Microsoft’s Certificate Authority (CA) is a great tool for implementing PKI and smartcards. It is quite easy to deploy too (for small deployments at least): Windows 2003’s support for auto-enrolment of the cards takes away a lot of the management overhead, and consequently a significant portion of the deployment cost. It is quite simple to install and set up, though make sure you plan appropriately for an enterprise deployment. One area you particularly need to watch out for is the “Enrolment Agent” permission within the CA…why? Because with this permission I can easily become you. Within the web-based management tool (as an Enrolment Agent) I can enrol a smartcard on behalf of another user, any user. It’s handy for manually enrolling users, but it offers no granularity over which users that covers, and that includes the domain administrator account. Thus this function should only be given to the trusted service administrator, not to the delegated admins on the helpdesk.
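As an added example (not code from the original post), here is a PowerShell check that lists who currently holds an Enrolment Agent certificate issued by the CA and flags any holder outside an approved list. It assumes certutil is available and can reach the CA, that the template keeps its default name EnrollmentAgent, and that $ApprovedAgents is a placeholder allow-list you replace with your own service administrators.

```powershell
# Added example, not from the original post: audit who holds an Enrolment Agent certificate.
# Every holder can enrol a smartcard on behalf of any user, so the list should match
# the trusted PKI service administrators and nobody else.
# Assumptions: certutil is on the path and can reach the CA, the Enrolment Agent
# template uses its default (v1) name "EnrollmentAgent", and $ApprovedAgents is a
# placeholder allow-list that you replace with your own service accounts.
param(
    [string]$Template = 'EnrollmentAgent',
    [string[]]$ApprovedAgents = @('CONTOSO\pki-svc')   # placeholder, not a real account
)

# Query the CA database for issued (Disposition=20) certificates built from the template.
$raw = certutil -view -restrict "CertificateTemplate=$Template,Disposition=20" `
                -out 'RequestID,RequesterName,NotAfter' 2>&1

# certutil prints one "Row N:" block per record with English display names for the
# columns (assumed here; they differ on localised systems). Pull requester and expiry out.
$holders = @()
$current = $null
foreach ($line in $raw) {
    if ($line -match '^Row \d+:') {
        if ($current) { $holders += $current }
        $current = [pscustomobject]@{ Requester = ''; Expires = '' }
    }
    elseif ($current -and $line -match 'Requester Name:\s*"?([^"]+)"?') {
        $current.Requester = $Matches[1].Trim()
    }
    elseif ($current -and $line -match 'Certificate Expiration Date:\s*(.+)$') {
        $current.Expires = $Matches[1].Trim()
    }
}
if ($current) { $holders += $current }

# Report every agent certificate; an unexpired one outside the approved list means
# someone who can enrol on behalf of any user, the domain administrator included.
$now = Get-Date
foreach ($h in $holders) {
    $parsed  = [datetime]::MinValue
    $expired = [datetime]::TryParse($h.Expires, [ref]$parsed) -and ($parsed -lt $now)
    $status  = if ($h.Requester -in $ApprovedAgents) { 'approved' }
               elseif ($expired) { 'expired' }
               else { 'UNAPPROVED - review or revoke' }
    '{0,-35} {1,-22} {2}' -f $h.Requester, $h.Expires, $status
}
```

Revoking a flagged certificate is only half the fix; also remove the account's Enrol permission on the template so it cannot simply request a new one.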