Certificate Renewal minimum requirements

Discussion in 'Server Security' started by MC, Oct 22, 2004.

  1. MC

    MC Guest


    What are the minimum requirements to renew a smart card user certificate
    stored on a smart card?

    Is it necessary to give the user "enroll" permissions to renew an existing
    certificate?
    I configured a copy of the smart card user template to allow renewal if an
    existing valid certificate exists.

    MC, Oct 22, 2004

  2. David Cross [MS], Oct 22, 2004

  3. MC

    MC Guest

    David, thanks for that input.

    Is the auto-enroll permission enough, or must the user be granted the
    "enroll" permissions too?
    In the MS documents you can find statements that when autoenroll
    permissions are granted, the user must always have enroll permissions too.

    The problem would be that when enroll permissions are granted, users would be
    able to enroll smart card user certificates by themselves. It should only be
    possible to enroll smart card user certificates by a couple of admins who
    own an enrollment agent certificate.


    MC, Oct 22, 2004
  4. MC

    Brian Komar Guest

    The solution is to use two certificate templates. The first, for initial
    enrollment, only allows the couple of admins to enroll on behalf of the
    user. This is accomplished by limiting permissions to the enrollment
    agents and by requiring the certificate request agent OID in the signing
    certificate. This certificate can include a custom application policy
    OID designated as the "Company" smart card.

    Then you can create a renewal certificate that:
    - supersedes the initial certificate
    - enables Read, Enroll, and Autoenroll perms to *all* smart card holders
    - requires that the request be signed with an application policy OID,
    the "Company" smart card OID.


    Brian Komar, Oct 23, 2004
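    As an added example (not part of the thread and not any poster's own code), a PowerShell script that reads the two templates from the Active Directory Certificate Templates container and checks the settings described in the answer above. The template names and the "Company" OID are placeholders, and the attribute checks assume version 2 (Windows Server 2003) templates, where msPKI-RA-Application-Policies holds bare OIDs.

    ```powershell
    # Assumed names/values: replace with your own template CNs and company policy OID.
    $InitialTemplate = 'CompanySmartCardInitial'   # placeholder: enrollment-agent-only template
    $RenewalTemplate = 'CompanySmartCardRenewal'   # placeholder: self-renewal template
    $CompanyOid      = '1.3.6.1.4.1.99999.1.1'      # placeholder: custom "Company" smart card OID
    $RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'     # Microsoft Certificate Request Agent OID
    $EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
    $AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment right
    $ExtendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    function Get-Template([string]$Name) {
        # Templates live in the configuration partition of the forest
        $root = ([ADSI]'LDAP://RootDSE').configurationNamingContext
        [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$root"
    }

    function Get-Grantees($Template, [guid]$Right) {
        # Identities holding the given extended right (Enroll or Autoenroll) on the template
        $Template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $Right -and
                           (($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    }

    $initial = Get-Template $InitialTemplate
    $renewal = Get-Template $RenewalTemplate

    $checks = [ordered]@{
        # Initial template: one signature, from a cert carrying the Request Agent OID,
        # and the issued cert itself carries the Company OID for later renewal
        'Initial requires 1 RA signature'    = ([int]$initial.'msPKI-RA-Signature'.Value -ge 1)
        'Initial requires Request Agent OID' = (@($initial.'msPKI-RA-Application-Policies') -contains $RequestAgentOid)
        'Initial cert carries Company OID'   = (@($initial.'msPKI-Certificate-Application-Policy') -contains $CompanyOid)
        # Renewal template: supersedes the initial one, and the request must be signed
        # with a cert carrying the Company OID (i.e. the user's existing smart card cert)
        'Renewal supersedes initial'         = (@($renewal.'msPKI-Supersede-Templates') -contains $InitialTemplate)
        'Renewal requires 1 signature'       = ([int]$renewal.'msPKI-RA-Signature'.Value -ge 1)
        'Renewal requires Company OID'       = (@($renewal.'msPKI-RA-Application-Policies') -contains $CompanyOid)
    }
    $checks.GetEnumerator() |
        ForEach-Object { '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' }) }

    # Permission review: Enroll on the initial template should be the enrollment agents only;
    # the renewal template should grant Enroll/Autoenroll to the smart card holder group.
    'Enroll on initial template:';  Get-Grantees $initial $EnrollRight | ForEach-Object { "  $_" }
    'Enroll on renewal template:';  Get-Grantees $renewal $EnrollRight | ForEach-Object { "  $_" }
    'Autoenroll on renewal template:'; Get-Grantees $renewal $AutoenrollRight | ForEach-Object { "  $_" }
    ```

    Run it on a domain member with read access to the configuration partition; a FAIL line or an unexpected grantee in the permission lists points at the template setting to correct.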