From: Kenneth B. <pho...@gm...> - 2015-10-03 17:02:04

One thing I've noticed from other drivers/programs using certs being put on cards is they almost always want it in the DER internal format. If the cert you put on the card was PEM format, it might not be being read correctly. A possibility?

Kenneth Benson

On 10/3/2015 3:04 AM, Vincent Le Toux wrote:
> @Douglas, are you sure that the certificate request was to be stored as a computer account?
>
> Well copy/paste the output of certutil -scinfo will help a lot.
> The message "couldn't find any valid certificates" means that the minidriver couldn't find a certificate associated to a public/key pair.
> That could mean that the certificate wasn't properly saved to the smart card (wrong reference / id / label).
> Then if the certificate / subject is wrong, it will fail later with a more meaningful error message.
>
> Note: you can check the OpenSSL request by renaming the file to .cer and double click on it on Windows or within OpenSSL itself.
>
> Note about computer accounts:
> When a certificate is used by the computer account (opposed to the user account), it is stored in the computer certificate store (mmc -> certificate -> computer store).
> Inside the certificate properties, you have a reference to the CSP/KSP (CertGetCertificateContextProperty[CERT_KEY_PROV_INFO_PROP_ID]) => it makes the link with the smart card (the gray key icon).
> However most of the applications (like IIS) won't work with smart card certificates because they can't issue a dialog to enter the PIN => the PIN needs to be set in a configuration file and the application designed for that.
>
> regards,
> Vincent
>
> 2015-10-03 0:15 GMT+02:00 Douglas E Engert <dee...@gm...>:
>
> > I have only created certificates for users on the card.
> >
> > So you are trying to place a server certificate on the card?
> > Is this server certificate to be used for a Windows service of some kind, or something like a web server on linux?
> >
> > If you have a server with a certificate which is now in software, dump the certificate and look at the extensions Microsoft uses in its server certificates.
> >
> > The Microsoft CA has templates for creating certificates that can add some of the extensions.
> > IIRC, the template can also copy some of the extensions from the request.
> >
> > I don't have an AD CA environment any more, so can not test much.
> >
> > I would use a special openssl.conf that would be run through "sed" that contained:
> >
> > req_extensions = v3_req@@TYPE@@ # The extensions to add to a certificate request
> > commonName = @@CN@@
> >
> > [ v3_req9A ]
> >
> > # Extensions to add to a certificate request for login
> >
> > #basicConstraints = CA:FALSE
> > #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> > subjectAltName=otherName:msUPN;UTF8:@@UPN@@
> >
> > [ v3_req9D ]
> > # Extensions to add to a certificate request for encrypt
> > #basicConstraints = CA:FALSE
> > keyUsage = critical, keyEncipherment
> > subjectAltName=email:@@EMAIL@@
> >
> > [ v3_req9C ]
> > # Extensions to add to a certificate request for signed email
> > #basicConstraints = CA:FALSE
> > keyUsage = critical, nonRepudiation, digitalSignature
> > subjectAltName=email:@@EMAIL@@
> >
> > sed was used from a script to replace the @@XX@@ with values to be in the new cert.
> > @@TYPE@@ would be 9A, 9C or 9D that matched the 3 keys used on a PIV card and thus selected one of the v3_reqXX to get the extensions and values set for type of certificate.
> >
> > When using certutil each user has their own store. A server certificate would be in some system store, not sure where.
> >
> > Do the OpenSC tools show a certificate on the card?
> >
> > On 10/2/2015 3:23 PM, Matt Campbell wrote:
> > > Hi Douglas,
> > >
> > > Could you provide more details on doing this? Admittedly I'm new to Windows PKI, but when I export the issued certificate from the CA and write it to the card, Windows tells me that it couldn't find any valid certificates. Could the subject name that I'm using in OpenSSL to make the request be wrong?
> > >
> > > openssl req -config openssl.conf -engine pkcs11 -new -key slot_01 -keyform engine -out req.pem -subj "/CN=<DOMAIN.NAME.FQDN>" -text -days 3640
> > >
> > > On Tue, Sep 29, 2015 at 7:28 AM, Douglas E Engert <dee...@gm...> wrote:
> > >
> > > > An alternative way to do this until the minidriver can handle writing to a card:
> > > > (1) generate private key on card
> > > > (2) use openssl and engine_pkcs11 to generate a certificate request in PEM format
> > > > (3) cut-and-paste request into the AD CA web page to request certificate.
> > > > (4) Save certificate from the CA.
> > > > (5) write the certificate to the card.
> > > >
> > > > One of the last things I did before retiring was to setup a proof-of-concept system to issue temporary cards for users who either are waiting for an official PIV card or forgot their card at home.
> > > >
> > > > Steps 1, 2 and 5 were done on a virtual Linux system running under Windows along with other card management steps.
> > > >
> > > > 3 and 4 were done by an AD admin on Windows 7 and transferred.
> > > > Step 3 also requires a CA template that added the Windows smartcard login extension.
> > > >
> > > > Check if step 2 could be done by the sc-hsm-tool.
> > > >
> > > > On 9/29/2015 3:09 AM, Andreas Schwier wrote:
> > > > > Dear Matt,
> > > > >
> > > > > Windows is right, the minidriver is currently a read-only driver.
> > > > >
> > > > > The minidriver is currently enhanced with EC support and the authentication mechanisms have changed. See [1] for details.
> > > > >
> > > > > I suggest you try an older version of OpenSC or track the latest development in the pull request.
> > > > >
> > > > > Would be great if you could supply logs while you test.
> > > > >
> > > > > Andreas
> > > > >
> > > > > [1] https://github.com/OpenSC/OpenSC/pull/566
> > > > >
> > > > > On 09/29/2015 09:58 AM, Matt Campbell wrote:
> > > > > > When I attempt to enroll a user for a smart card login certificate, Windows tells me that the smart card is read-only[1]. I'm running Windows Server 2012 R2 and OpenSC 0.15.0g20150914124137 with a Smartcard-HSM card and Identiv/SCM Microsystems SCR331 card reader. I've initialized it per the instructions on the GitHub wiki. Any help is appreciated.
> > > > > >
> > > > > > [1] http://i.coreduo.me.uk/U4FuFqe.png
> > > > > >
> > > > > > _______________________________________________
> > > > > > Opensc-devel mailing list
> > > > > > Ope...@li...
> > > > > > https://lists.sourceforge.net/lists/listinfo/opensc-devel
> > > >
> > > > --
> > > > Douglas E. Engert <DEE...@gm...>
> >
> > --
> > Douglas E. Engert <DEE...@gm...>
>
> --
> Vincent Le Toux
>
> My Smart Logon
> www.mysmartlogon.com
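An added example, not code from the thread or from OpenSC, covering two points raised above: Douglas's sed-templated openssl.conf for the PIV 9A/9C/9D key slots, and Kenneth's note that card tools expect the certificate in DER rather than PEM. The `[ req ]` / `[ req_dn ]` wrapper sections around the thread's fragment and the tiny DER blob used as sample input are assumptions constructed here.

```python
import base64
import re
# openssl.conf fragment from the thread with its @@XX@@ placeholders; the
# [ req ] and [ req_dn ] wrapper sections are an assumption added here.
CONF_TEMPLATE = """[ req ]
distinguished_name = req_dn
req_extensions = v3_req@@TYPE@@
prompt = no
[ req_dn ]
commonName = @@CN@@
[ v3_req9A ]
subjectAltName = otherName:msUPN;UTF8:@@UPN@@
[ v3_req9D ]
keyUsage = critical, keyEncipherment
subjectAltName = email:@@EMAIL@@
[ v3_req9C ]
keyUsage = critical, nonRepudiation, digitalSignature
subjectAltName = email:@@EMAIL@@
"""
PIV_KEY_TYPES = ("9A", "9C", "9D")  # PIV auth, signing, key management slots
def render_openssl_conf(key_type, cn, upn="", email=""):
    """The sed step from the thread, done in Python for one PIV key slot."""
    if key_type not in PIV_KEY_TYPES:
        raise ValueError("unsupported PIV key type: %r" % key_type)
    values = {"TYPE": key_type, "CN": cn, "UPN": upn, "EMAIL": email}
    if any("\n" in v or "\r" in v for v in values.values()):
        raise ValueError("newline in a value would inject extra config lines")
    return re.sub(r"@@([A-Z]+)@@", lambda m: values[m.group(1)], CONF_TEMPLATE)
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def der_length_ok(der):
    """True if der is one ASN.1 SEQUENCE whose encoded length spans the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)
def to_der(cert_bytes):
    """Accept PEM or DER and return DER, the form card tools expect."""
    m = PEM_RE.search(cert_bytes)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else cert_bytes
    if not der_length_ok(der):
        raise ValueError("not a complete DER SEQUENCE; do not write it to the card")
    return der
# Constructed stand-in: a minimal DER SEQUENCE { INTEGER 5 }, not a real cert.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
```

Run `to_der` on the file you are about to write with the card tools; a PEM file that was accepted as DER by a card writer would explain the "couldn't find any valid certificates" result discussed above.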