1 8th August 11:23
mc
External User
 
Posts: 1
Default Certificate Renewal minimum requirements



Hi,

What are the minimum requirements to renew a smart card user certificate
stored on a smart card?

Is it necessary to give the user "enroll" permissions to renew an existing
certificate?
I configured a copy of the smart card user template to allow renewal if an
existing valid certificate exists.

Thanks
MC
2 8th August 11:23
david cross [ms]
External User
 
Posts: 1
Default Certificate Renewal minimum requirements



Yes, they will still need autoenroll permission. I think we have an example
for using existing cert and auto-renewal in this paper:

auto-enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx


--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com
3 8th August 11:24
mc
External User
 
Posts: 1
Default Certificate Renewal minimum requirements


David, thanks for that input.

Is the auto-enroll permission enough, or must the user be granted the
"enroll" permissions too?
In the MS documents you can find statements that when autoenroll
permissions are granted, the user always must have enroll permissions too.

The problem would be when enroll permissions are granted, users would be
able to enroll smart card user certificates by themselves. It only should be
possible to enroll smart card user certificates by a couple of admins who
own an enrollment agent certificate.

Thx,
Mario
4 19th August 09:33
brian komar
External User
 
Posts: 1
Default Certificate Renewal minimum requirements


In article <eps2fPDuEHA.3860@TK2MSFTNGP09.phx.gbl>, seaedsit@hotmail.com
says...

The solution is to use two certificate templates. The first, for initial
enrollment, only allows the couple of admins to enroll on behalf of the
user. This is accomplished by limiting permissions to the enrollment
agents and to require the certificate request agent OID in the signing
certificate. This certificate can include a custom application policy
OID designated as the "Company" smart card.

Then you can create a renewal certificate that:
- supersedes the initial certificate
- enables Read, Enroll, and Autoenroll perms to *all* smart card holders
- Requires that the request be signed with an application policy OID,
the "Company" smart card OID.

HTH,
Brian
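
The two-template design described in the reply above, as an added example that is not part of the original thread: a simplified Python model of the issuance decision (not AD CS code), showing why granting Enroll on the renewal template does not let a user self-enroll a first smart card certificate. The template names, group names and the "Company" OID placeholder are assumptions made for the example.

```python
# Simplified model of the two-template design (added example, constructed data).
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"      # Certificate Request Agent policy OID
COMPANY_SMARTCARD = "PLACEHOLDER-COMPANY-CARD-OID"  # placeholder for the custom OID

TEMPLATES = {  # hypothetical template and group names
    "SmartcardInitial": {
        "acl": {"EnrollmentAgents": {"Read", "Enroll"}},
        "required_signer_policy": CERT_REQUEST_AGENT,
        "supersedes": [],
    },
    "SmartcardRenewal": {
        "acl": {"SmartcardHolders": {"Read", "Enroll", "Autoenroll"}},
        "required_signer_policy": COMPANY_SMARTCARD,
        "supersedes": ["SmartcardInitial"],
    },
}

def can_enroll(template_name, groups, signer_policies, autoenroll=False):
    """Return (allowed, reason) for a request against one template.

    groups: group memberships of the requester
    signer_policies: application policy OIDs in the certificate that signed
                     the request (empty set when the request is unsigned)
    """
    template = TEMPLATES[template_name]
    perms = set()
    for group in groups:
        perms |= template["acl"].get(group, set())
    needed = {"Read", "Enroll"} | ({"Autoenroll"} if autoenroll else set())
    if not needed <= perms:
        return False, "missing permission: " + ", ".join(sorted(needed - perms))
    if template["required_signer_policy"] not in signer_policies:
        return False, "request not signed with the required application policy"
    return True, "ok"

def self_service_gaps():
    """Templates where a permission alone, with no signing requirement, suffices."""
    return [name for name, t in TEMPLATES.items()
            if t["acl"] and not t["required_signer_policy"]]

if __name__ == "__main__":
    holder = {"SmartcardHolders"}
    print(can_enroll("SmartcardInitial", holder, set()))
    print(can_enroll("SmartcardRenewal", holder, set(), autoenroll=True))
    print(can_enroll("SmartcardRenewal", holder, {COMPANY_SMARTCARD}, autoenroll=True))
    print(can_enroll("SmartcardInitial", {"EnrollmentAgents"}, {CERT_REQUEST_AGENT}))
```
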

