Certificate Propagation

The Certificate Propagation (CertPropSvc) service propagates certificates from smart cards to resources that request them. The Certificate Propagation service applies when a user is logged on and inserts a smart card into a reader that is attached to the computer. The service reads the certificates from the smart card and adds them to the user's personal certificate store.

If the Group Policy setting "Turn on root certificate propagation from smart card" is enabled, root certificates are also propagated to the machine's root trust store. Root certificate propagation is intended for the following smart card deployment scenarios, in which public key infrastructure (PKI) trust has not yet been established:

  • Joining the domain
  • Accessing a network remotely

In both cases, the computer is not joined to a domain, so trust is not being managed by Group Policy. The objective is to authenticate to a remote server (the domain controller or the RADIUS server), and root certificate propagation makes it possible to use the smart card to supply the missing trust chain.

When a user inserts a smart card, the Certificate Propagation service copies any root certificates on the card to the Smart Card Trusted Roots certificate stores on the local computer. This process establishes a trust relationship with the organization.

This service is installed by default and its startup type is Manual. However, if you have deployed smart cards as part of your authentication policy, we recommend that you configure the service with the Automatic startup type. In the default configuration, the service logs on using the Local System account.

The Certificate Propagation service depends on the following system components:

  • Remote Procedure Call (RPC)
  • DCOM Server Process Launcher
  • RPC Endpoint Mapper
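The following PowerShell script is an added example, not part of the original page or of Windows itself. It audits the Certificate Propagation service the way the recommendation above suggests (startup type, logon account and the three dependencies listed), optionally switches the startup type to Automatic, and lists the certificates that have been propagated into the machine's Smart Card Trusted Roots store so an administrator can review what the computer now trusts. The service name `CertPropSvc` is taken from the page; the store path `Cert:\LocalMachine\SmartCardRoot` and the `-SetAutomatic` switch are assumptions of this example.

```powershell
# Added example (not the page's or Microsoft's own code): audit and optionally
# harden the Certificate Propagation service on a smart-card-enabled host.
# Assumptions: elevated Windows PowerShell 5.1+ session; CertPropSvc is the
# service name; Cert:\LocalMachine\SmartCardRoot is the "Smart Card Trusted
# Roots" store; -SetAutomatic is a switch defined by this script.
param(
    [switch]$SetAutomatic   # pass -SetAutomatic to change Manual -> Automatic
)

$svcName = 'CertPropSvc'

# Startup type (Manual by default; Automatic recommended where smart cards are
# part of the authentication policy) and the account the service logs on as.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service $svcName not found on this host." }

[pscustomobject]@{
    Name        = $svc.Name
    DisplayName = $svc.DisplayName
    State       = $svc.State
    StartMode   = $svc.StartMode      # 'Manual', 'Auto' or 'Disabled'
    LogOnAs     = $svc.StartName      # expected: LocalSystem
} | Format-List

# Dependencies named on the page: RPC, DCOM Server Process Launcher,
# RPC Endpoint Mapper. If any of them is stopped, CertPropSvc cannot start.
$deps = (Get-Service -Name $svcName).ServicesDependedOn
Write-Host "`nRequired services:"
$deps | Select-Object Name, DisplayName, Status | Format-Table -AutoSize

$down = $deps | Where-Object { $_.Status -ne 'Running' }
if ($down) {
    Write-Warning ("Stopped dependencies: " + ($down.Name -join ', '))
}

# Apply the recommended startup type only when explicitly requested.
if ($SetAutomatic -and $svc.StartMode -ne 'Auto') {
    Set-Service -Name $svcName -StartupType Automatic
    Start-Service -Name $svcName
    Write-Host "$svcName set to Automatic and started."
}

# Root certificates copied from cards land in the machine's Smart Card Trusted
# Roots store. Every entry there is a trust anchor the computer will honour,
# so the contents deserve the same review as the normal Root store.
Write-Host "`nSmart Card Trusted Roots (LocalMachine\SmartCardRoot):"
Get-ChildItem -Path Cert:\LocalMachine\SmartCardRoot -ErrorAction SilentlyContinue |
    Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
```

Run the script without arguments to report only; add `-SetAutomatic` to change the startup type. Reviewing the Smart Card Trusted Roots store is the useful part of the audit: because root propagation is designed for machines that are not under Group Policy management, that store is where a card-supplied trust anchor will appear, and it should contain only roots the organization issued.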
