Re: Creating certs used for smartcard logon in windows

Kyle Hamilton Sat, 02 May 2009 13:48:35 -0700

Your openssl.cnf file contains [smart_cert], but you're calling to
request a section called [smart_card]?


-Kyle H

On Fri, May 1, 2009 at 12:50 PM, Nate B. <nate.br...@siemens.com> wrote:
>
> I'm new to openssl, and unfortunately I picked as a first challenge something
> that seems a bit more advanced, so I was hoping I might be able to get some
> help from the more experienced and knowledgeable folks on this board.
>
> I need to generate a certificate that can be used for windows logon with a
> smartcard, and having tried to follow about half a dozen different
> fragmentary forum threads, I am stuck with the following, not sure how to
> move forward.
>
> To my /etc/ssl/openssl.cnf file I added the following section:
>
> __________________________
> [smart_cert]
>
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, keyEncipherment
>
> subjectKeyIdentifier = hash
> authorityKeyIdentifier=keyid,issuer
>
> extendedKeyUsage=clientAuth,1.3.6.1.4.1.311.20.2.2
>
> 1.3.6.1.4.1.311.20.2 =
> DER:1E1C0053006D0061007200740063006100720064004C006F0067006F006E
> subjectAltName =
> DER:3021A01F060A2B060104018237140203A0110C0F7573657240646F6D61696E2E636F6D
>
> crlDistributionPoints = URI:http://192.168.57.100/cert/cert.crl
> __________________________
>
> I then run:
>
> openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout test.pem -out
> test.pem -reqexts smart_card
>
> openssl pkcs12 -export -out test.pfx -in test.pem -name "test certificate"
>
> Neither of these give any errors indicating that there was a problem with
> the [smart_card] section of my openssl.cnf.  Unfortunately, my smart card
> tells me that this certificate does not have the ability to logon.
>
> What am I missing here?  Or am I completely offtrack?
>
> Thank you very much,
>
> Nate B.
> --
> View this message in context: 
> http://www.nabble.com/Creating-certs-used-for-smartcard-logon-in-windows-tp23338745p23338745.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Re: Creating certs used for smartcard logon in windows

Reply via email to