To create a smartcard logon certificate template:
From the Certificate Authority server, launch the Certificate Authority management console (MMC) from Administrative Tools.
Expand the CA, right-click on the "Certificate Templates" folder and select Manage.
Right click on the "Smartcard Logon" certificate template and then select Duplicate.
The new template properties open in the General tab. Type a template name in the text box. Note that the real name automatically appears in the second text box with no spaces. Remember this name. You will need it later to configure the SAML feature. The options on this tab should be configured as follows:
Template display name: PrlsSmartcardLogon
Template name: PrlsSmartcardLogon
Validity period: 1 year
Renewal period: 6 weeks
Publish certificate in Active Directory: OFF
Do not automatically re-enroll if a duplicate certificate exists in Active Directory: OFF
Note: The display name can be any name you choose; however, the template name must match the template name highlighted above.
Select the Cryptography tab and set the following:
Provider category: Legacy Cryptographic Service Provider (read-only).
Algorithm name: Determined by CSP
Minimum key size: The desired minimum key size up to 4096 bits
In the section Choose which cryptographic providers can be used for requests, choose Requests must use one of the following providers. In the following list of providers, select your desired provider.
Select the Issuance Requirements tab and set the following:
CA certificate manager approval: OFF
This number of authorized signatures: 1
Policy type required in signature: Application policy
Application policy: Certificate Request Agent
Same criteria as for enrollment: ON
Select the Security tab and do the following:
Click Add.
Add the enrollment agent user account.
Allow (select) the "Read" and "Enroll" permissions. Click Apply and OK.
To issue the certificate template that you've created:
Run Certificate Authority again and right-click on Certificate Templates, select New and click on Certificate Template to Issue.
Select the certificate template you've created in the previous steps (i.e. PrlsSmartcardLogon) and click OK.
The certificate template should appear in the Certificate Templates list.
Note: After creating the Smartcard Logon template and the Enrollment Agent template (described below), you should restart the Active Directory Certificate Services service in Windows.
To create the Enrollment Agent template:
From the Certificate Authority server, launch the Certificate Authority management console (MMC) from Administrative Tools.
Expand the CA, right-click on the "Certificate Templates" folder and select Manage.
Right-click the Enrollment Agent template and choose Duplicate Template. The new template properties window opens. On the General tab, configure the following properties:
Template display name: PrlsEnrollmentAgent
Template name: PrlsEnrollmentAgent
Validity period: 2 years
Renewal period: 6 weeks
Publish certificate in Active Directory: ON
Do not automatically re-enroll if a duplicate certificate exists in Active Directory: OFF
Note: The display name can be any name you choose; however, the template name must match the template name highlighted above.
Select the Cryptography tab and set the following values:
Provider category: Legacy Cryptographic Service Provider (read-only).
Algorithm name: Determined by CSP
Minimum key size: The desired minimum key size up to 4096 bits
In the section Choose which cryptographic providers can be used for requests, choose Requests must use one of the following providers. In the following list of providers, select your desired provider.
Select the Security tab and do the following:
Click Add.
Add the enrollment agent user account.
Allow (select) the "Read" and "Enroll" permissions. Click Apply and OK.
To issue the certificate template that you've created:
Run Certificate Authority again and right-click on Certificate Templates, select New and click on Certificate Template to Issue.
Select the certificate template you've created in the previous steps (i.e. PrlsEnrollmentAgent) and click OK.
The certificate template should appear in the Certificate Templates list.
Note: After creating the Enrollment Agent template and the Smartcard Logon template (described above), you should restart the Active Directory Certificate Services service in Windows.
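The MMC steps for both templates leave no easy audit trail, so the following PowerShell script is an added check (not part of this guide or the product) that reads the two templates back from the configuration partition and compares them with the settings above: the signature and Certificate Request Agent policy requirement on the logon template, the CA manager approval and publish flags, the minimum key size, and which accounts actually hold the Enroll right on the Enrollment Agent template, since that template lets its holder request certificates on behalf of others. It assumes the ActiveDirectory RSAT module, the template names PrlsSmartcardLogon and PrlsEnrollmentAgent, and a placeholder enrollment agent account name that you replace with your own.

```powershell
# Added verification script (not part of the original guide). Assumes the
# ActiveDirectory RSAT module and the template names used in the steps above.
Import-Module ActiveDirectory

$AgentAccount = 'CONTOSO\enrollagent'   # placeholder: your enrollment agent account
$EnrollRight  = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # "Enroll" extended right
$CraOid       = '1.3.6.1.4.1.311.20.2.1' # Certificate Request Agent application policy
$PublishToDs  = 0x8                      # msPKI-Enrollment-Flag: publish certificate in AD
$PendAll      = 0x2                      # msPKI-Enrollment-Flag: CA certificate manager approval

$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext

function Get-TemplateFacts([string]$Name) {
    $t = Get-ADObject -SearchBase $base -Filter "name -eq '$Name'" -Properties *
    if (-not $t) { throw "Template '$Name' not found under $base" }
    # pKIExpirationPeriod is a little-endian, negative count of 100 ns ticks
    $ticks = [BitConverter]::ToInt64([byte[]]$t.pKIExpirationPeriod, 0)
    $flags = [int]$t.'msPKI-Enrollment-Flag'
    # Who may enroll: an explicit Enroll ACE, or an all-extended-rights / GenericAll
    # ACE (empty object GUID), which also confers Enroll
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $enrollers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
                       ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [Guid]::Empty) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    [pscustomobject]@{
        Name              = $Name
        ValidityDays      = [TimeSpan]::FromTicks(-$ticks).TotalDays
        Signatures        = [int]$t.'msPKI-RA-Signature'
        RequiresCraPolicy = (@($t.'msPKI-RA-Application-Policies') -join ' ') -match [regex]::Escape($CraOid)
        PublishToDs       = [bool]($flags -band $PublishToDs)
        ManagerApproval   = [bool]($flags -band $PendAll)
        MinKeySize        = [int]$t.'msPKI-Minimal-Key-Size'
        Enrollers         = @($enrollers)
    }
}

$logon = Get-TemplateFacts 'PrlsSmartcardLogon'
$agent = Get-TemplateFacts 'PrlsEnrollmentAgent'
$logon, $agent | Format-List

# Compare against the values the guide specifies; anything False needs a second look.
$checks = [ordered]@{
    'Logon: 1 authorized signature'                    = $logon.Signatures -eq 1
    'Logon: Certificate Request Agent policy required' = $logon.RequiresCraPolicy
    'Logon: no CA manager approval'                    = -not $logon.ManagerApproval
    'Logon: not published to AD'                       = -not $logon.PublishToDs
    'Agent: published to AD'                           = $agent.PublishToDs
    'Agent: Enroll held only by the agent account'     = ($agent.Enrollers.Count -eq 1 -and
                                                          $agent.Enrollers[0] -eq $AgentAccount)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-52} {1}' -f $_.Key, $_.Value }
```

Run it from a domain-joined host as a user with read access to the configuration partition; the Format-List output also shows the validity period in days so you can confirm the 1-year and 2-year settings.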