Well, the story is pretty long, so I will start from the beginning.
Microsoft Knowledge Base Q291010 defines the requirements a DC
certificate must have in order to be able to authenticate smartcard
logon users. One of them is that the key pair must be generated using the
RSA/Schannel CSP. The simplest way of doing this is to install
Microsoft CA services and to issue a certificate request using a form
where you can choose this CSP and generate a key pair and certificate
request in PKCS#10 format.
Then you need to create a role for the DC certificate because of the specific
extensions it must have. The first is the subjectAltName extension, which
has to have other name = GUID of DC and DNS name = DNS name of DC. Since
I had already installed Microsoft CA services, it had generated a DC
certificate, so the simplest thing for me was to export it to the OpenCA
machine and parse it with the openssl asn1parse utility (I'll send you a
detailed description if you need it) to get a DER-formatted subjectAltName.
Then I did a hex dump of this DER file and put the result after
"subjectAltName=DER:" in the ext file of the newly created role. The second is
the Certificate Template extension, which is specific to Microsoft and
unknown to openssl, so I did the same thing with asn1parse and put the
result after "1.3.6.1.4.1.311.20.2=DER:" in the ext file
(1.3.6.1.4.1.311.20.2 is the OID of the Certificate Template extension). You
can just use this (but subjectAltName is specific to you, so use
asn1parse):
keyUsage = digitalSignature, keyEncipherment
# extended Key Usage
extendedKeyUsage = clientAuth, serverAuth
# Certificate Template "DomainController" (bmp string)
1.3.6.1.4.1.311.20.2=DER:1e:20:00:44:00:6f:00:6d:00:61:00:69:00:6e:00:43:00:6f:00:6e:00:74:00:72:00:6f:00:6c:00:6c:00:65:00:72
That is it.
Next, you have to generate a smartcard user certificate that also must
have some specifics (so a new role again). Besides the "CRL Distribution
Points" extension, which is standard, the "Enhanced Key Usage" extension
must contain Client Authentication and Smartcard Logon. So you have to
put something like
extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.5.7.3.4
where 1.3.6.1.4.1.311.20.2.2 is the OID of Smartcard Logon, and
1.3.6.1.5.5.7.3.4 is the OID of Secure Email (if you want to use this
certificate for secure mail too). The Certificate Template extension must
have the value "SmartcardUser" or "SmartcardLogon" (again, with
SmartcardUser you can also use the certificate for Secure Email). You
can use this:
keyUsage = digitalSignature, keyEncipherment
# Certificate template "SmartcardUser" (bmp string)
1.3.6.1.4.1.311.20.2=DER:1e:1a:00:53:00:6d:00:61:00:72:00:74:00:63:00:61:00:72:00:64:00:55:00:73:00:65:00:72
# Enhanced Key usage (clientAuth, SmartcardLogon, secureMail)
extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.5.7.3.4
And the last thing: the subjectAltName extension must have other name =
Principal name = user_principal_name (for example [EMAIL PROTECTED]). To
be able to issue certificates to different smartcard users without
the need to create the extension for each, I have used the OpenCA
option to automatically set the user's email in subjectAltName (but in
this case you have to use [EMAIL PROTECTED] as the user's email, not
[EMAIL PROTECTED], because this is not the principal name). Then I
put the following in the smartcard user ext file:
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${ENV::subjectAltName}
where 1.3.6.1.4.1.311.20.2.3 is the Principal Name OID. Remember that this
works only with openssl version 0.9.8 (you can download a snapshot of the
0.9.8-dev version and use it).
The last problem is that OpenCA automatically adds the word "email:"
before the actual email address. To eliminate this I have been told to
remove it in:
$OPENCA_PREFIX/lib/functions/crypto-utils.lib
Replace
$ENV{'subjectAltName'} = "email:".$req->getParsed()->{DN_HASH}->{EMAILADDRESS}[0];
with
$ENV{'subjectAltName'} = $req->getParsed()->{DN_HASH}->{EMAILADDRESS}[0];
I have not tested it yet!!
I hope this could help you; feel free to contact me.
Regards
Dejan Gambin
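The DER values in the message above were obtained by exporting a Microsoft-issued certificate and running asn1parse on it. What follows is an added example, not part of Dejan's message and not OpenCA or OpenSSL code: a small Python script that encodes the Certificate Template BMPString and the UPN otherName straight from their ASN.1 definitions and prints them in the colon-separated form the DER: syntax of an OpenSSL ext file takes. The template names and the UPN "user@domain.example" are sample values only. The DER form of subjectAltName it produces is an alternative to the otherName:...;UTF8: syntax for openssl builds that do not understand that syntax (the message says only 0.9.8 does); the decode function is the reverse check you would otherwise do with asn1parse.

```python
"""Added example (not from the post): build the DER values an OpenSSL ext
file needs for a DC / smartcard-user certificate without exporting and
hex-dumping a Microsoft-issued certificate.  Encoders follow the ASN.1
definitions (RFC 5280 GeneralName; Microsoft Certificate Template and UPN)."""

MS_CERT_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"     # Certificate Template extension (BMPString)
MS_SMARTCARD_LOGON_EKU = "1.3.6.1.4.1.311.20.2.2"  # Smart Card Logon EKU (for reference)
MS_UPN = "1.3.6.1.4.1.311.20.2.3"                  # otherName type-id for the Principal Name


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(value)) + value


def bmpstring_der(text: str) -> bytes:
    """BMPString (tag 0x1e) is UCS-2 big-endian; template names are ASCII."""
    return der_tlv(0x1E, text.encode("utf-16-be"))


def oid_der(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def colon_hex(data: bytes) -> str:
    """The aa:bb:cc spelling that OpenSSL's DER: extension syntax expects."""
    return ":".join(f"{b:02x}" for b in data)


def template_ext_line(template: str) -> str:
    """Ext-file line for the Certificate Template extension (DomainController, SmartcardUser, ...)."""
    return f"{MS_CERT_TEMPLATE_NAME}=DER:{colon_hex(bmpstring_der(template))}"


def upn_san_der(upn: str) -> bytes:
    """subjectAltName holding one otherName:
       GeneralName [0] IMPLICIT OtherName { type-id OID, value [0] EXPLICIT UTF8String }."""
    value = der_tlv(0xA0, der_tlv(0x0C, upn.encode("utf-8")))  # [0] EXPLICIT UTF8String
    other_name = der_tlv(0xA0, oid_der(MS_UPN) + value)        # [0] IMPLICIT replaces SEQUENCE tag
    return der_tlv(0x30, other_name)                           # GeneralNames ::= SEQUENCE OF


def upn_san_ext_line(upn: str) -> str:
    """DER form of the subjectAltName line, for builds without otherName:...;UTF8: support."""
    return f"subjectAltName=DER:{colon_hex(upn_san_der(upn))}"


def decode_template_name(der: bytes) -> str:
    """Reverse check (what asn1parse would show): accept exactly one short-form BMPString."""
    if len(der) < 2 or der[0] != 0x1E or der[1] >= 0x80:
        raise ValueError("not a short-form BMPString")
    if der[1] != len(der) - 2 or der[1] % 2:
        raise ValueError("bad BMPString length")
    return der[2:].decode("utf-16-be")


if __name__ == "__main__":
    print(template_ext_line("DomainController"))
    print(template_ext_line("SmartcardUser"))
    print(upn_san_ext_line("user@domain.example"))  # sample UPN, not a real account
```

Paste the printed lines into the role's ext file; the two template lines reproduce the hex shown in the message, and the subjectAltName line carries the UPN otherName that the 0.9.8-only ${ENV::subjectAltName} form would otherwise generate, so it can be built per user by whatever drives the CA.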
-----Original Message-----
From: Chris Covell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 12:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Smartcard Logon to Windows 2000 domain using
OpenCA certification authority
Hello there,
On Wednesday 22 October 2003 05:51, Gambin Dejan wrote:
> I am using OpenCA 0.9.1 and I have resolved my problem. If You are
> interested in details, let me know
>
Yes, please can you send details.
Many thanks.
Chris...
-------------------------------------------------------
This SF.net email is sponsored by OSDN developer relations Here's your
chance to show off your extensive product knowledge We want to know what
you know. Tell us and you have a chance to win $100
http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users