
Crescendo Integration Guide
47A3-905, A.1
Microsoft Windows Server 2003
Page 18 of 54
© 2008 HID Global Corporation. All rights reserved
December 1, 2008
2.4 Creating a Microsoft CA Enrollment Station
In some deployments, it is convenient to issue smart card certificates to entities other than yourself. For instance, an Administrator deploys smart card certificates to all employees of a company. In this scenario, the Administrator should have the ability to issue smart card certificates to all persons who must have a smart card.
Administrators who issue smart card certificates to entities other than themselves set up a so-called ‘Registration Authority (RA) station’ and obtain an ‘Enrollment Agent’ certificate. There are several ways to retrieve an enrollment agent certificate, one of which is to request and install it through Internet Explorer.
2.4.1 Create an RA Station
These are the steps to create an RA station:
1. Install the drivers for your HID Crescendo card model on the enrollment machine, as described in section 2.3.
2. Install all the necessary smart card reader drivers.
3. Obtain an ‘enrollment agent’ certificate. [1]
[1] To enroll for a smart card certificate on behalf of someone, the user must have an enrollment agent certificate. The smart card enrollment agent can create smart cards on behalf of any user, including an enterprise administrator. After the smart card is created, you can use it to log on to the domain with the credentials of the user for whom it was created. Thus, it is a very sensitive role. The Enrollment Agent certificate gives administrators control over which user accounts can enroll for smart cards. This, in combination with appropriate physical security, can generate a great deal of confidence in the smart card generation process.
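
Because the enrollment agent role described above is so sensitive, it helps to know which certificates on the RA station actually carry it. The following is an added example, not part of the HID guide: it inventories the personal certificate stores for certificates with the Certificate Request Agent enhanced key usage (OID 1.3.6.1.4.1.311.20.2.1). The function name and the default store paths are assumptions, and it requires PowerShell 3.0 or later, which the guide itself does not use.

```powershell
# Added example (not from the HID guide): find enrollment agent certificates.
# The Certificate Request Agent EKU is what marks a certificate as usable
# for enrolling on behalf of other users.
$EnrollmentAgentOid = '1.3.6.1.4.1.311.20.2.1'

# Hypothetical helper name; the store paths are assumed defaults.
function Get-EnrollmentAgentCertificate {
    param(
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            # Locate the Enhanced Key Usage extension, if the certificate has one.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            if (-not $eku) { return }   # no EKU extension: skip this certificate

            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -contains $EnrollmentAgentOid) {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $cert.Subject
                    Issuer        = $cert.Issuer
                    NotAfter      = $cert.NotAfter
                    Expired       = ($cert.NotAfter -lt (Get-Date))
                    HasPrivateKey = $cert.HasPrivateKey   # usable for signing requests
                    Thumbprint    = $cert.Thumbprint
                }
            }
        }
    }
}

# Review the result: every row is an identity that can enroll smart cards
# on behalf of other users from this machine.
Get-EnrollmentAgentCertificate | Format-Table -AutoSize
```

Any row with `HasPrivateKey` set and `Expired` false that does not belong to a designated RA operator is worth following up with the CA administrator.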