Setting up a Smart Card Template for Self-Enrollment

Microsoft Certificate Authority (CA) provides basic smart card certificate templates. However, these standard Microsoft CA templates cannot be used as they are on Windows 2008 or Windows 2012 servers. They must be duplicated and configured first. This section shows how you can set up two Smart Card certificate templates: one that can be used to self-enroll, and one that can be used to enroll certificates on a smart card on behalf of a user.

First, open up the Service Manager. Note: You cannot manage certificate templates from the default CA snap-in.

Select “Active Directory Certificate Services”, then “Certificate Templates”, right-click the “Smart Card User” template and select “Duplicate Template”.



The Smart Card User template is a general use template that enables computer logon, as well as signing and encryption. If you want just smart card logon, you can also select the “Smart Card Logon” template.

Select “Windows Server 2003 Enterprise”.

Note: Do not choose Windows Server 2008 Enterprise – this uses CNG (the new cryptographic subsystem) which does not support the typical smart card profile.

Rename the template.


Select the CSPs button at the bottom right of the “Request Handling” tab.



If you are using the Charismathics Smart Card Minidriver, select Microsoft Base Smart Card Crypto Provider.

If you are using Standard CSSI, select “charismathics smart security CSP”.

If this isn't showing up in the list, make sure CSSI is installed on the server.


Alternatively, you can choose "Requests can use any CSP available in the subject's computer". Note that this is recommended only for testing.




Click OK, and OK again to save the template.

Go to the CA snap-in, and select the “Certificate Templates” directory. This directory contains all the templates assigned to the CA. Some templates are assigned to the CA by default.


Select “Certificate Template to issue”.

Select the certificate template you have just created. Check that the certificate template is now visible in the “Certificate Template” directory of the active CA.

You are now ready to have users self-enroll their smart card certificates.
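To confirm the result without clicking back through each tab, the settings above can be checked from the template's Active Directory attributes. The PowerShell below is an added example, not part of the original article or any vendor tooling; the template name `SmartCardUserSelfEnroll`, the function name, and the reading of an empty `pKIDefaultCSPs` as "any CSP" are assumptions, and the sample object is constructed.

```powershell
# Added example: audit a duplicated smart card template against this article's settings.
function Test-SmartCardTemplate {
    param(
        [Parameter(Mandatory)] $Template,      # object carrying the AD attributes read below
        [string[]] $PublishedTemplates = @(),  # templates assigned to the CA (its certificateTemplates attribute)
        [string[]] $AllowedCsps = @(
            'Microsoft Base Smart Card Crypto Provider',
            'charismathics smart security CSP')
    )
    $findings = @()

    # A "Windows Server 2003 Enterprise" duplicate has schema version 2;
    # version 3 or higher is a Windows Server 2008 (CNG) template.
    $version = [int]$Template.'msPKI-Template-Schema-Version'
    if ($version -ne 2) {
        $findings += "Schema version is $version, expected 2 (Windows Server 2003 Enterprise)"
    }

    # pKIDefaultCSPs entries have the form '<index>,<CSP name>'.
    # Assumption: an empty list corresponds to "Requests can use any CSP".
    $csps = @($Template.pKIDefaultCSPs | Where-Object { $_ } |
        ForEach-Object { ($_ -split ',', 2)[1] })
    if ($csps.Count -eq 0) {
        $findings += 'No CSP selected: requests can use any CSP (testing only)'
    }
    foreach ($csp in $csps) {
        if ($AllowedCsps -notcontains $csp) { $findings += "Unexpected CSP: $csp" }
    }

    if ($PublishedTemplates -notcontains $Template.Name) {
        $findings += "Template '$($Template.Name)' is not assigned to the CA"
    }
    $findings
}

# Constructed sample. On a domain-joined host with the ActiveDirectory module, read the real object with:
#   Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" `
#     -Filter "Name -eq 'SmartCardUserSelfEnroll'" -Properties pKIDefaultCSPs,'msPKI-Template-Schema-Version'
$sample = [pscustomobject]@{
    Name                            = 'SmartCardUserSelfEnroll'   # placeholder name
    'msPKI-Template-Schema-Version' = 3                           # duplicated as 2008 Enterprise by mistake
    pKIDefaultCSPs                  = @()                         # no CSP selected
}
@(Test-SmartCardTemplate -Template $sample -PublishedTemplates @('User', 'Machine'))
```

For the constructed sample the function reports three findings: the wrong template version, no CSP selected, and the template not assigned to the CA.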
