My use of [smart_card] was a mis-transcription. I am in fact requesting the section [smart_cert]. The machine I'm running openssl on is not networked, so I figured it was just quicker to transcribe. That'll show me :P
Something interesting I noticed: it shows under Internet Options -> Content -> Certificates -> Intended Purpose = Smart Card Logon, that my cert is capable of this (actually, it says "<All>"). Under my smart card suite (where I was initially looking) though, it says that Logon is not enabled. Is that at all significant?

Thanks in advance for any advice,
-Nate B.

wolfoftheair wrote:
>
> Your openssl.cnf file contains [smart_cert], but you're calling to
> request a section called [smart_card]?
>
> -Kyle H
>
> On Fri, May 1, 2009 at 12:50 PM, Nate B. <nate.br...@siemens.com> wrote:
>>
>> I'm new to openssl, and unfortunately I picked as a first challenge
>> something that seems a bit more advanced, so I was hoping I might be able
>> to get some help from the more experienced and knowledgeable folks on this
>> board.
>>
>> I need to generate a certificate that can be used for Windows logon with a
>> smartcard, and having tried to follow about half a dozen different
>> fragmentary forum threads, I am stuck with the following, not sure how to
>> move forward.
>>
>> To my /etc/ssl/openssl.cnf file I added the following section:
>>
>> __________________________
>> [smart_cert]
>>
>> basicConstraints=CA:FALSE
>> keyUsage = digitalSignature, keyEncipherment
>>
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier=keyid,issuer
>>
>> extendedKeyUsage=clientAuth,1.3.6.1.4.1.311.20.2.2
>>
>> 1.3.6.1.4.1.311.20.2 = DER:1E1C0053006D0061007200740063006100720064004C006F0067006F006E
>> subjectAltName = DER:3021A01F060A2B060104018237140203A0110C0F7573657240646F6D61696E2E636F6D
>>
>> crlDistributionPoints = URI:http://192.168.57.100/cert/cert.crl
>> __________________________
>>
>> I then run:
>>
>> openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout test.pem -out test.pem -reqexts smart_card
>>
>> openssl pkcs12 -export -out test.pfx -in test.pem -name "test certificate"
>>
>> Neither of these give any errors indicating that there was a problem with
>> the [smart_card] section of my openssl.cnf. Unfortunately, my smart card
>> tells me that this certificate does not have the ability to logon.
>>
>> What am I missing here? Or am I completely off track?
>>
>> Thank you very much,
>>
>> Nate B.
>> --
>> View this message in context:
>> http://www.nabble.com/Creating-certs-used-for-smartcard-logon-in-windows-tp23338745p23338745.html
>> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-us...@openssl.org
>> Automated List Manager majord...@openssl.org

--
View this message in context: http://www.nabble.com/Creating-certs-used-for-smartcard-logon-in-windows-tp23338745p23366702.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
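Added example, not part of the original thread: a minimal DER reader in Python that decodes the two hand-encoded DER: values from the quoted [smart_cert] section, so what they actually carry can be checked before a certificate is issued. The function names are illustrative; the two hex strings are copied from the quoted config.

```python
# Added example: decode the two DER: values from the quoted [smart_cert] section.
SAN_HEX = "3021A01F060A2B060104018237140203A0110C0F7573657240646F6D61696E2E636F6D"
TEMPLATE_HEX = "1E1C0053006D0061007200740063006100720064004C006F0067006F006E"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want_tag):            # read one element, insist on its tag
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02X}, got 0x{tag:02X}")
    return value, nxt

def decode_oid(body):                      # OID content bytes -> dotted string
    subs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(str(a) for a in [first, subs[0] - 40 * first] + subs[1:])

def decode_othername_san(hex_value):
    """GeneralNames holding one otherName: return (type OID, UTF8String)."""
    buf = bytes.fromhex(hex_value)
    names, _ = expect(buf, 0, 0x30)        # SEQUENCE (GeneralNames)
    other, _ = expect(names, 0, 0xA0)      # [0] otherName
    oid, pos = expect(other, 0, 0x06)      # type-id OID
    wrapped, _ = expect(other, pos, 0xA0)  # [0] EXPLICIT value
    text, _ = expect(wrapped, 0, 0x0C)     # UTF8String
    return decode_oid(oid), text.decode("utf-8")

def decode_bmpstring(hex_value):           # single BMPString (tag 0x1E)
    body, _ = expect(bytes.fromhex(hex_value), 0, 0x1E)
    return body.decode("utf-16-be")
```

Run against the values in the quoted config, the subjectAltName decodes to an otherName of type 1.3.6.1.4.1.311.20.2.3 (Microsoft's User Principal Name OID) carrying the literal string user@domain.com, and the 1.3.6.1.4.1.311.20.2 value decodes to the string SmartcardLogon.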