
Using custom certificate templates for Appterix YubiKey Enrollment

Enrolling certificates on YubiKeys for the PIV function can be time-consuming and error-prone. Often, either no certificate templates for smartcard logon to Windows exist, or users cannot execute them themselves for certificate enrollment on their YubiKey.

Appterix offers the ability to automatically generate PKI certificates. Administrators determine whether Appterix should create the certificate templates or use existing smartcard logon and enrollment agent templates. Users receive a pop-up notification or can create and renew certificates based on these templates using YubiKey enrollment within the Appterix agent. This article describes the requirements that your Active Directory certificate services' own certificate templates must meet for enrollment with Appterix.

Note regarding the crypto service provider

Appterix supports certificate templates using Key Storage Providers (KSPs). Legacy Crypto Service Providers (CSPs) are not supported.

Switching from a legacy Crypto Service Provider (CSP) to a Key Storage Provider (KSP) is a crucial step if you want to take advantage of modern security features such as TPM protection or elliptic curves.

When duplicating the "Enrollment Agent" template, this setting is somewhat hidden: the compatibility settings determine which options are available on the "Cryptography" tab.

Provider category configuration

Here you will find step-by-step instructions for changing the provider category:

Adjust compatibility settings:

This is the most important step. If compatibility is set to "Windows Server 2003", the console will only allow the older CSPs.
Right-click the Enrollment Agent template and select Duplicate Template.
Switch to the Compatibility tab.
Set Certification Authority to Windows Server 2012 or higher.
Set Certificate recipient to Windows 8 / Windows Server 2012 or higher as well.
Confirm the warning message about the resulting changes with "OK".

Switch provider category to KSP:

Switch to the Cryptography tab.
Open the dropdown menu under Provider Category.
Select Key Storage Provider there.
In the field below, select the desired algorithm (usually RSA or ECDH_P256, depending on the requirements).
In the list of providers, you can now select specific KSPs, such as the Microsoft Software Key Storage Provider.
Important note: Ensure that the clients intended to use this template (i.e., the administrators' workstations that request certificates on behalf of users) actually support the selected Windows version. Older systems (such as Windows 7) cannot handle KSP-based templates.
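Before handing a template to Appterix, it is worth verifying in the directory that the settings above actually took effect rather than trusting the console dialog. The following PowerShell check is an added example, not part of the Appterix article or product: it reads the template object from the Configuration partition and reports the schema version (KSP support requires version 3 or higher; the Windows Server 2012 compatibility setting above produces version 4), the "Legacy Cryptographic Service Provider" flag, and the listed providers. It assumes the RSAT ActiveDirectory module is installed, that third-party KSPs can be recognised by the substring "Key Storage Provider", and that the template names at the bottom are placeholders you replace with your template CNs.

```powershell
# Added example (not Appterix code): check whether AD CS templates meet the KSP requirement.
# Assumptions: RSAT ActiveDirectory module present, read access to the Configuration partition,
# and KSP names containing "Key Storage Provider" (third-party KSPs with other names will be flagged).
Import-Module ActiveDirectory

# msPKI-Private-Key-Flag bit set when Provider Category is "Legacy Cryptographic Service Provider"
$CT_FLAG_USE_LEGACY_PROVIDER = 0x100

function Test-KspTemplate {
    param([Parameter(Mandatory)][string]$TemplateName)   # CN of the template, not its display name

    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
            (Get-ADRootDSE).configurationNamingContext
    $t = Get-ADObject -SearchBase $base -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
            -Properties 'msPKI-Template-Schema-Version','msPKI-Private-Key-Flag','pKIDefaultCSPs','msPKI-RA-Application-Policies'
    if (-not $t) { throw "Template '$TemplateName' not found under $base" }

    $schema  = [int]$t.'msPKI-Template-Schema-Version'
    $pkFlags = [int]$t.'msPKI-Private-Key-Flag'
    $legacy  = ($pkFlags -band $CT_FLAG_USE_LEGACY_PROVIDER) -ne 0

    # pKIDefaultCSPs entries look like "1,Microsoft Software Key Storage Provider"; keep only the name
    $providers = @($t.pKIDefaultCSPs | ForEach-Object { ($_ -split ',', 2)[1] })
    $nonKsp    = @($providers | Where-Object { $_ -notlike '*Key Storage Provider*' })

    # The algorithm chosen on the Cryptography tab is stored as backtick-separated name`type`value
    # triples in msPKI-RA-Application-Policies, e.g. msPKI-Asymmetric-Algorithm`PZPWSTR`ECDH_P256`
    $algorithm = $null
    $tokens = ([string]$t.'msPKI-RA-Application-Policies') -split [char]96
    $i = [array]::IndexOf($tokens, 'msPKI-Asymmetric-Algorithm')
    if ($i -ge 0 -and $i + 2 -lt $tokens.Count) { $algorithm = $tokens[$i + 2] }

    $reasons = @()
    if ($schema -lt 3) { $reasons += "schema version $schema is CSP-only; raise the Compatibility settings as described above" }
    if ($legacy)       { $reasons += "Provider Category is 'Legacy Cryptographic Service Provider'" }
    if ($nonKsp.Count) { $reasons += "non-KSP providers listed: $($nonKsp -join '; ')" }

    [pscustomobject]@{
        Template      = $TemplateName
        SchemaVersion = $schema
        Algorithm     = $algorithm
        Providers     = $providers -join '; '
        KspCapable    = ($reasons.Count -eq 0)
        Reasons       = $reasons -join ' | '
    }
}

# Placeholder template CNs: replace with the smartcard logon and enrollment agent templates you intend to use
'YourSmartcardLogonTemplate', 'YourEnrollmentAgentTemplate' | ForEach-Object { Test-KspTemplate $_ } | Format-List
```

A template that reports KspCapable = False with an empty Providers column and a legacy flag of False usually just needs the Compatibility tab raised; a legacy flag of True means the Provider Category on the Cryptography tab still points at a CSP.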

Further configurations of the Appterix Smartcard Logon template