Add third party CA in Active Directory to enable smart card logon

If you want to be able to use a smart card issued by a third-party CA to log on to your Active Directory domain, there are a few steps you have to do.

  1. You have to tell Active Directory to trust the root certificate: publish it both to the Certification Authorities container (so domain members get it as a trusted root) and to the NTAuthCertificates store (the list of CAs that are allowed to issue logon certificates).
  2. If you want it to work out of the box, there has to be a certificate with the Smart Card Logon EKU on your smart card, and it must carry a UPN in its Subject Alternative Name.
  3. An account whose userPrincipalName matches the UPN above is needed in Active Directory. (Without a UPN in the certificate you have to map the certificate to the account explicitly via the altSecurityIdentities attribute.)

BY DOING THE STEPS BELOW YOU PUT DOMAIN ADMIN RIGHTS IN THE HANDS OF THE OWNER OF THE THIRD PARTY CA. Every CA in NTAuthCertificates is trusted to issue logon certificates for any UPN in the forest, so whoever controls that CA can issue a certificate carrying a Domain Admin's UPN and log on as that account. Only publish a CA you run yourself, or one whose operator you trust exactly as far as you trust your own issuing CA.

  1. Start cmd.exe as Enterprise Admin on a domain-joined machine, e.g. Windows 7.
  2. Go to the folder where the root certificate is saved.
  3. Run certutil -f -dspublish "Third Party CA.cer" RootCA (quote the file name if it contains spaces). This publishes the root to the Certification Authorities container in the configuration partition; domain members pick it up as a trusted root on their next group policy refresh.
  4. Run certutil -f -dspublish "Third Party CA.cer" NTAuthCA. This adds the CA to NTAuthCertificates, which is what actually permits it to issue certificates for logon.
  5. Verify in MMC – Enterprise PKI (pkiview.msc, right-click the root node and choose Manage AD Containers): the CA should be listed under both the NTAuthCertificates and the Certification Authorities container. Domain members only refresh their cached copy of NTAuth at the next group policy / autoenrollment refresh, so run gpupdate /force on the test client (certutil -enterprise -store NTAuth shows the cached copy) before troubleshooting a failed logon.
  6. Now make sure you have a certificate from the above CA and an account in Active Directory that corresponds to the UPN on your smart card certificate.
  7. Verify by logging on with the smart card. If it fails, also check that the domain controllers have a valid domain controller certificate, since the client validates the DC's certificate chain as part of smart card logon.
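The same procedure as a script, with the checks a practitioner wants before trying to log on. This is an added example, not a script from the original post: it publishes the root with the two certutil commands above, then reads NTAuthCertificates directly from the configuration partition, checks that the card's certificate has the Smart Card Logon EKU and a UPN, that it chains to the CA just published, and that an account with that userPrincipalName exists. The file paths are assumptions; run it in an elevated PowerShell session as a member of Enterprise Admins on a domain-joined machine, with the card's certificate exported to a .cer file.

```powershell
# Added example (not the original post's script): publish a third-party root CA for
# smart card logon and verify each prerequisite. Paths below are assumptions.
# Run elevated, as a member of Enterprise Admins, on a domain-joined machine.
param(
    [string]$RootCaCer    = 'C:\pki\ThirdPartyRootCA.cer',   # assumed: the third-party root cert
    [string]$SmartCardCer = 'C:\pki\smartcard-user.cer'      # assumed: cert exported from the card
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices

# Steps 3 and 4 of the post: trusted root for domain members, and NTAuth so the CA may
# issue logon certificates. Remember that every CA in NTAuth can issue a certificate for
# any UPN in the forest, Domain Admins included.
foreach ($target in 'RootCA', 'NTAuthCA') {
    certutil -f -dspublish $RootCaCer $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish $target failed (exit $LASTEXITCODE)" }
}
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaCer

# Step 5: read NTAuthCertificates straight from the configuration partition rather than the
# client-side cache, so the check does not depend on a group policy refresh having run yet.
$cfgNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfgNc"
$published = foreach ($blob in $ntAuth.Properties['cACertificate']) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$blob)
}
if ($published.Thumbprint -notcontains $root.Thumbprint) {
    throw "Root '$($root.Subject)' is not in NTAuthCertificates yet; check replication."
}
Write-Host "NTAuthCertificates contains $($root.Subject)"

# Step 6, first half: the certificate on the card needs the Smart Card Logon EKU
# (1.3.6.1.4.1.311.20.2.2) and a UPN (Principal Name) in its Subject Alternative Name.
$card    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SmartCardCer
$eku     = $card.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extendedKeyUsage
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains '1.3.6.1.4.1.311.20.2.2') {
    throw "Certificate '$($card.Subject)' lacks the Smart Card Logon EKU"
}
$san = $card.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }       # subjectAltName
if (-not ($san -and $san.Format($false) -match 'Principal Name=([^,\s]+)')) {
    throw "Certificate '$($card.Subject)' has no UPN in its Subject Alternative Name"
}
$upn = $Matches[1]
Write-Host "Smart card certificate carries UPN $upn"

# The card certificate must chain to the CA just published, not to some other trusted root.
# ExtraStore lets the chain complete even before this machine has cached the new root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; the DC does revocation at logon
$null = $chain.ChainPolicy.ExtraStore.Add($root)
$null = $chain.Build($card)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw "Certificate chains to '$($chainRoot.Subject)', not to the published root"
}

# Step 6, second half: an account with a matching userPrincipalName must exist.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(userPrincipalName=$upn))"
$account = $searcher.FindOne()
if (-not $account) { throw "No account with userPrincipalName $upn found in the domain" }
Write-Host "UPN $upn maps to $($account.Properties['distinguishedname'][0]); now try logging on with the card."
```

The script deliberately reads NTAuthCertificates over LDAP instead of the local cache: right after certutil -dspublish the object exists in AD but a client will not trust the CA for logon until it has pulled the new NTAuth copy, so the two checks answer different questions (is it published, and has this machine seen it yet). For the second question, certutil -enterprise -store NTAuth on the client is the equivalent check.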