Well, the story is pretty long, so I'll start from the beginning.

Microsoft Knowledge Base Q291010 defines the requirements a DC
certificate must have in order to be able to authenticate smartcard
logon users. One of them is that the key pair must be generated using the
RSA/Schannel CSP. The simplest way of doing this is to install
Microsoft CA services and to issue a certificate request using a form,
where you can choose this CSP and generate a key pair and certificate
request in PKCS#10 format.
Then you need to create a role for the DC certificate because of the specific
extensions it must have. The first is the subjectAltName extension, which
has to have other name = GUID of DC and DNS name = DNS name of DC. Since
I had already installed Microsoft CA services, it had generated a DC
certificate, so the simplest thing for me was to export it to the OpenCA
machine and parse it with the openssl asn1parse utility (I'll send you a
detailed description if you need it) to get a DER-formatted subjectAltName.
Then I did a hex dump of this DER file and put the result after
"subjectAltName=DER:" in the ext file of the newly created role. The second is
the Certificate Template extension, which is specific to Microsoft and
unknown to openssl, so I did the same thing with asn1parse and put the
result after "1.3.6.1.4.1.311.20.2=DER:" in the ext file
(1.3.6.1.4.1.311.20.2 is the OID of the Certificate Template extension). You
can just use this (but subjectAltName is specific to you, so use
asn1parse):

keyUsage = digitalSignature, keyEncipherment

# extended Key Usage
extendedKeyUsage = clientAuth, serverAuth

# Certificate Template "DomainController" (bmp string)
1.3.6.1.4.1.311.20.2=DER:1e:20:00:44:00:6f:00:6d:00:61:00:69:00:6e:00:43:00:6f:00:6e:00:74:00:72:00:6f:00:6c:00:6c:00:65:00:72

That is it.

Next, you have to generate a smartcard user certificate, which also must
have some specifics (so a new role again). Besides the "CRL Distribution
Points" extension, which is standard, the "Enhanced Key Usage" extension
must contain Client Authentication and Smartcard Logon. So you have to
put something like

        extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.5.7.3.4

where 1.3.6.1.4.1.311.20.2.2 is the OID of SmartCard Logon, and
1.3.6.1.5.5.7.3.4 is the OID of SecureMail (if you want to use this
certificate for Secure Mail too).
The Certificate Template extension must have the value "SmartcardUser" or
"SmartcardLogon" (again, with SmartcardUser you can also use the
certificate for SecureMail). You can use this:

keyUsage = digitalSignature, keyEncipherment

# Certificate template "SmartcardUser" (bmp string)
1.3.6.1.4.1.311.20.2=DER:1e:1a:00:53:00:6d:00:61:00:72:00:74:00:63:00:61:00:72:00:64:00:55:00:73:00:65:00:72

# Enhanced Key usage (clientAuth, SmartcardLogon, secureMail)
extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.5.7.3.4

And the last thing: the subjectAltName extension must have other name =
Principal name = user_principal_name (for example [EMAIL PROTECTED]). To
be able to issue certificates to different smartcard users without
the need to create the extension for each, I have used the OpenCA
possibility to automatically set the user email in subjectAltName (but in
this case you have to use [EMAIL PROTECTED] as the user email, not
[EMAIL PROTECTED], because this is not the principal name). Then I
put the following in the smartcard user ext file:

subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${ENV::subjectAltName}

where 1.3.6.1.4.1.311.20.2.3 is the Principal Name OID. Remember that this
works only with openssl version 0.9.8 (you can download a snapshot of the
0.9.8-dev version and use it).

The last problem is that OpenCA automatically adds the word "email:"
before the actual email address. To eliminate this I have been told to
remove it in:

$OPENCA_PREFIX/lib/functions/crypto-utils.lib 

Replace

 $ENV{'subjectAltName'} = "email:".$req->getParsed()->{DN_HASH}->{EMAILADDRESS}[0];

with

 $ENV{'subjectAltName'} = $req->getParsed()->{DN_HASH}->{EMAILADDRESS}[0];

I have not tested it yet!!

I hope this can help you; feel free to contact me.

Regards

Dejan Gambin 
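As an added example (not from Dejan's message or from OpenCA itself), the following Python builds the DER BMPString value that goes after "1.3.6.1.4.1.311.20.2=DER:" for any template name and decodes such a value back, so the hex in an ext file can be generated and verified rather than copied from an asn1parse dump; the function names are my own.

```python
# Added example (not from the thread): build and check the DER BMPString
# value used for Microsoft's Certificate Template extension
# (OID 1.3.6.1.4.1.311.20.2) in an OpenSSL/OpenCA "ext" file.
MS_CERT_TEMPLATE_OID = "1.3.6.1.4.1.311.20.2"
BMPSTRING_TAG = 0x1E

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def bmpstring_der(text: str) -> bytes:
    """Encode text as a DER BMPString (tag 0x1e, length, UTF-16BE body)."""
    if any(ord(c) > 0xFFFF or 0xD800 <= ord(c) <= 0xDFFF for c in text):
        raise ValueError("BMPString only holds Basic Multilingual Plane chars")
    body = text.encode("utf-16-be")
    return bytes([BMPSTRING_TAG]) + der_length(len(body)) + body

def openssl_der_value(raw: bytes) -> str:
    """Colon-separated hex in the form openssl accepts after 'DER:'."""
    return "DER:" + ":".join(f"{b:02x}" for b in raw)

def template_ext_line(template: str) -> str:
    """The complete ext-file line for a given template name."""
    return f"{MS_CERT_TEMPLATE_OID}={openssl_der_value(bmpstring_der(template))}"

def parse_template_value(value: str) -> str:
    """Decode a 'DER:..' value back to text, checking tag and length."""
    hexpart = value[4:] if value.startswith("DER:") else value
    raw = bytes.fromhex(hexpart.replace(":", ""))
    if len(raw) < 2 or raw[0] != BMPSTRING_TAG:
        raise ValueError("value is not a BMPString")
    if raw[1] < 0x80:
        length, off = raw[1], 2
    else:
        n = raw[1] & 0x7F
        length, off = int.from_bytes(raw[2:2 + n], "big"), 2 + n
    if off + length != len(raw):
        raise ValueError("DER length does not match the content")
    return raw[off:].decode("utf-16-be")

if __name__ == "__main__":
    for name in ("DomainController", "SmartcardUser", "SmartcardLogon"):
        print(template_ext_line(name))
```

The generated hex can be cross-checked against what openssl asn1parse prints for a certificate exported from a Microsoft CA, as the message above describes.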

-----Original Message-----
From: Sion Camilleri [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 22, 2003 10:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Smartcard Logon to Windows 2000 domain using
OpenCA certification authority


Hi Gambin,

Could you please tell me how you managed to use OpenCA instead. I'd be
interested to see an example of what the certificate looks like, etc., if
that's all right.

Gambin Dejan wrote:

> I am using OpenCA 0.9.1 and I have resolved my problem. If You are 
> interested in details, let me know
>
> Regards
>
> Dejan Gambin
>
> -----Original Message-----
> From: Chris Covell [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 21, 2003 4:59 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Openca-Users] Smartcard Logon to Windows 2000 domain 
> using OpenCA certification authority
>
> Hello there,
>
> I have not read the MicroSoft specs, but I know that certificates we 
> issue from OpenCA are being used to logon to a Win2K domain.
>
> > 1. It must have the subject alternative name extension with other name
> > = principal name = principal_name_of_the_user (for example
> > [EMAIL PROTECTED]). 2. It must have a specific "Certificate
> > template" extension with bmp value "SmartcardUser" (or
> > "SmartcardLogon").
> >
>
> The interesting thing is that certs I am issuing from 0.9.0-1 have an 
> extended key usage field with a value of "Smart Card Logon
> (1.3.6.1.4.1.311.20.2.2)"
> and the email in the Subject Alt Name, as you describe above.
>
> I have noticed that the extended key usage is an additional field in the
> 0.9.1-1 ext files. What version of OpenCA are you using ?
>
> Chris...
>
> -------------------------------------------------------
> This SF.net email is sponsored by OSDN developer relations Here's your
> chance to show off your extensive product knowledge We want to know
> what you know. Tell us and you have a chance to win $100
> http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54
> _______________________________________________
> Openca-Users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/openca-users
>




