|Applies To||RSA Product Set: RSA Smart Card Solutions|
RSA Product/Service Type: RSA Authentication Client
RSA Version/Condition: 3.6
Platform: Microsoft Windows
|Issue||This article explains how to store a certificate on the RSA SecurID SID800 for smart card logon to a Microsoft Windows environment.|
|Tasks|| is available via RSA Link.|
Where a third-party certificate authority is used, refer to the following Microsoft articles:
- Microsoft Domain Controller, Microsoft Active Directory and Microsoft Certificate Authority (with the appropriate certificate templates configured for certificate [web] enrollment). Refer to Microsoft documentation for the installation and configuration of Microsoft software.
- Microsoft has posted the certificate requirements for smart card logon.
|Resolution||This article assumes the customer has a working Microsoft Domain Controller, Microsoft Active Directory and Microsoft Certificate Authority (with the appropriate certificate templates configured for certificate [web] enrollment). This knowledge article provides only an overview of the steps for requesting and storing a certificate on the SID800 using RSA Authentication Client 3.6 software on a supported Microsoft Windows workstation.|
- Enter the Microsoft Certificate Authority (CA) URL (e.g., https://[CA_hostname]/certsrv) in a web browser.
- Depending on the Microsoft configuration, the user is likely to be prompted to enter Windows credentials in a pop-up window.
- Click the Request a certificate link in the Select a task list.
- Click advanced certificate request.
- Click Create and submit a request to this CA.
- In the Advanced Certificate Request form:
  - Change the Certificate Template to Smartcard User.
  - Change the CSP to Microsoft Base Smart Card Crypto Provider.
  - Select an appropriate key size (default is 1024). Leave the remaining settings as default.
- Click Submit.
- After clicking Submit, the end user will be prompted to enter a PIN to access the certificate store on the SID800.
- The system now generates the request.
- The private key is generated and stored in the certificate store of the SID800, and after the request has been processed the end user is prompted to install a certificate. Click the Install this certificate link to complete the certificate enrollment and store the certificate on the SID800. A copy of this certificate is also stored in the userCertificate attribute of the user's properties in Microsoft Active Directory.
- Open the RSA Authentication Client RSA Control Center and click the Certificates link to confirm the presence of the certificate.
- At the Microsoft workstation logon screen, the end user presses Ctrl+Alt+Del to log on and may have to switch user to display the tile for Smart card logon. Clicking the Smart card logon tile prompts the end user to enter the PIN to access the certificate store of the SID800.
The RSA Authentication Client includes RSA Smart Card middleware. The middleware provides a Microsoft Minidriver based on the Microsoft Smart Card Minidriver specification and an implementation of the Public Key Cryptographic Standard #11 (PKCS #11) Application Programming Interface (API). Refer to the RSA Authentication Client documentation for more information.
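
To complement the RSA Control Center check in the steps above, the following added PowerShell example (not RSA's or Microsoft's own code) audits the certificates in the logged-on user's Personal store for the fields Windows smart card logon relies on: the Smart Card Logon and Client Authentication EKUs, a UPN in the Subject Alternative Name, Digital Signature key usage, and a current validity period. The function name `Test-SmartCardLogonCert`, the 2048-bit `$MinKeyBits` floor and the English-locale `Principal Name=` match are assumptions of this example.

```powershell
# Added example: read-only audit of the current user's Personal store.
# It reads public certificate data only and does not use the private key.
$MinKeyBits        = 2048                       # assumption: local policy floor
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU

function Test-SmartCardLogonCert {              # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # Index the extensions by OID so each check is a simple lookup.
    $ext = @{}
    foreach ($e in $Cert.Extensions) { $ext[$e.Oid.Value] = $e }

    # 2.5.29.37 = Enhanced Key Usage: compare OIDs, not localized names.
    $ekus = @()
    if ($ext['2.5.29.37']) {
        $ekus = @($ext['2.5.29.37'].EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    # 2.5.29.17 = Subject Alternative Name; the UPN is shown as "Principal Name=".
    # Assumption: English-locale formatting of the extension text.
    $upn = $null
    if ($ext['2.5.29.17'] -and
        $ext['2.5.29.17'].Format($false) -match 'Principal Name=([^,\s]+)') {
        $upn = $Matches[1]
    }
    # 2.5.29.15 = Key Usage: smart card logon needs Digital Signature.
    $digSig = $false
    if ($ext['2.5.29.15']) {
        $digSig = $ext['2.5.29.15'].KeyUsages.HasFlag(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
    }
    # Public key size (requires .NET Framework 4.6 or later); 0 if not RSA.
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $bits = if ($rsa) { $rsa.KeySize } else { 0 }
    $now  = Get-Date

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Upn        = $upn
        KeyBits    = $bits
        LogonReady = ($ekus -contains $SmartCardLogonOid) -and
                     ($ekus -contains $ClientAuthOid) -and $upn -and $digSig -and
                     ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        BelowFloor = $bits -lt $MinKeyBits
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmartCardLogonCert -Cert $_ } | Format-Table -AutoSize
```

A row with `LogonReady` false points to a template or enrollment problem on the CA side, and `BelowFloor` marks keys smaller than the floor set in `$MinKeyBits`.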