000026583 - What are steps to use Microsoft CA with a SID800?

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000026583
Applies ToRSA Authentication Client 3.5.x
RSA SecurID SID800 Authenticator (USB token)
Microsoft CA
Microsoft Internet Explorer
IssueWhat are steps to use Microsoft CA with a SID800?
Here are Steps:

Log onto the 2008 server as administrator.
Enroll for an "Enrollment Agent" cert
User launches IE browser and accesses MS CA.
> Request a Certificate > Advanced Certificate Request > Create and Submit a Request to this
For Certificate Template select "Enrollment Agent", 
For CSP select Microsoft Enhanced Cryptographic Provider
Select "Install this certificate". This will store the cert in your Personnel browser store.
Verify by going to Internet Options/Content/Certificates/Personnel
Highlight certificate. It should say "Certificate Request Agent".
Next log onto the 2008 server as administrator and enroll for a Cert for another User .
Launch mmc
"Add/Remove Snap-ins" dialog appears.
Insert SID800 into the USB on 2008 server. (It doesn't need smart card until it tries to write the private key so you don't need to insert it here.)
Select File/Add/Remove Snap-in, 
Select "Certificates", click on Add button to add it to the right side.
Certificate Snap-in dialog appears. Accept default setting of "My User Account" and click on
Finish button. Click on OK on "Add/Remove Snap-ins" dialog.
Console1 dialog appears.
Expand Certificates Current User, Highlight Personnel.
Select Action > All Tasks > Advanced Operations > Enroll on behalf of"
Certificate Enrollment dialog appears. Click on Next button.
Select Certificate Enrollment Policy dialog appears.
Highlight "Active Directory Enrollment Policy" and click on Next button.
Select Enrollment Agent Certificate dialog appears. Click browse.
Select a certificate dialog appears.
Highlight the Enrollment Agent Certificate your just created and click OK, then click Next
Active Directory Enrollment Policy displays.
Select "Smart Card User" and click on "Details"
Request Certificate Details dialog appears
Under Private Key tab,  click on "Cryptographic Service Provider" icon
Select "Microsoft Smart Card Cryptographic Service Provider" and click OK.
Click on Next button
Select a User dialog appears.
Select the user that you are requesting the certificate for, by clicking on browser button.
Select User dialog appears.
Enter the name of the user as it appears it the Active Directory and click on OK.
Select a User dialog re-appears with the user name filled in.
Click on Enroll.
Receive message to please insert smart or if already inserted, please re-insert it.
Remove and re-insert SID800.
Enter PIN dialog appears
Enter the PIN and click OK.
Click on Close on Certificate Snap-in dialog
Close Console1, no Save necessary.
Verify by performing a cert logon as the other user.
Legacy Article IDa50796