What is your smart card suite?

You might wish to consult the documentation that came with it to
figure out what it interprets as 'logon enabled'.  Usually the CA must
be in the machine's (not the user's) trust store, it must have "smart
card authentication" or "smart card logon" set as an intended and
accepted purpose, the subjectAlternativeName must match a Windows
account (or a domain account, in which case the CA must be included in
the domain's certificate store), and the issuerName must match the
name of the certificate that issued it.  Your original openssl.cnf
included a subjectAlternativeName that was specifically DER-encoded,
and I haven't tried to decode it manually as yet.

I'd suggest reading
http://technet.microsoft.com/en-us/library/dd277386.aspx if you
haven't already.  Its documentation is very Windows 2000 Certificate
Services centric, but it does go into information on what certificate
attributes are needed.

-Kyle H

On Mon, May 4, 2009 at 4:49 AM, Nate B. <nate.br...@siemens.com> wrote:
>
> My use of [smart_card] was a mis-transcription.  I am in fact requesting the
> section [smart_cert].  The machine I'm running openssl on is not networked,
> so I figured it was just quicker to transcribe.  That'll show me :P
>
> Something interesting I noticed: it shows under Internet Options -> Content
> -> Certificates -> Intended Purpose = Smart Card Logon, that my cert is
> capable of this (actually, it says "<All>").  Under my smart card suite
> (where I was initially looking) though, it says that Logon is not enabled.
> Is that at all significant?
>
> Thanks in advance for any advice,
>
> -Nate B.
>
>
> wolfoftheair wrote:
>>
>> Your openssl.cnf file contains [smart_cert], but you're calling to
>> request a section called [smart_card]?
>>
>> -Kyle H
>>
>> On Fri, May 1, 2009 at 12:50 PM, Nate B. <nate.br...@siemens.com> wrote:
>>>
>>> I'm new to openssl, and unfortunately I picked as a first challenge
>>> something that seems a bit more advanced, so I was hoping I might be
>>> able to get some help from the more experienced and knowledgeable folks
>>> on this board.
>>>
>>> I need to generate a certificate that can be used for Windows logon with
>>> a smartcard, and having tried to follow about half a dozen different
>>> fragmentary forum threads, I am stuck with the following, not sure how
>>> to move forward.
>>>
>>> To my /etc/ssl/openssl.cnf file I added the following section:
>>>
>>> __________________________
>>> [smart_cert]
>>>
>>> basicConstraints=CA:FALSE
>>> keyUsage = digitalSignature, keyEncipherment
>>>
>>> subjectKeyIdentifier = hash
>>> authorityKeyIdentifier=keyid,issuer
>>>
>>> # clientAuth plus Microsoft Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
>>> extendedKeyUsage=clientAuth,1.3.6.1.4.1.311.20.2.2
>>>
>>> # Microsoft certificate template name extension: BMPString "SmartcardLogon"
>>> 1.3.6.1.4.1.311.20.2 = DER:1E1C0053006D0061007200740063006100720064004C006F0067006F006E
>>> # otherName of type 1.3.6.1.4.1.311.20.2.3 (UPN) holding UTF8String "user@domain.com"
>>> subjectAltName = DER:3021A01F060A2B060104018237140203A0110C0F7573657240646F6D61696E2E636F6D
>>>
>>> crlDistributionPoints = URI:http://192.168.57.100/cert/cert.crl
>>> __________________________
>>>
>>> I then run:
>>>
>>> openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout test.pem -out test.pem -reqexts smart_card
>>>
>>> openssl pkcs12 -export -out test.pfx -in test.pem -name "test certificate"
>>>
>>> Neither of these gives any errors indicating that there was a problem with
>>> the [smart_card] section of my openssl.cnf.  Unfortunately, my smart card
>>> tells me that this certificate does not have the ability to log on.
>>>
>>> What am I missing here?  Or am I completely offtrack?
>>>
>>> Thank you very much,
>>>
>>> Nate B.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
