One of the most common activities for managing an environment with smart cards is the issuing of a temporary card.
A Card Management System (CMS) usually takes care of the revocation of certificates, recycling of cards and reset of PINs. The system described in "Password=BAD, SmartCards=GOOD" could better suit a Small Business if we make some minor tweaks.
This procedure will allow an administrator to issue a “Temporary Card” to a user who has left their card at home.
Create additional Smartcard User Templates
To alleviate the requirement for operators to manually administer certificates and to simplify the enrolment process, create certificate templates for each class of temporary card.
· Open the Certification Authority MMC
· Click Action > Manage
· Select the Smartcard User Template
· Click Action > Duplicate Template

Follow this procedure to create 3 Templates:
· 365 Day Permanent Card
· 1 Day Temporary Card
· 7 Day Temporary Card

· Select Windows Server 2003 Enterprise
· Click OK
· Enter a Name for the Certificate Template
· Change the Validity period to suit the Template type
  o 1 Day
  o 1 Week
  o 1 Year
· Click Apply
· Select the Issuance Requirements Tab
· Select This Number of Authorised Signatures
· Enter 1
· Change Application Policy to Certificate Request Agent
· Click Apply
· Click OK

Repeat until all Certificate Templates have been created.
· Click File > Exit
The Certificate Templates need to be added to the Issuing CA.
· Click Action > New > Certificate Template to Issue
· Select all new templates
· Press OK
· Select Smartcard User
· Click Action > Delete
· Click Yes
Reset the Smartcard
Open .NET Utilities from the Gemalto Site
Chances are when you pick up a Temporary Card you will not know the PIN.
· Try to change the PIN a few times to Block the Card
· Select Unblock PIN
· Enter a new PIN
· Confirm the new PIN
· Click Unblock
· Confirm successful unblock
· Click OK
· Click Manage Certificates
· Select each existing certificate in turn
· Press Delete
· Confirm correct certificate
· Press OK
· Enter the Card PIN

Note: this is why we reset the PIN earlier. You could have asked the user who last held the cards but chances are this is the PIN they use for their permanent card :(
· Press OK
Issue a Smartcard
· Click Action > Advanced Operations > Enroll On Behalf Of
· Click Next
· Click Browse
· Select the Certificate created previously
· Click OK
· Click Next
· Select Smartcard User
· Click Properties
· Deselect Microsoft Strong Cryptographic Provider
· Select Microsoft Base Smart Card Crypto Provider
· Click Apply
· Click OK
· Click Next
· Enter the User name (including Domain)
· Click Enroll
· Insert the Smartcard

See, here is one of mine :)
· Enter the Smartcard's PIN
· Observe STATUS: Succeeded
· Click Next User or Close
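
To confirm after enrolment that the card carries a certificate whose lifetime matches the template class chosen (1 day, 7 days or 365 days), the following PowerShell check can be run with the card inserted. It is an added example, not part of the original procedure. It assumes Windows has propagated the card's certificates into the current user's Personal store; the function name and the one-hour tolerance (to absorb the CA's backdating of the start time) are choices made for this example.

```powershell
# Added example: report smart card logon certificates and the validity class they fall into.
# Validity classes come from the three templates created above.
$AllowedDays       = 1, 7, 365
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'      # Smart Card Logon enhanced key usage
$Tolerance         = [TimeSpan]::FromHours(1)      # assumption: allowance for CA clock-skew backdating

function Get-CardCertificateReport {               # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Ignore certificates that cannot be used for smart card logon.
        $eku = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains $SmartCardLogonOid) { return }

        # Compare the issued lifetime with each permitted class.
        $lifetime = $Certificate.NotAfter - $Certificate.NotBefore
        $class = $AllowedDays | Where-Object {
            [math]::Abs(($lifetime - [TimeSpan]::FromDays($_)).TotalHours) -le $Tolerance.TotalHours
        } | Select-Object -First 1

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            Days       = [math]::Round($lifetime.TotalDays, 2)
            Class      = if ($class) { "$class day" } else { 'UNEXPECTED' }
            Expired    = $Certificate.NotAfter -lt (Get-Date)
        }
    }
}

Get-ChildItem Cert:\CurrentUser\My | Get-CardCertificateReport | Format-Table -AutoSize
```

A row marked UNEXPECTED means the certificate was issued with a lifetime outside the three classes, for example because the wrong template was selected or the CA shortened the validity period.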