Grrr - and I find the answer within minutes of sending this! As always, the hardest part with using Google is to find the right words to search for.
Anyway, Microsoft have whitepapers on using 3rd-party CAs for smartcards, and so using certutil I was able to initialize our AD so that it would work with smartcards. I also found the cert extension needed - "1.3.6.1.4.1.311.20.2.2" is for smartcards, i.e. add "1.3.6.1.4.1.311.20.2.2" to extendedKeyUsage during cert creation. There is also evidence you need to ensure the CN string matches the AD "Display Name" field.

However, these whitepapers also state the Domain Controllers need very special certificates installed before they will actually allow themselves to be involved with smartcard login attempts. They contain some quite weird-ass extended keys and "BMP data", and the Subject Alternate Name needs to include the AD GUID of each DC! Such specific attributes would take an age for us to build into our existing PKI processes - we have over 40 DCs today and I don't look forward to fiddling with certs on them all just to test smartcard access :-(

Links:
http://support.microsoft.com/kb/281245
http://support.microsoft.com/kb/295663/
http://support.microsoft.com/kb/291010/

Jason

Jason Haar wrote:
> Hi there
>
> I'm evaluating eTokens for secure cert storage and along with other
> aspects was looking at the ability for Windows domains to use smartcards
> to control login access. Aladdin eToken documentation explicitly states
> you have to use a Microsoft CA to generate certs that can be used for
> smartcard access. However, we have an OpenSSL based PKI and I want to use
> that instead.
>
> I'm guessing all I need is to insert each user's pubkey into their AD
> account's "Published Certificates" tab, but when I try to login I get a
> generic error. So I'm guessing there are cert extensions that AD's
> "smartcard" control looks for.
>
> Any ideas what they are (or am I totally off-track?)
>
> Thanks!
>

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
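The message above says the user certificate needs the OID 1.3.6.1.4.1.311.20.2.2 in extendedKeyUsage and a CN matching the AD Display Name. The following script is an added example, not code from the original post: it builds a throwaway self-signed test certificate with OpenSSL's config-file extension syntax so that the resulting extendedKeyUsage can be inspected, and contrasts it with a certificate that only carries clientAuth. The subject name "Jane Example" and the temporary paths are constructed sample values; in a real deployment the CSR would be signed by the organisation's own CA rather than self-signed, and the DC-side certificate requirements the post mentions are not covered here.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# make_cert WORKDIR EKU_LIST -> writes WORKDIR/cert.pem and prints its path.
# EKU_LIST is the value for extendedKeyUsage, e.g.
#   "clientAuth, 1.3.6.1.4.1.311.20.2.2"  (the Microsoft Smart Card Logon OID)
make_cert() {
    workdir="$1"
    eku="$2"
    # Unquoted heredoc so $eku is expanded into the config.
    cat > "$workdir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ee_ext

[ dn ]
# Constructed sample subject; the post says CN must match the AD Display Name.
CN = Jane Example
O = Example Org

[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectKeyIdentifier = hash
EOF
    # Self-signed only so the example runs offline; swap -x509 for a CSR and
    # a CA signing step in a real PKI.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$workdir/req.cnf" \
        -keyout "$workdir/key.pem" -out "$workdir/cert.pem" 2>/dev/null
    printf '%s\n' "$workdir/cert.pem"
}

# has_smartcard_eku CERT -> exit 0 if the EKU contains 1.3.6.1.4.1.311.20.2.2.
# Newer OpenSSL prints the long name "Microsoft Smartcard Login"; older builds
# may print the raw dotted OID, so match either.
has_smartcard_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -Eq 'Microsoft Smartcard Login|1\.3\.6\.1\.4\.1\.311\.20\.2\.2'
}

# subject_cn CERT -> prints the CN from the certificate subject.
subject_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# Demonstration when run directly.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    tmp="$(mktemp -d)"
    sc="$(make_cert "$tmp" "clientAuth, 1.3.6.1.4.1.311.20.2.2")"
    if has_smartcard_eku "$sc"; then
        echo "smartcard cert: EKU includes Smart Card Logon (CN=$(subject_cn "$sc"))"
    fi
    plain="$(mktemp -d)"
    pc="$(make_cert "$plain" "clientAuth")"
    if ! has_smartcard_eku "$pc"; then
        echo "plain clientAuth cert: Smart Card Logon EKU absent, as expected"
    fi
    rm -rf "$tmp" "$plain"
fi
```

The check function is the useful part operationally: running it over the certificates you intend to publish to AD tells you before any login attempt whether the smart card logon EKU made it into the issued certificate, which is one of the causes of the "generic error" the original poster saw.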