Smart Card Enrollment Control Usage Scenario

The following scenario illustrates the use of the Smart Card Enrollment control by an administrator issuing smart cards for an organization. All methods and properties referenced are provided by the Smart Card Enrollment control.

1. The administrator obtains an enrollment agent certificate (also known as a signing certificate). The private key associated with this enrollment agent certificate is used to sign a PKCS #7 request; the PKCS #7 request, in turn, contains the user's PKCS #10 request (which is signed with the user's private key).

   The administrator can use the Certificate Manager MMC snap-in to obtain an enrollment agent certificate. Note that although the administrator's enrollment agent certificate will be used to sign the certificate request, the certification authority (CA) will issue and sign the certificate that is stored on the smart card after enrollment has completed.

2. The administrator uses a machine which is running the Smart Card Enrollment Control; the machine must contain one or more smart card readers. (If the administrator's enrollment agent certificate is stored on a smart card, the machine must contain two smart card readers: one for reading the administrator's enrollment agent smart card certificate, and one for generating the user's smart card certificate).

3. The administrator sets the name of a certificate template to be used, by calling the setCertTemplateName method. An example of a certificate template name is "User". (If the administrator wants to determine the available certificate templates, the getCertTemplateCount method retrieves the number of available certificate templates, and the enumCertTemplateName method can be used to enumerate their names).

4. The administrator sets the name of a CA to be used to issue the certificate. This occurs by calling the setCAName method. (If the administrator wants to determine the available CAs, the getCACount method returns the number of available CAs, and the enumCAName method can be used to enumerate their names).

5. The administrator sets the name of a Cryptographic Service Provider (CSP) to be used. This occurs by setting the CSPName property. (If the administrator wants to determine the available CSPs, the CSPCount property contains the number of available CSPs and the enumCSPName method can be used to enumerate their names).

6. The administrator specifies a signing certificate to be used to sign the certificate request. This signing certificate is synonymous with the enrollment agent certificate obtained in Step 1. The selectSigningCertificate method invokes a user interface, allowing the administrator to choose the signing certificate. An alternative to using a user interface to select the signing certificate is to call setSigningCertificate. (After a signing certificate has been specified, the getSigningCertificateName method can be called to retrieve the subject name of the certificate). If the administrator's signing certificate is on a smart card, the smart card must be placed in the smart card reader.

7. The administrator places the user's smart card in the smart card reader. (Note that if the administrator's signing certificate is on a smart card, there would be at least two smart card readers on the machine; one reader would contain the smart card representing the administrator's enrollment agent certificate, and the other would contain the smart card which is to be issued the user certificate).

8. The administrator specifies the name of the user to be issued the certificate. This can be done in one of two ways. The administrator can invoke the Select User interface by calling the selectUserName method and choosing the user name, or the administrator can call the setUserName method to specify the desired user name.

9. The administrator requests a certificate on behalf of the user by calling the ISCrdEnr::enroll method. The CA receiving the request will verify the administrator's signature on the PKCS #7 (as well as verifying that the administrator's enrollment agent certificate was acceptable for enrolling on behalf of a user). The CA will also verify the user's signature on the PKCS #10. If the request is successful, the resulting certificate is automatically placed on the smart card.

10. [Optional] The administrator can inspect the resulting certificate by calling the getEnrolledCertificateName method.

11. The administrator removes the user's smart card and issues it to the user.

12. The administrator calls the resetUser method, which clears the user's name and certificate from the Smart Card Enrollment control's memory, thereby preparing the control for the next user's certificate enrollment.

13. The administrator repeats steps 7 through 12 for the remaining users on whose behalf the administrator is enrolling for certificates. Optionally, the administrator can change the certificate template, CA, CSP or signing certificate prior to each certificate enrollment.

Send comments about this topic to Microsoft

Build date: 3/5/2009