Updated: July 11, 2020 (November 19, 2001)

Smart Card Enrollment

Windows 2000 Certificate Services includes a Web-based application that allows “enrollment officers” to create smart cards for other users. The enrollment officer must first have a special “enrollment certificate,” which can only be issued by a system administrator to users explicitly permitted to perform this function. When enrolling a user, the officer selects the type of certificate template, the issuing certificate authority (CA), the cryptographic service provider (CSP) for the type of smart card being used, and the user account that he plans to enroll. With the card inserted into a reader attached to the officer’s machine, he clicks “enroll.” A prompt asks him for the PIN of the card, which he can change during the enrollment process. The smart card or its associated CSP generates a key pair, encrypts and stores the private key on the card, and sends the public key to the CA. The CA creates and signs a certificate containing the public key, sends the certificate back to the smart card, and also publishes it in Active Directory. The enrollment officer can then issue the card and PIN to the user.
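The flow above, modelled with OpenSSL as an added example (not Certificate Services code): the card's request is signed with the officer's enrollment certificate, and the CA issues only when that signature chains back to it. Assumptions: all names and files are hypothetical, key files stand in for the card, and any CA-issued certificate counts as an enrollment certificate here, whereas a real CA also checks that certificate's purpose.

```shell
#!/bin/sh
# Constructed model; every name and file below is hypothetical.
# Key files stand in for the smart card. On a real card the private key stays on the chip.
WORK=$(mktemp -d)
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

new_cert() {  # new_cert NAME SUBJECT [self]: key + cert, CA-issued unless "self"
  if [ "$3" = self ]; then
    q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.crt"
  else
    q openssl req -newkey rsa:2048 -nodes -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" &&
    q openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.crt"
  fi
}

card_request() {  # "card" generates the user's key pair; only the CSR leaves it
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/card.key" -out "$WORK/card.csr"
}

officer_sign() {  # officer_sign SIGNER: wrap the card's CSR in a CMS signature
  q openssl cms -sign -binary -nodetach -in "$WORK/card.csr" \
    -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -outform PEM -out "$WORK/req.p7"
}

ca_issue() {  # CA side: issue only if the signer's certificate chains to the CA
  q openssl cms -verify -in "$WORK/req.p7" -inform PEM -CAfile "$WORK/ca.crt" \
    -purpose any -out "$WORK/verified.csr" || return 1
  q openssl x509 -req -in "$WORK/verified.csr" -days 1 -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/user.crt"
}

enroll() {  # enroll SIGNER USER: full flow; exit status says whether a cert was issued
  rm -f "$WORK/user.crt"
  card_request "$2" && officer_sign "$1" && ca_issue &&
  q openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt"
}

new_cert ca "/CN=Example CA" self
new_cert officer "/CN=Enrollment Officer"        # enrollment certificate from the CA
new_cert rogue "/CN=Not An Officer" self         # never issued by the CA
enroll officer alice && echo "alice: certificate issued"
enroll rogue mallory || echo "mallory: request rejected"
```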
