When a Root CA with Subordinates is created, smart card authentication and the "m of n" rule with a permission level of 00000001 need to be used. Because issuing certificates for subordinate CAs is not an automated task, smart card authentication allows a higher level of security to be achieved.
For subordinate CAs, where certificates are issued automatically, the credentials will have to be stored in the .cng configuration file and Crypto Users with permission level of 00000002 will have to be created. Use encrypted passwords. For this guide, a user with permission level of 00000002, CXI Group "CngCa1" and HMAC password will be created.
Figure 2: Creating a Crypto User
Depending on your requirements, the user can use the Password (HMAC), Smart Card or KeyFile protection type. If you are using smart card authentication, the PIN pad device prompts you to insert the smart card and enter the PIN. Then press the OK button on the PIN pad.