This article describes how to configure the vSEC:CMS so that it issues certificate(s) only, from a card template, to smart card tokens that will not be managed. This means that the vSEC:CMS will not manage, know or have access to the smart card token administration PIN.
Note: The PKI used in this example use case will be an MS CA.
Note: The smart card type that will be managed in this use case will be a generic mini-driver smart card token.
Step 1 - Configure Card Template
1. Navigate to the Options - Smart Cards page. When the page has loaded, attach the smart card token that is to be issued with the vSEC:CMS. The vSEC:CMS will filter the card type and present the smart card template available in the vSEC:CMS.
2. Select the entry and click Edit. For Smart Card Access ensure that Use minidriver if possible is selected and click Save.
3. From Templates - Card Templates click the Add button.
4. Click the Edit link for General.
5. Enter a template name, attach the smart card token that is to be issued, and click the Detect button to allow the vSEC:CMS to detect the smart card token type that is to be used for this card template. Click Ok to close the dialog.
6. Allow all other default settings in the General dialog and click Ok to save the settings and close this dialog.
7. Click the Edit link for Issue Card.
8. From User ID Options section enable Assign User ID and select the AD connection already configured.
9. From the Enroll Certificate Options section, enable Enroll certificate(s) and click the Add button. Select the CA connection already configured from the Certificate Authority drop-down list, select the smart card logon certificate template as configured on your CA from the Certificate template list, and click Ok to save and close the dialog.
10. Allow all other defaults for the Issue Card dialog and click Ok to save and close.
11. Click Ok to save and close the card template configuration.
Important: The Windows smart card logon certificate template on the CA must be configured to require an authorized signature. On the Issuance Requirements tab of the certificate template properties on the CA, enable This number of authorized signatures and set a value of 1, and from the Application policy drop-down list select the Certificate Request Agent option.
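The issuance requirements described above are stored on the template object in Active Directory, so they can be checked without opening the template GUI. The following is an added example, not part of the vSEC:CMS product or its documentation. It assumes the RSAT ActiveDirectory module is available; the function names, sample objects and the template name in the last comment are hypothetical placeholders.

```powershell
# Added example (not vendor code): check that a certificate template requires
# one authorized signature with the Certificate Request Agent application policy.
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent

function Test-IssuanceRequirement {
    param([Parameter(Mandatory)] $Template)
    # msPKI-RA-Signature backs "This number of authorized signatures".
    $sigCount = [int]($Template.'msPKI-RA-Signature')
    # msPKI-RA-Application-Policies backs the "Application policy" drop-down.
    # Substring match, because schema version 4 templates wrap the OID in a
    # longer backtick-delimited string.
    $hasAgent = [bool](@($Template.'msPKI-RA-Application-Policies') |
        Where-Object { $_ -like "*$RequestAgentOid*" })
    [pscustomobject]@{
        Template             = $Template.Name
        AuthorizedSignatures = $sigCount
        RequiresRequestAgent = $hasAgent
        Compliant            = ($sigCount -eq 1 -and $hasAgent)
    }
}

function Get-TemplateFromAD {
    # $Name is the template CN (the name without spaces), not the display name.
    param([Parameter(Mandatory)][string] $Name)
    Import-Module ActiveDirectory   # assumption: RSAT AD module is installed
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $base -LDAPFilter "(cn=$Name)" `
        -Properties 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'
}

# Constructed sample objects so the check can be exercised without a domain.
$samples = @(
    [pscustomobject]@{ Name = 'Sample-Correct'; 'msPKI-RA-Signature' = 1
        'msPKI-RA-Application-Policies' = @($RequestAgentOid) }
    [pscustomobject]@{ Name = 'Sample-NoSignature'; 'msPKI-RA-Signature' = 0
        'msPKI-RA-Application-Policies' = @() }
)
$samples | ForEach-Object { Test-IssuanceRequirement -Template $_ } | Format-Table

# Against a live domain (placeholder template name):
# Test-IssuanceRequirement -Template (Get-TemplateFromAD -Name 'YourSmartcardLogonTemplate')
```

A template that reports Compliant as False will let the CA issue the smart card logon certificate without a signature from an enrollment agent certificate, which is the condition the note above is meant to prevent.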
Step 2 - Configure Settings
1. From Options - Settings select Enable card template based actions and enable Allow actions on unregistered cards.
2. Click the Configure button, select the template that you wish to use from the available card templates, add it to the Selected list and click Ok.
Step 3 - Issue Certificate
1. From Actions - Certificate(s)/keys, attach a smart card token that you wish to be issued with a certificate, select the card template configured in step 1 from the drop-down list, and click Issue.
2. Enter the operator PIN (Passcode) when prompted.
3. Enter the smart card token PIN code when prompted.
4. Select a user from AD that the smart card and certificate will be assigned to.
5. When complete, a short summary dialog will appear.
6. The certificate issuance is now complete. The certificate(s) will now be viewable from the Certificate(s)/keys dialog.