“Certificate Propagation Service” is a critical service. The certificate propagation service applies when a logged-on user inserts a smart card into a reader attached to the computer. This action causes the certificates to be read from the smart card and added to the user’s Personal store. It also allows smart cards to supply trustworthy root certificates which, among other uses, can serve as a method of logon. The Windows Smart Card Framework requires that the following critical services are running when a smart card is inserted in the reader:
- Certificate Propagation service
- Smart Card service
“Root certificate propagation service”: Root certificate propagation is responsible for specific smart card deployment scenarios where public key infrastructure (PKI) trust has not yet been established:
- Joining the domain
- Accessing a network remotely
In both cases, the computer is not joined to a domain and, therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller or the RADIUS server. Root certificate propagation lets the smart card supply the missing trust chain.
On smart card insertion, the certificate propagation service propagates any root certificates on the card to the computer’s trusted smart card root certificate store. This process establishes a trust relationship with the enterprise. A subsequent cleanup action can also be configured to remove those certificates when the user’s smart card is removed from the reader or when the user logs off.
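The following PowerShell audit is an added example, not part of the original text: it checks the two services the Smart Card Framework requires, reads the policy value that switches root certificate propagation on or off, and lists what has been propagated into the machine’s smart card root store. The service names (CertPropSvc, SCardSvr), the policy registry path and the store name (SmartCardRoot) are assumptions based on standard Windows builds.

```powershell
# Added example (not from the original text). Service names, the policy
# path and the SmartCardRoot store name are assumed from standard Windows
# builds; run in an elevated PowerShell session on the machine in question.

function Get-SmartCardPropagationState {
    $result = [ordered]@{}

    # 1. Both services must be running for a card insertion to trigger
    #    certificate propagation at all.
    foreach ($name in 'CertPropSvc', 'SCardSvr') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) {
            $result[$name] = "$($svc.Status) (start type: $($svc.StartType))"
        } else {
            $result[$name] = 'not installed'
        }
    }

    # 2. Policy switch for root certificate propagation (assumed location).
    #    A missing value means "not configured"; report that rather than
    #    guessing what the platform default is.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CertProp'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $flag = 'not configured'
    if ($null -ne $policy -and $null -ne $policy.EnableRootCertificatePropagation) {
        if ($policy.EnableRootCertificatePropagation -eq 1) { $flag = 'enabled' } else { $flag = 'disabled' }
    }
    $result['RootPropagationPolicy'] = $flag

    # 3. Roots propagated from cards. Anything in this store became trusted
    #    because a card was inserted, so it deserves the same review as any
    #    other trust anchor on the machine.
    $roots = @(Get-ChildItem -Path 'Cert:\LocalMachine\SmartCardRoot' -ErrorAction SilentlyContinue)
    $result['SmartCardRootCount'] = $roots.Count
    $result['SmartCardRoots'] = @($roots | ForEach-Object {
        '{0} thumbprint={1} expires={2:yyyy-MM-dd}' -f $_.Subject, $_.Thumbprint, $_.NotAfter
    })

    [pscustomobject]$result
}

Get-SmartCardPropagationState | Format-List
```

If the store holds roots you do not recognise, that is the place to investigate before relying on the trust chain the card supplied.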