Hello,
I would like to explain and share with you my problems regarding Smartcard logon to Windows 2000 domain using OpenCA.
There is a document in the Microsoft knowledge base defining the requirements a Domain Controller (DC) has to meet to be able to accept smartcard user logon to the domain. The problem is that the DC certificate must have some specific extensions and/or their values; the most important are:
1. A DC certificate must have the subject alternative name extension with other name = GUID of DC and DNS name = DNS name of DC.
2. It must have a specific "Certificate template" extension with BMP value "DomainController".
Now, the problem is that I didn't know how to incorporate it in the OpenCA ext file, so I had to use ASN.1 OIDs for this. I exported a DC certificate issued by a Microsoft CA, parsed it with the asn1parse utility and exported the required extension into a DER file. Then I did a hex dump of the DER file and copied the result into the OpenCA ext file after "subjectAltName=DER:" and "1.3.6.1.4.1.311.20.2=DER:" (the latter is the OID of the certificate template extension).
The second and bigger problem is in issuing the certificate for the smartcard user. This certificate is also specific:
1. It must have the subject alternative name extension with other name = principal name = principal_name_of_the_user (for example [EMAIL PROTECTED]).
2. It must have a specific "Certificate template" extension with BMP value "SmartcardUser" (or "SmartcardLogon").
I have solved this problem in a similar way to the one described above, but the problem remains: how can I automate this for issuing certificates to many different users? Obviously, something has to be done on the OpenCA side to simplify this so that an administrator can choose the domain user and generate a certificate for him. Since OpenCA uses LDAP, there must be some kind of integration between LDAP and Active Directory, and the subjectAltName parameter in the OpenCA ext file has to be filled automatically with the principal name of the chosen user.
I would like to know whether there is anyone who has been playing with this and maybe solved the problem in some practical manner. Are there any plans or activities for doing it in the future?
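The hex dump step described above can be scripted instead of copied from asn1parse output. The following is an added example, not code from this thread or from OpenCA: it DER-encodes the subjectAltName (otherName with the UPN, or GUID plus dNSName for a DC) and the BMPString template value, and prints the two "DER:" lines for the ext file. The OIDs are Microsoft's published ones; the UPN, GUID and DNS name are constructed sample values.

```python
import binascii

# Microsoft OIDs used by the two extensions discussed in the thread
UPN_OID = "1.3.6.1.4.1.311.20.2.3"      # otherName type for the user principal name
TEMPLATE_OID = "1.3.6.1.4.1.311.20.2"   # "Certificate template name" extension (as in the post)
DC_GUID_OID = "1.3.6.1.4.1.311.25.1"    # otherName type carrying the DC's AD object GUID

def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag/length/value triple (long-form length when >= 128)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content

def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))

def other_name(type_oid: str, value: bytes) -> bytes:
    """GeneralName otherName: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }."""
    return der_tlv(0xA0, encode_oid(type_oid) + der_tlv(0xA0, value))

def upn_san_der(upn: str) -> bytes:
    """subjectAltName for a smartcard user: one otherName holding the UPN as a UTF8String."""
    return der_tlv(0x30, other_name(UPN_OID, der_tlv(0x0C, upn.encode("utf-8"))))

def dc_san_der(guid: bytes, dns_name: str) -> bytes:
    """subjectAltName for a domain controller: otherName(GUID as OCTET STRING) + dNSName."""
    return der_tlv(0x30, other_name(DC_GUID_OID, der_tlv(0x04, guid))
                   + der_tlv(0x82, dns_name.encode("ascii")))

def template_der(template: str) -> bytes:
    """Certificate template extension value: a BMPString (UTF-16BE), e.g. "SmartcardLogon"."""
    return der_tlv(0x1E, template.encode("utf-16-be"))

def ext_file_lines(san: bytes, template: bytes) -> list:
    """The two DER: lines for the OpenCA/OpenSSL ext file, hex-encoded as the post describes."""
    return ["subjectAltName=DER:" + binascii.hexlify(san).decode(),
            TEMPLATE_OID + "=DER:" + binascii.hexlify(template).decode()]

if __name__ == "__main__":  # constructed sample user and template
    print("\n".join(ext_file_lines(upn_san_der("alice@example.com"), template_der("SmartcardLogon"))))
```

Later OpenSSL releases accept the same values without hex: `subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@example.com` and `1.3.6.1.4.1.311.20.2=ASN1:BMPSTRING:SmartcardLogon`. Verify either form with `openssl asn1parse` on the issued certificate before handing it to the domain.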
We had the same problem over one year ago. The result was that we developed a patch for OpenSSL and tested it together with France Telecom. The patch is available via my OpenCA area (ftp://ftp.openca.org/pub/openca/developers/bell/). The patch is only designed for the string inclusions which are needed for smartcard certificates (meaning only string values can be handled).
Does this help you a little bit?
Michael
--
-------------------------------------------------------------------
Michael Bell                          Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice        Tel.: +49 (0)30-2093 2482
(Computing Centre)                    Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                          Email (private): [EMAIL PROTECTED]
Germany                               http://www.openca.org
