On a computer that has been connected to the Active Directory, open a command prompt window, and type “mmc”. This will open the Microsoft Management Console, where you will create a custom certificate request.
From the File menu, select Add/Remove snap-in, choose Certificates from the list of snap-ins on the left, and click Add. If you are asked who the snap-in will manage certificates for, select “My user account,” and click Finish. Then, click OK.
From within the Personal store, select Action, All Tasks, Advanced Operations, and then Create Custom Request. This will start the Certificate Enrollment wizard. Then click Next, Active Directory Enrollment Policy, and then Next.
The certificate template that you choose will determine what the certificate can be used for. For logging into Active Directory, select either Smartcard User or Smartcard Logon. Then, specify the CMC request format and click Next.
On the next screen, expand the details of the certificate request and click Properties. Here, there are several items that should be specified:
- In the General tab, give a friendly name
- In the Subject tab, enter the Full DN of the Active Directory user (for example: “CN=User,CN=Users,DC=example,DC=com”)
- In the Private Key tab, under Key Options, check the “Make private key exportable”, and select a key size of 1024
- Click OK, and then Next.
Next you will need to specify the location for the certificate request file. Click Browse and save it as an .req file, somewhere you will be able to find it easily, such as your Desktop.
From the command prompt, use the “cd” command to enter the directory where you saved the file. For example, the following command will get you to your desktop:
cd “%UserProfile%\Desktop”
Now you will need to submit the certificate request to your Active Directory Certificate Authority. To do this, run the following command, replacing “Request.req” with the name of your request file:
Certreq -Submit Request.req Request.cer
You will be shown a window listing the different certificate authorities that were found on your network. Select the appropriate CA, and click OK.
If Request.cer is created, you may skip to the next Certreq command.
On the Windows Server, open the Certificate Authority tool, and go to the Failed Requests section. From there, right-click on the failed request, and click on Issue under All Tasks. The certificate is now issued, but still needs to be given to the client.
Under Issued Certificates, right-click on the certificate you have just issued, and click Open. Next, click on “Copy to file” in the Details tab, and follow the wizard. Be sure to save the certificate where it can be accessed from the client computer.
Copy the new certificate file onto the client computer, in the same folder as the request file. Then, go back to the command prompt window, and run the following command, replacing “Request.cer” with the name of the certificate file:
Certreq -User -Accept Request.cer
This certificate should now be listed in the Microsoft Management Console in the Personal certificate store. From there, right-click on the certificate and select Export. Follow the Certificate Export wizard, making sure to export the private key.
When you have finished, you will have a PFX file that you may load onto your GoldKey. Refer to the “Loading Certificates onto a GoldKey” section in the manual for further instructions.
Note: Make sure that you load this certificate onto the first (Authentication) certificate slot. Otherwise, the certificate may not be recognized as valid for Active Directory login.