Buy smart cards and log in via them on Windows 10 and Windows Server 2016 - Windows Server - Tutorials

If you need strong authentication in your company, you will need card readers and smart cards (in which you will write your users' certificates).
Thus, for example, they will be able to connect to a client PC using their smart card and the associated PIN code.

However, before ordering your equipment, it will be essential to find out which card readers and which smart cards to buy.
Indeed, not all smart cards support the storage of certificates.

1. Where to buy smart cards ?

To order compatible smart cards and smart card readers, we recommend that you go to Cardelya.
Indeed, it's a French company that agrees to sell products to companies, but also to individuals.

If you are a geek and don't own a company, then you can also order without problems on this site.
Nevertheless, pay attention to the prices, because these are displayed excluding VAT since these products are intended mainly for professionals. As an individual, you will also have to pay the associated VAT (if you live in the EU).

As you can see in the "Nos solutions -> Authentification forte -> Infrastructure à clés publique - PKI" section of the Cardelya website, you will see that Cardelya can help you in the implementation of your public key infrastructure (PKI) by allowing you to authenticate your users using smart cards.

If you go to the "Nos produits" section, you will see that Cardelya can provide you with different IT security products :

Smart cards : smart cards containing data or certificates (if applicable)
Card readers : to read and use your smart cards
HSM - HSE : to generate, store and protect your encryption keys in a secure way
Software : software allowing you to use and/or manage your smart cards
and more

On the right, you will also see that Cardelya allows you to order their products online through their e-shop.

Important : Cardelya is only the showcase site for this company.
Purchases are managed through their official e-shop "scardshop.com". The products are therefore more up to date on the e-shop than on the Cardelya showcase site.

The Cardelya e-shop is accessible via the "scardshop.com" domain.

As you can see, this e-shop allows you to buy several types of products, including the "microprocessor card" smart cards that you will need for strong authentication via your PKI infrastructure.

If you click on the "Qui sommes-nous ?" located at the bottom of this e-shop, you will see that this site is Cardelya's sales site.
The 2 sites are therefore managed by the same company.

If you go to the "Cardelya -> Marques partenaires" section of the Cardelya website, you will see that Cardelya works with several partners, including :

Gemalto (which has since become Thales) : provides the smart cards you will need
HID Global : provides the compatible card reader that we will used you in this tutorial

If you have any questions about Cardelya products and/or your needs, please don't hesitate to contact Cardelya by telephone on the number : +33 (0)2 99 00 30 83.
Their contact details are available in the "Contact" section of their site.

If you prefer to contact them by e-mail, contact :

Typhaine VANNIER at "typhaine.vannier[AT]cardelya.fr" for technical questions
Noémie MESSAGER at "noemie.messager[AT]cardelya.fr" for administrative or commercial questions

Note : don't forget to replace "[AT]" by "@" in the e-mail addresses mentioned above.

Important : you need to speak French. So, use Google Translate, if needed.

2. Which smart cards to choose ?

To get started, go to the "scardshop.com" e-shop.

If you go to "Cartes à puce" (Smart cards), you will see that many types of cards are offered.
Indeed, you can use contact chip cards (cards similar to your bank card with a chip), RFID cards (contactless cards), ...

To be able to enroll certificates through your Microsoft PKI infrastructure, you will need to use microprocessor cards.

Warning : the memory cards in the "Cartes à puce contact" (Contact smart cards) section DO NOT allow certificates to be stored.
These are only programmable cards in which you can manually store data.

As you can see, the smart cards available in the "Cartes à puce -> Cartes à puce contact -> Cartes microprocesseur" section of this e-shop are provided by THALES (formerly GEMALTO) and correspond to your PKI needs.
Thanks to these smart cards, you will be able to benefit from strong authentication in your company.

As you can see, there are different versions of these smart cards.

What mainly changes are :

the chip that is used on these smart cards
the size of the storage space available on it
the level of security supported

For this tutorial, we purchased the "THALES IDPrime MD940" smart card (which is the most recent version available on this e-shop).

If you are unsure which chip to choose, choose the one with the highest number.
Indeed, this indicates that it's the most recent version.

If the "THALES IDPrime MD940" smart card is no longer available when you follow this tutorial, we recommend that you use a more recent "THALES IDPrime MDxxx" card.
Indeed, the mention "MD" in the model of this "THALES IDPrime" smart card indicates that it can work with Microsoft Windows Minidriver (which simplifies integration into your Microsoft Windows environment).

The most important thing for this smart card to work with your PKI infrastructure is that it supports the ISO 7816 interface.
Indeed, this means that you can register a certificate on it.

Sources :

As you can see on the sheet below, this smart card has a memory size of 400 KB.
Which is more than enough.
Indeed, a certificate using a 1024-bit key will occupy approximately 2.5 KB of space in your smart card.
The rest of your memory card storage space contains :

its operating system : 16 Ko
its provider's applications, such as CSP : 8 Ko
its folder structure : 4 Ko

Note that the larger the key size used for your certificate, the more secure it will be.
However, a 1024-bit key is sufficient (according to Microsoft) to secure remote access or Administrator accounts.
Also, the larger the key size, the longer the login process will take.

Source : Smart card evaluation - Microsoft Docs.

At the bottom of each sheet, you will often find the documentation related to the product concerned.

In this documentation, you will see that THALES indicates that SafeNet IDPrime smart cards are designed for PKI-based applications and that the SafeNet minidriver offers perfect integration with Microsoft's native support (on Windows 10).
Thanks to the minidriver, smart card manufacturers can use Microsoft's native support and in particular use the encryption provider : Smart Card Base Cryptographic Service Provider (CSP).

Sources :

If you have very specific needs or want to check the compatibility of this smart card with your PKI infrastructure, you will be able to obtain all the information you want on it in the rest of this very complete PDF file.
As expected, for this "THALES IDPrime MD940" smart card, we find the important informations :

the name of the smart card : SafeNet IDPrime 940
the standards it supports : BaseCSP minidriver (SafeNet minidriver) and ISO 7816 (support for enrolling certificates on the smart card)

3. Which card reader to choose ?

Now that you know which contact smart cards to buy, it's important to buy a smart card reader compatible with them in order to read and use them.
To do this, go to the "Lecteurs de carte à puce -> Lecteurs carte contact" section of this "scardshop" e-shop.

In this section, you will find several card readers provided by different manufacturers.

In our case, we have chosen the "HID OMNIKEY 3121" smart card reader.
As you can see, it's a "PC/SC" (Personal computer/Smart Card) smart card reader.

In its description, you will see that it again supports this "PC/SC" standard and that it can notably read smart cards compatible with the ISO 7816 interface.
Note that this card reader can read all "ISO 7816" smart cards (regardless of the chip used on your smart cards).

As confirmed by Typhaine VANNIER working at Cardelya, this "HID OMNIKEY 3121" card reader can read all smart cards using the "ISO7816" interface (regardless of the chip used : MD940, MD930, ...) .

As you can see on the "Smart Card Architecture" page of the official Microsoft documentation, Microsoft supports smart card readers using the "Personal Computer/Smart Card" (PC/SC) standard.