Re: Certificate Renewal minimum requirements

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 10/23/04


Date: Sat, 23 Oct 2004 07:26:09 -0500

In article <eps2fPDuEHA.3860@TK2MSFTNGP09.phx.gbl>, seaedsit@hotmail.com
says...
> David, thanks for that input.
>
> Is the auto-enroll permission enough, or must the user be granted the
> "enroll" permissions too ?
> In the MS documents you can find statements, that when autoenroll
> permissions are granted user always must have enroll permissions too.
>
> The problem would be when enroll permissions are granted, users would be
> able to enroll smart card user certificates by themselves. It only should be
> possible to enroll smart card user certificates by a couple of admins who
> own an enrollment agent certificate.
>
> Thx,
> Mario
>
The solution is to use two certificate templates. The first, for initial
enrollment only allows the couple of admins to enroll on behalf of the
user. This is accomplished by limiting permissions to the enrollment
agents and to require the certificate request agent OID in the signing
certificate. This certificate can include a custom application policy
OID designated as the "Company" smart card

Then you can create a renewal certificate that:
- supersedes the initial certificate
- enables Read, Enroll, and Autoenroll perms to *all* smart card holders
- Requires that the request be signed with an application policy OID,
the "Company" smart card OID.

HTH,
Brian

>
>
>
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:uWOomGDuEHA.2000@TK2MSFTNGP14.phx.gbl...
> > yes, they will still need autoenroll permission, I think we have an
> example
> > for using existing cert and auto-renewal in this paper:
> >
> > auto-enrollment:
> >
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
> >
> >
> > --
> >
> >
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> >
> > http://support.microsoft.com
> >
> > "MC" <seaedsit@hotmail.com> wrote in message
> > news:etsQ$nBuEHA.3156@TK2MSFTNGP12.phx.gbl...
> > > Hi,
> > >
> > > What are the minimum requirements to renew a smart card user certificate
> > > stored on a smart card?
> > >
> > > Is it necessary to give the user "enroll" permissions to renew an
> existing
Ths
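
One way to check that a pair of templates is actually configured the way Brian describes, as an added example that is not part of the thread (PowerShell with the ActiveDirectory module, reading the template objects from the Configuration partition; the template names CompanySmartCardInitial / CompanySmartCardRenewal and the "Company" OID 1.3.6.1.4.1.99999.1.1 are placeholders you would replace with your own):

```powershell
# Added example, not code from the thread: audit two certificate templates
# against the two-template smart card design (initial template enrollable
# only by enrollment agents; renewal template supersedes it and is signed
# with the "Company" application policy OID from the holder's existing cert).
# Assumptions (placeholders): ActiveDirectory module present, read access to
# the Configuration partition, template names and Company OID as below.
Import-Module ActiveDirectory

$InitialTemplate    = 'CompanySmartCardInitial'   # placeholder template name
$RenewalTemplate    = 'CompanySmartCardRenewal'   # placeholder template name
$CompanyOid         = '1.3.6.1.4.1.99999.1.1'     # placeholder custom application policy OID
$EnrollmentAgentOid = '1.3.6.1.4.1.311.20.2.1'    # Certificate Request Agent application policy (Microsoft OID)

# Extended-right GUIDs that template ACLs use for Enroll and Autoenroll
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d2-bee6-00c04f79dc55'

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$props = 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies',
         'msPKI-Supersede-Templates', 'msPKI-Certificate-Application-Policy'

function Get-Template([string]$Name) {
    $t = Get-ADObject -SearchBase $templatesDn -Filter "cn -eq '$Name'" -Properties $props
    if (-not $t) { throw "Template '$Name' not found under $templatesDn" }
    $t
}

function Get-EnrollRights($Template) {
    # One object per Allow ACE that confers Enroll or Autoenroll. An ACE whose
    # ObjectType is the empty GUID grants *all* extended rights, so it counts as both.
    $acl = Get-Acl -Path ("AD:\" + $Template.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        $rights = @()
        if ($ace.ObjectType -eq $EnrollRight     -or $ace.ObjectType -eq [guid]::Empty) { $rights += 'Enroll' }
        if ($ace.ObjectType -eq $AutoEnrollRight -or $ace.ObjectType -eq [guid]::Empty) { $rights += 'AutoEnroll' }
        foreach ($r in $rights) {
            [pscustomobject]@{ Template = $Template.Name; Identity = $ace.IdentityReference.Value; Right = $r }
        }
    }
}

function Test-SmartCardTemplates {
    $initial = Get-Template $InitialTemplate
    $renewal = Get-Template $RenewalTemplate
    $checks = [ordered]@{
        # Initial template: request must be co-signed by a Certificate Request
        # Agent certificate, and the issued cert carries the Company policy.
        'initial requires at least one RA signature'           = [int]$initial.'msPKI-RA-Signature' -ge 1
        'initial signing cert must carry Request Agent policy' = "$($initial.'msPKI-RA-Application-Policies')" -like "*$EnrollmentAgentOid*"
        'initial issues the Company application policy'        = "$($initial.'msPKI-Certificate-Application-Policy')" -like "*$CompanyOid*"
        # Renewal template: supersedes the initial one and accepts a request
        # signed with the Company OID, i.e. the holder's own existing smart card cert.
        'renewal supersedes the initial template'              = @($renewal.'msPKI-Supersede-Templates') -contains $InitialTemplate
        'renewal requires at least one RA signature'           = [int]$renewal.'msPKI-RA-Signature' -ge 1
        'renewal signing cert must carry Company policy'       = "$($renewal.'msPKI-RA-Application-Policies')" -like "*$CompanyOid*"
        'renewal grants Enroll'                                = @(Get-EnrollRights $renewal | Where-Object Right -eq 'Enroll').Count -gt 0
        'renewal grants AutoEnroll'                            = @(Get-EnrollRights $renewal | Where-Object Right -eq 'AutoEnroll').Count -gt 0
    }
    foreach ($name in $checks.Keys) {
        '{0,-4} {1}' -f ($(if ($checks[$name]) { 'OK' } else { 'FAIL' }), $name)
    }
    # Review by eye: the initial template's Enroll list should be the agents group only
    Get-EnrollRights $initial | Format-Table -AutoSize
}

Test-SmartCardTemplates
```

The script only reads the template objects' attributes and ACLs; it does not confirm that the CA has the templates published or that the CA's own policy module honours them, so treat it as a sanity check on the template definitions rather than proof of the end-to-end behaviour. It also reports only explicit Enroll/Autoenroll ACEs (plus all-extended-rights ACEs), so a principal with Full Control or write access to the template's DACL should still be reviewed separately, since such rights let that principal grant themselves Enroll.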


