1.5 Prerequisites/Preconditions

For One-Time Password Certificate Enrollment Protocol communication to begin, the prerequisite configuration is as follows:

  1. The administrator sets up an OTP authentication solution from an OTP vendor that includes an OTP authentication server and hardware/software OTP tokens for end users.

  2. The administrator establishes one or more implementation-specific<1> CA servers, configures a new, unique application-policy enhanced key usage (EKU) in Active Directory, and configures two certificate templates on it:

    1. A short-lived smart card logon certificate template.

    2. A signing certificate template with the new, unique application-policy EKU.

The CA server requires permission to enroll certificates by using the signing certificate template. The administrator grants users read and enroll permissions on the short-lived smart card logon certificate template, and grants the OTPCEP server enroll and autoenroll permissions on the signing certificate template.

In addition, the administrator configures the CA to verify that any short-lived smart card logon certificate request is signed by using the signing certificate.
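The preconditions above map onto a handful of attributes of the two `pKICertificateTemplate` objects in Active Directory: the logon template's EKU list and validity period, its issuance requirement (one authorized signature carrying the signing EKU, which is how the CA enforces the "signed by the signing certificate" rule), and the signing template's application-policy EKU. The following PowerShell script is an added example, not part of MS-OTPCE or of any Microsoft tool; it checks a pair of template definitions against those preconditions. The attribute names are the real AD schema attributes, while the template names, the signing EKU OID (`1.3.6.1.4.1.311.99999.1`), the 8-hour reading of "short-lived" and the function names are constructed placeholders.

```powershell
# Added example (not from MS-OTPCE): validates two certificate-template definitions
# against the section 1.5 preconditions. Attribute names are the real AD
# pKICertificateTemplate attributes; names, OID and threshold are placeholders.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'    # well-known Microsoft Smart Card Logon EKU
$OtpcepSigningEku  = '1.3.6.1.4.1.311.99999.1'   # PLACEHOLDER for the admin-defined, unique application-policy OID

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod is an 8-byte little-endian negative interval in
    # 100-nanosecond units; TimeSpan ticks use the same unit.
    param([byte[]] $Bytes)
    $raw = [BitConverter]::ToInt64($Bytes, 0)
    return [TimeSpan]::FromTicks(-$raw)
}

function Test-OtpcepTemplateConfig {
    # Returns a list of findings; an empty list means both templates meet the preconditions.
    param(
        [hashtable] $LogonTemplate,    # attributes of the short-lived smart card logon template
        [hashtable] $SigningTemplate,  # attributes of the signing certificate template
        [string]    $SigningEku,
        [TimeSpan]  $MaxLogonValidity = [TimeSpan]::FromHours(8)   # assumption: what "short-lived" means here
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Item 2.1: the logon template carries the Smart Card Logon EKU and a short validity period.
    if (@($LogonTemplate['pKIExtendedKeyUsage']) -notcontains $SmartCardLogonEku) {
        $findings.Add('Logon template lacks the Smart Card Logon EKU')
    }
    $validity = ConvertFrom-PkiPeriod $LogonTemplate['pKIExpirationPeriod']
    if ($validity -gt $MaxLogonValidity) {
        $findings.Add("Logon template validity $validity exceeds the short-lived limit $MaxLogonValidity")
    }

    # Last paragraph: the CA must verify that each logon request is signed by the signing certificate.
    # On the template that is the issuance requirement: at least one authorized signature whose
    # application policy is the signing EKU (v2-style encoding, a list of OID strings, assumed here).
    if ([int]$LogonTemplate['msPKI-RA-Signature'] -lt 1) {
        $findings.Add('Logon template does not require an authorized signature on the request')
    }
    if (@($LogonTemplate['msPKI-RA-Application-Policies']) -notcontains $SigningEku) {
        $findings.Add('Logon template does not require the signing EKU on the request signature')
    }

    # Item 2.2: the signing template asserts the new application-policy EKU. Because that EKU is
    # meant to be unique to this purpose, the reading applied here is that the signing template
    # must not also assert Smart Card Logon.
    $signingEkus = @($SigningTemplate['pKIExtendedKeyUsage']) + @($SigningTemplate['msPKI-Certificate-Application-Policy'])
    if ($signingEkus -notcontains $SigningEku) {
        $findings.Add('Signing template does not assert the OTPCEP signing EKU')
    }
    if ($signingEkus -contains $SmartCardLogonEku) {
        $findings.Add('Signing template also asserts Smart Card Logon')
    }
    return ,$findings
}

function Get-PkiTemplateAttributes {
    # Reads a live template from the Configuration partition (needs domain connectivity);
    # the result has the same shape as the constructed samples below.
    param([string] $TemplateName)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $de = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $attrs = @{}
    foreach ($name in 'pKIExtendedKeyUsage', 'pKIExpirationPeriod', 'msPKI-RA-Signature',
                      'msPKI-RA-Application-Policies', 'msPKI-Certificate-Application-Policy') {
        $attrs[$name] = $de.Properties[$name].Value
    }
    return $attrs
}

# Constructed sample attribute sets, shaped like the values AD returns (placeholder names).
$logon = @{
    'pKIExtendedKeyUsage'           = @($SmartCardLogonEku)
    'pKIExpirationPeriod'           = [BitConverter]::GetBytes([int64](-[TimeSpan]::FromHours(4).Ticks))
    'msPKI-RA-Signature'            = 1
    'msPKI-RA-Application-Policies' = @($OtpcepSigningEku)
}
$signing = @{
    'pKIExtendedKeyUsage'                  = @($OtpcepSigningEku)
    'msPKI-Certificate-Application-Policy' = @($OtpcepSigningEku)
}

$ok = Test-OtpcepTemplateConfig -LogonTemplate $logon -SigningTemplate $signing -SigningEku $OtpcepSigningEku
"Compliant configuration: $($ok.Count) finding(s)"

# The failure mode the last paragraph guards against: a logon template that accepts unsigned requests.
$weak = $logon.Clone()
$weak['msPKI-RA-Signature'] = 0
$bad = Test-OtpcepTemplateConfig -LogonTemplate $weak -SigningTemplate $signing -SigningEku $OtpcepSigningEku
"Weak configuration: $($bad.Count) finding(s)"
$bad
```

Run against a live forest by replacing the two constructed hashtables with `Get-PkiTemplateAttributes '<logon template cn>'` and `Get-PkiTemplateAttributes '<signing template cn>'`; any non-empty result identifies which precondition from this section the template pair does not meet. The permission grants from the preceding paragraph are ACL entries on the same template objects and are not covered by this check.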