Guest Brian Day
Posted May 7, 2008

Hi Folks,

We are working towards enabling smart-card logon in one of our child domains and I was curious if anyone has some best practices they would like to share as far as the Enrollment Agent & Smart Card Certificate Templates. I have the Microsoft Press Server 2003 PKI book on the way, but it isn't here quite yet.

I will be duplicating the existing EA template and assigning it to their issuing CA. I will then be changing the permissions on it to only be available to the EA security group in the domain. Should I mark the existing unused Enrollment Agent template as superseded by this one or leave it alone? When they are done with EA enrollment, I'll pull the template from the issuing CA, but not delete it from AD.

I will also be duplicating the Smart Card template and assigning it to their issuing CA. I will also lock it down to their EA security group and require a Certificate Request OID for any request.

What else should I consider? I know there is probably a ton which should be sifted through, but it is becoming a bit of a rush job for something I fully feel should NEVER EVER be a rush job. These things take planning, but I'm stuck learning with trial by fire here.

The offline Root CA is 2003 Enterprise.
The existing Issuing CA is 2003 Enterprise. (Using this to duplicate the template)
The new Issuing CA they'll be using is Server 2008 Enterprise. (Not yet online, later today probably)

Thank you!

p.s. They want to do certs for WLAN Vista clients & WAPs too, but I'll post a different thread for that.