From: Vincent Le T. <vin...@my...> - 2015-10-03 17:40:10

Yes, it is a possibility. What are certutil -scinfo / pkcs15-tool -D returning?

2015-10-03 19:01 GMT+02:00 Kenneth Benson <pho...@gm...>:
> One thing I've noticed from other drivers/programs using certs being put
> on cards is they almost always want it in the DER internal format. If
> the cert you put on the card was PEM format, it might not be being read
> correctly. A possibility?
>
> Kenneth Benson
>
> On 10/3/2015 3:04 AM, Vincent Le Toux wrote:
> > @Douglas, are you sure that the certificate request was to be stored as
> > a computer account?
> >
> > Well, copy/pasting the output of certutil -scinfo will help a lot.
> > The message "couldn't find any valid certificates" means that the
> > minidriver couldn't find a certificate associated to a public/private
> > key pair. That could mean that the certificate wasn't properly saved to
> > the smart card (wrong reference / id / label).
> > Then if the certificate / subject is wrong, it will fail later with a
> > more meaningful error message.
> >
> > Note: you can check the OpenSSL request by renaming the file to .cer and
> > double-clicking on it on Windows, or within OpenSSL itself.
> >
> > Note about computer accounts:
> > When a certificate is used by the computer account (as opposed to the user
> > account), it is stored in the computer certificate store (mmc ->
> > certificate -> computer store).
> > Inside the certificate properties, you have a reference to the CSP/KSP
> > (CertGetCertificateContextProperty[CERT_KEY_PROV_INFO_PROP_ID]) => it
> > makes the link with the smart card (the gray key icon).
> > However most of the applications (like IIS) won't work with smart card
> > certificates because they can't issue a dialog to enter the PIN => the
> > PIN needs to be set in a configuration file and the application designed
> > for that.
> >
> > regards,
> > Vincent
> >
> > 2015-10-03 0:15 GMT+02:00 Douglas E Engert <dee...@gm...>:
> > > I have only created certificates for users on the card.
> > >
> > > So you are trying to place a server certificate on the card?
> > > Is this server certificate to be used for a Windows service of some
> > > kind, or something like a web server on Linux?
> > >
> > > If you have a server with a certificate which is now in software,
> > > dump the certificate and look at the extensions
> > > Microsoft uses in its server certificates.
> > >
> > > The Microsoft CA has templates for creating certificates that can
> > > add some of the extensions.
> > > IIRC, the template can also copy some of the extensions from the
> > > request.
> > >
> > > I don't have an AD CA environment any more, so can not test much.
> > >
> > > I would use a special openssl.conf that would be run through "sed"
> > > that contained:
> > >
> > > req_extensions = v3_req@@TYPE@@ # The extensions to add to a certificate request
> > > commonName = @@CN@@
> > >
> > > [ v3_req9A ]
> > >
> > > # Extensions to add to a certificate request for login
> > >
> > > #basicConstraints = CA:FALSE
> > > #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> > > subjectAltName=otherName:msUPN;UTF8:@@UPN@@
> > >
> > > [ v3_req9D ]
> > > # Extensions to add to a certificate request for encrypt
> > > #basicConstraints = CA:FALSE
> > > keyUsage = critical, keyEncipherment
> > > subjectAltName=email:@@EMAIL@@
> > >
> > > [ v3_req9C ]
> > > # Extensions to add to a certificate request for signed email
> > > #basicConstraints = CA:FALSE
> > > keyUsage = critical, nonRepudiation, digitalSignature
> > > subjectAltName=email:@@EMAIL@@
> > >
> > > sed was used from a script to replace the @@XX@@ with values to be
> > > in the new cert.
> > > @@TYPE@@ would be 9A, 9C or 9D that matched the 3 keys used on a
> > > PIV card
> > > and thus selected one of the v3_reqXX to get the extensions and
> > > values set for the type of certificate.
> > >
> > > When using certutil each user has their own store. A server
> > > certificate would be in some system store,
> > > not sure where.
> > >
> > > Do the OpenSC tools show a certificate on the card?
> > >
> > > On 10/2/2015 3:23 PM, Matt Campbell wrote:
> > > > Hi Douglas,
> > > >
> > > > Could you provide more details on doing this? Admittedly I'm new
> > > > to Windows PKI, but when I export the issued certificate from the CA and
> > > > write it to the card, Windows tells me that it couldn't find
> > > > any valid certificates. Could the subject name that I'm using in
> > > > OpenSSL to make the request be wrong?
> > > >
> > > > openssl req -config openssl.conf -engine pkcs11 -new -key slot_01 -keyform engine -out req.pem -subj "/CN=<DOMAIN.NAME.FQDN>" -text -days 3640
> > > >
> > > > On Tue, Sep 29, 2015 at 7:28 AM, Douglas E Engert <dee...@gm...> wrote:
> > > > > An alternative way to do this until the minidriver can handle
> > > > > writing to a card:
> > > > > (1) generate private key on card
> > > > > (2) use openssl and engine_pkcs11 to generate a certificate request in PEM format
> > > > > (3) cut-and-paste request into the AD CA web page to request certificate.
> > > > > (4) save certificate from the CA.
> > > > > (5) write the certificate to the card.
> > > > >
> > > > > One of the last things I did before retiring was to set up a
> > > > > proof-of-concept system to issue
> > > > > temporary cards for users who either are waiting for an
> > > > > official PIV card or forgot their card at home.
> > > > >
> > > > > Steps 1, 2 and 5 were done on a virtual Linux system running
> > > > > under Windows along with other card management steps.
> > > > >
> > > > > 3 and 4 were done by an AD admin on Windows 7 and transferred.
> > > > > Step 3 also requires a CA template that added the Windows
> > > > > smartcard login extension.
> > > > >
> > > > > Check if step 2 could be done by the sc-hsm-tool.
> > > > >
> > > > > On 9/29/2015 3:09 AM, Andreas Schwier wrote:
> > > > > > Dear Matt,
> > > > > >
> > > > > > Windows is right, the minidriver is currently a read-only driver.
> > > > > >
> > > > > > The minidriver is currently enhanced with EC support and the
> > > > > > authentication mechanisms have changed. See [1] for details.
> > > > > >
> > > > > > I suggest you try an older version of OpenSC or track the latest
> > > > > > development in the pull request.
> > > > > >
> > > > > > Would be great if you could supply logs while you test.
> > > > > >
> > > > > > Andreas
> > > > > >
> > > > > > [1] https://github.com/OpenSC/OpenSC/pull/566
> > > > > >
> > > > > > On 09/29/2015 09:58 AM, Matt Campbell wrote:
> > > > > > > When I attempt to enroll a user for a smart card login certificate, Windows
> > > > > > > tells me that the smart card is read-only [1]. I'm running Windows Server
> > > > > > > 2012 R2 and OpenSC 0.15.0g20150914124137 with a Smartcard-HSM card and
> > > > > > > Identiv/SCM Microsystems SCR331 card reader. I've initialized it per the
> > > > > > > instructions on the GitHub wiki. Any help is appreciated.
> > > > > > >
> > > > > > > [1] http://i.coreduo.me.uk/U4FuFqe.png
> > > > > > >
> > > > > > > ------------------------------------------------------------------------------
> > > > > > > _______________________________________________
> > > > > > > Opensc-devel mailing list
> > > > > > > Ope...@li...
> > > > > > > https://lists.sourceforge.net/lists/listinfo/opensc-devel
> > > > >
> > > > > --
> > > > > Douglas E. Engert <DEE...@gm...>
> > >
> > > --
> > > Douglas E. Engert <DEE...@gm...>
> >
> > --
> > Vincent Le Toux
> >
> > My Smart Logon
> > www.mysmartlogon.com

--
Vincent Le Toux
My Smart Logon
www.mysmartlogon.com
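An added example, not Douglas's script nor anything from the OpenSC project: a POSIX shell rendering of the @@XX@@-templated openssl.conf that Douglas describes (the @@TYPE@@ value picks the v3_req9A/9C/9D section), followed by the CSR step against an on-card key and a PEM-to-DER conversion for the point Kenneth raises about what gets written to the card. The [ req ] and [ req_dn ] wrapper sections, the engine key id syntax and the file names are assumptions.

```shell
# Added example (not the script from the thread). The request template is
# constructed here; the [ req ] / [ req_dn ] wrapper sections are assumed,
# the v3_req9A/9C/9D sections follow the ones quoted in the thread.
set -eu

REQ_TEMPLATE='[ req ]
prompt = no
distinguished_name = req_dn
req_extensions = v3_req@@TYPE@@

[ req_dn ]
commonName = @@CN@@

[ v3_req9A ]
subjectAltName = otherName:msUPN;UTF8:@@UPN@@

[ v3_req9D ]
keyUsage = critical, keyEncipherment
subjectAltName = email:@@EMAIL@@

[ v3_req9C ]
keyUsage = critical, nonRepudiation, digitalSignature
subjectAltName = email:@@EMAIL@@
'

# render_req_conf TYPE CN UPN EMAIL: print the filled-in config on stdout.
# Only the three PIV slot types named in the thread are accepted, so a typo
# cannot silently select a v3_req section that does not exist.
render_req_conf() {
  case "$1" in 9A|9C|9D) ;; *) echo "unknown PIV slot type: $1" >&2; return 1 ;; esac
  printf '%s' "$REQ_TEMPLATE" | sed \
    -e "s|@@TYPE@@|$1|g" -e "s|@@CN@@|$2|g" \
    -e "s|@@UPN@@|$3|g" -e "s|@@EMAIL@@|$4|g"
}

# make_csr TYPE CN UPN EMAIL KEYID OUT: build the CSR through engine_pkcs11
# for the key already on the card (KEYID syntax assumed, e.g. slot_01 as in
# Matt's command line). Requires openssl with the pkcs11 engine installed.
make_csr() {
  conf=$(mktemp)
  render_req_conf "$1" "$2" "$3" "$4" > "$conf"
  openssl req -config "$conf" -engine pkcs11 -keyform engine -key "$5" -new -out "$6"
  rm -f "$conf"
}

# pem_to_der IN OUT: the card tools and the minidriver expect DER, not PEM.
pem_to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2"; }
```

Typical use is `make_csr 9A host.example.com user@example.com user@example.com slot_01 req.pem`, then `pem_to_der issued.pem issued.der` on the certificate saved from the CA before writing it to the card.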