000031583 - Storing a certificate for smart card logon on an RSA SecurID SID800 token using RSA Authentication Client 3.6

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jul 29, 2019
Version 8Show Document
  • View in full screen mode

Article Content

Article Number000031583
Applies ToRSA Product Set: RSA Smart Card Solutions
RSA Product/Service Type : RSA Authentication Client 
RSA Version/Condition: 3.6
Platform: Microsoft Windows
IssueThis article explains how to store a certificate on the RSA SecurID SID800 for smart card logon to a Microsoft Windows environment.
TasksRSA Authentication Client 3.6 software and documentation is available via RSA Link.


  • Microsoft Domain Controller, Microsoft Active Directory and Microsoft Certificate Authority (with the appropriate certificate templates are configured for certificate [web] enrollment). Refer to Microsoft documentation for the installation and configuration for Microsoft software.
  • Microsoft has posted the certificate requirements for smart card logon.
Where a third-party certificate authority is being used then refer to the following Microsoft articles:

ResolutionThis article assumes the customer will have a working Microsoft Domain Controller, Microsoft Active Directory and Microsoft Certificate Authority (with the appropriate certificate templates are configured for certificate [web] enrollment). This knowledge article is only providing an overview of steps for requesting and storing a certificate on the SID800 using RSA Authentication Client 3.6 software on a supported Microsoft Windows workstation.


  1. Enter the Microsoft Certificate Authority (CA) URL ( e.g., https://[CA_hostname]/certsrv ) in a web browser.
  2. Depending on the Microsoft configuration the user is likely to be prompted to enter Windows credentials in a pop-up Window.
  3. Click the Request a certificate link from the select a task listing.
  4. Click advanced certificate request.
  5. Click Create and submit a request to this CA.
  6. In the Advanced Certificate Request form,
    1. Change the Certificate Template to Smartcard User.
    2. Change the CSP to Microsoft Base Smart Card Crypto Provider.
    3. Select an appropriate key size (default is 1024). Leave the remaining settings as default.
    4. Click Submit.

User-added image

  1. After clicking Submit, the end user will be prompted to enter a PIN to access the certificate store on the SID800.

User-added image

  1. Now the system will generate the request:

User-added image

  1.  The private key is generated and stored in the certificate store of the SID800 and after the request has been processed the end user is prompted to install a certificate. Click the Install this certificate link to complete the certificate enrollment and store the certificate on the SID800. A copy of this certificate is also stored in the userCertificate attribute of the user's properties found in Microsoft Active Directory.

User-added image

  1. Open the RSA Authentication Client RSA Control Center and click the Certificates link to confirm the presence of the certificate.

User-added image


  1. From a Microsoft workstation logon the end user will press Ctrl+Alt+Del to logon and may have to switch user to display the tile for Smart card logon. Clicking the Smart card logon tile will prompt the end user to enter the PIN to access the certificate store of the SID800.  For example, where the end user is prompted to enter a PIN:

User-added image

The RSA Authentication Client includes RSA Smart Card middleware. The middleware provides a Microsoft Minidriver based on the Microsoft Smart Card Minidriver specification and an implementation of the Public Key Cryptographic Standard #11 (PKCS #11) Application Programming Interface (API). Refer to the RSA Authentication Client documentation for more information.