From: Matt C. <mat...@ou...> - 2015-09-29 07:58:48

When I attempt to enroll a user for a smart card login certificate, Windows tells me that the smart card is read-only[1]. I'm running Windows Server 2012 R2 and OpenSC 0.15.0g20150914124137 with a Smartcard-HSM card and Identiv/SCM Microsystems SCR331 card reader. I've initialized it per the instructions on the GitHub wiki. Any help is appreciated.

[1] http://i.coreduo.me.uk/U4FuFqe.png
From: Andreas S. <and...@ca...> - 2015-09-29 08:09:30

Dear Matt,

Windows is right, the minidriver is currently a read-only driver.

The minidriver is currently enhanced with EC support and the authentication mechanism has changed. See [1] for details.

I suggest you try an older version of OpenSC or track the latest development in the pull request.

Would be great if you could supply logs while you test.

Andreas

[1] https://github.com/OpenSC/OpenSC/pull/566

On 09/29/2015 09:58 AM, Matt Campbell wrote:
> When I attempt to enroll a user for a smart card login certificate, Windows
> tells me that the smart card is read-only[1]. I'm running Windows Server
> 2012 R2 and OpenSC 0.15.0g20150914124137 with a Smartcard-HSM card and
> Identiv/SCM Microsystems SCR331 card reader. I've initialized it per the
> instructions on the GitHub wiki. Any help is appreciated.
>
> [1] http://i.coreduo.me.uk/U4FuFqe.png
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

--
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
--------- http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com
From: Douglas E E. <dee...@gm...> - 2015-09-29 12:34:55

An alternative way to do this until the minidriver can handle writing to a card:
(1) generate private key on card
(2) use openssl and engine_pkcs11 to generate a certificate request in PEM format
(3) cut-and-paste request into the AD CA web page to request certificate.
(4) Save certificate from the CA.
(5) write the certificate to the card.

One of the last things I did before retiring was to set up a proof-of-concept system to issue temporary cards for users who either are waiting for an official PIV card or forgot their card at home.

Steps 1, 2 and 5 were done on a virtual Linux system running under Windows along with other card management steps.

3 and 4 were done by an AD admin on Windows 7 and transferred. Step 3 also requires a CA template that added the Windows smartcard login extension.

Check if step 2 could be done by the sc-hsm-tool.

--
Douglas E. Engert <DEE...@gm...>
From: Matt C. <mat...@ou...> - 2015-10-02 20:24:26

Hi Douglas,

Could you provide more details on doing this? Admittedly I'm new to Windows PKI, but when I export the issued certificate from the CA and write it to the card, Windows tells me that it couldn't find any valid certificates. Could the subject name that I'm using in OpenSSL to make the request be wrong?

openssl req -config openssl.conf -engine pkcs11 -new -key slot_01 -keyform engine -out req.pem -subj "/CN=<DOMAIN.NAME.FQDN>" -text -days 3640
From: Matt C. <mat...@ou...> - 2015-09-29 14:52:47

Hello, Andreas.

I guess I was under the impression that the minidriver had write support too. I used a development version of OpenSC because it seems that the latest release (0.15) does not install properly on Windows 8.1/Server 2012 R2. The installer successfully completes but none of the files are there.
From: Vincent Le T. <vin...@my...> - 2015-09-29 15:40:02

Hi Matt,

I'm working on the minidriver.
I confirm that the minidriver has partial write support but only when a flag is activated.
In addition to the ECC support (see https://github.com/OpenSC/OpenSC/pull/566), I'm working on that.

Can you explain to me why you think that the minidriver installation is not working anymore?
I've solved the problem related to the minidriver configuration / installation (requesting the installation of a driver until disabled) but in my opinion, there is no problem with the installation.
Did you mean the x86 / x64 installer problem? (32-bit version not available to 64-bit applications)

Vincent

--
Vincent Le Toux
My Smart Logon
www.mysmartlogon.com
From: Matt C. <mat...@ou...> - 2015-10-02 20:18:58

Hi Vincent,

For some reason the driver wasn't getting installed in my virtual Server 2012 R2 environment, but on my Windows 8.1 machine it seems to work fine. I'm not sure what the problem was.
From: Douglas E E. <dee...@gm...> - 2015-10-02 22:22:48

I have only created certificates for users on the card.

So you are trying to place a server certificate on the card? Is this server certificate to be used for a Windows service of some kind, or something like a web server on Linux?

If you have a server with a certificate which is now in software, dump the certificate and look at the extensions Microsoft uses in its server certificates.

The Microsoft CA has templates for creating certificates that can add some of the extensions. IIRC, the template can also copy some of the extensions from the request.

I don't have an AD CA environment any more, so can not test much.

I would use a special openssl.conf that would be run through "sed" that contained:

req_extensions = v3_req@@TYPE@@ # The extensions to add to a certificate request
commonName = @@CN@@

[ v3_req9A ]
# Extensions to add to a certificate request for login
#basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=otherName:msUPN;UTF8:@@UPN@@

[ v3_req9D ]
# Extensions to add to a certificate request for encrypt
#basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment
subjectAltName=email:@@EMAIL@@

[ v3_req9C ]
# Extensions to add to a certificate request for signed email
#basicConstraints = CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature
subjectAltName=email:@@EMAIL@@

sed was used from a script to replace the @@XX@@ with values to be in the new cert. @@TYPE@@ would be 9A, 9C or 9D that matched the 3 keys used on a PIV card and thus selected one of the v3_reqXX to get the extensions and values set for the type of certificate.

When using certutil each user has their own store. A server certificate would be in some system store, not sure where.

Do the OpenSC tools show a certificate on the card?

--
Douglas E. Engert <DEE...@gm...>
From: Vincent Le T. <vin...@my...> - 2015-10-03 07:04:27

@Douglas, are you sure that the certificate request was to be stored as a computer account?

Well, copy/paste of the output of certutil -scinfo will help a lot.
The message "couldn't find any valid certificates" means that the minidriver couldn't find a certificate associated to a public/private key pair.
That could mean that the certificate wasn't properly saved to the smart card (wrong reference / id / label).
Then if the certificate / subject is wrong, it will fail later with a more meaningful error message.

Note: you can check the OpenSSL request by renaming the file to .cer and double-clicking on it on Windows, or within OpenSSL itself.

Note about computer accounts:
When a certificate is used by the computer account (as opposed to the user account), it is stored in the computer certificate store (mmc -> certificate -> computer store).
Inside the certificate properties, you have a reference to the CSP/KSP (CertGetCertificateContextProperty[CERT_KEY_PROV_INFO_PROP_ID]) => it makes the link with the smart card (the gray key icon).
However most of the applications (like IIS) won't work with smart card certificates because they can't issue a dialog to enter the PIN => the PIN needs to be set in a configuration file and the application designed for that.

regards,
Vincent

--
Vincent Le Toux
My Smart Logon
www.mysmartlogon.com
From: Kenneth B. <pho...@gm...> - 2015-10-03 17:02:04

One thing I've noticed from other drivers/programs using certs being put on cards is they almost always want it in the DER internal format. If the cert you put on the card was PEM format, it might not be being read correctly. A possibility?

Kenneth Benson
> <mailto:Ope...@li...> > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > > > > -- > -- > Vincent Le Toux > > My Smart Logon > www.mysmartlogon.com <http://www.mysmartlogon.com/> > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > |
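The openssl.conf-through-sed approach Douglas describes in the quoted message, as an added example that is not code from this thread or from the OpenSC project: it renders a complete `req` configuration from a template carrying the same @@TYPE@@/@@CN@@/@@UPN@@/@@EMAIL@@ placeholders, rejects a TYPE that has no matching v3_reqXX section (otherwise openssl req fails later with a much less helpful error), and wraps the engine_pkcs11 request call. Douglas only showed the extension sections; the `[ req ]` and `[ req_dn ]` sections, the function names and the KEY_ID variable are assumptions, and the `-key slot_01` default is the key reference from Matt's own command.

```shell
#!/bin/sh
# Added example: render a sed-templated openssl.conf for one PIV key type and
# build the CSR with a key that stays on the card (engine_pkcs11).
# Everything outside the v3_req* sections is an assumption, not from the thread.

# Template with @@..@@ placeholders. Quoted heredoc, so nothing expands here.
req_conf_template() {
    cat <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions = v3_req@@TYPE@@
prompt = no

[ req_dn ]
commonName = @@CN@@

[ v3_req9A ]
# login (PIV 9A): the UPN goes into the SAN, as in Douglas's template
subjectAltName = otherName:msUPN;UTF8:@@UPN@@

[ v3_req9C ]
# signed email (PIV 9C)
keyUsage = critical, nonRepudiation, digitalSignature
subjectAltName = email:@@EMAIL@@

[ v3_req9D ]
# encryption (PIV 9D)
keyUsage = critical, keyEncipherment
subjectAltName = email:@@EMAIL@@
EOF
}

# render_req_conf TYPE CN UPN EMAIL: substitute the placeholders with sed.
# TYPE must name an existing v3_req section, so reject anything else up front.
render_req_conf() {
    case $1 in
        9A|9C|9D) ;;
        *) echo "render_req_conf: unknown key type '$1' (want 9A, 9C or 9D)" >&2; return 1 ;;
    esac
    req_conf_template | sed \
        -e "s|@@TYPE@@|$1|g" \
        -e "s|@@CN@@|$2|g" \
        -e "s|@@UPN@@|$3|g" \
        -e "s|@@EMAIL@@|$4|g"
}

# make_csr TYPE CN UPN EMAIL OUT: write the rendered config and have openssl
# sign the request with the on-card key through engine_pkcs11. KEY_ID is an
# assumed variable; "slot_01" is the key reference Matt's command used.
# This needs a card and reader, so the tests below do not call it.
make_csr() {
    conf="req_$1.conf"
    render_req_conf "$1" "$2" "$3" "$4" > "$conf" || return 1
    openssl req -config "$conf" -engine pkcs11 -keyform engine \
        -key "${KEY_ID:-slot_01}" -new -out "$5"
}
```

Usage: `make_csr 9A user.example.com user@example.com user@example.com req.pem`, then submit req.pem to the CA as in step 3 of Douglas's procedure. Because `prompt = no` is set, the subject comes entirely from the rendered `[ req_dn ]` section, so the `-subj` option is not needed.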
From: Vincent Le T. <vin...@my...> - 2015-10-03 17:40:10
Yes, it is a possibility. What are certutil -scinfo / pkcs15-tool -D returning?

2015-10-03 19:01 GMT+02:00 Kenneth Benson <pho...@gm...>:
> One thing I've noticed from other drivers/programs using certs being put on cards is they almost always want it in the DER internal format. If the cert you put on the card was PEM format, it might not be being read correctly. A possibility?
>
> Kenneth Benson

--
Vincent Le Toux

My Smart Logon
www.mysmartlogon.com
From: Douglas E E. <dee...@gm...> - 2015-10-03 21:07:03
|
Possible, but not very likely, as there usually are some checks for the ASN.1 encoding of at least the length of the cert. For PKCS#15 cards, additional information such as the subject may be extracted from the cert and written to separate files.

I suggested trying to read the certificate from the card. I meant using pkcs11-tool, pkcs15-tool or the vendor tool that wrote the certificate. The issue is Windows (and the minidriver) can not find the certificate.

Using OpenSC on Linux to read the certificate would also help, as well as an OpenSC debug log.

On 10/3/2015 12:01 PM, Kenneth Benson wrote:
> One thing I've noticed from other drivers/programs using certs being put on cards is they almost always want it in the DER internal format. If the cert you put on the card was PEM format, it might not be being read correctly. A possibility?
>
> Kenneth Benson

--
Douglas E. Engert <DEE...@gm...>
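Kenneth's DER-versus-PEM suggestion and Douglas's remark about the ASN.1 length check, as an added example that is not code from this thread or from OpenSC: a few shell functions that classify a certificate file, strip PEM armor down to DER, and verify that the outer SEQUENCE length agrees with the file size, which is the cheap structural check a card or middleware can apply before accepting a certificate object. The sample files are constructed (a five-byte DER SEQUENCE, not a real certificate), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSC): PEM vs DER classification
# and the outer ASN.1 length check a card tool would apply before storing a cert.

# cert_format FILE: "PEM" if the PEM armor is present, "DER" if the first
# byte is the ASN.1 SEQUENCE tag 0x30 (48 decimal), else "unknown".
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tu1 | tr -d ' ')" = 48 ]; then
        echo DER
    else
        echo unknown
    fi
}

# pem_to_der IN OUT: drop the armor lines and base64-decode the body.
pem_to_der() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '/^-----/d' | tr -d '\r\n' | base64 -d > "$2"
}

# der_length_ok FILE: true when the file is exactly one SEQUENCE, i.e. the
# header's encoded length plus the header itself equals the file size.
# Handles short-form (< 128) and long-form (0x81..0x84) length encodings.
der_length_ok() {
    size=$(( $(wc -c < "$1") ))
    set -- $(head -c 6 "$1" | od -An -tu1)    # decimal byte values b1 b2 ...
    [ "${1:-0}" -eq 48 ] || return 1          # 0x30 = SEQUENCE
    if [ "${2:-0}" -lt 128 ]; then
        len=${2:-0}
        hlen=2
    else
        n=$(( $2 - 128 ))                     # number of length octets
        [ "$n" -ge 1 ] && [ "$n" -le 4 ] || return 1
        hlen=$(( 2 + n ))
        len=0
        shift 2
        while [ "$n" -gt 0 ]; do
            len=$(( len * 256 + ${1:-0} ))    # missing octets count as 0
            shift
            n=$(( n - 1 ))
        done
    fi
    [ $(( hlen + len )) -eq "$size" ]
}

# write_samples DIR: constructed inputs. 30 03 02 01 05 is a SEQUENCE holding
# INTEGER 5 -- structurally valid DER, not a real certificate.
write_samples() {
    printf '\060\003\002\001\005' > "$1/good.der"
    printf '\060\003\002\001' > "$1/truncated.der"        # claims 3 bytes, has 2
    printf '\060\201\003\002\001\005' > "$1/longform.der"  # same, 0x81 length form
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MAMCAQU=' \
        '-----END CERTIFICATE-----' > "$1/good.pem"       # base64 of good.der
}
```

Usage: `cert_format cert.pem` and, if it says PEM, `pem_to_der cert.pem cert.der && der_length_ok cert.der` before writing cert.der to the card. A file that fails der_length_ok is the kind of object a card-side length check would reject and a middleware would silently skip.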
From: Douglas E E. <dee...@gm...> - 2015-10-03 21:41:07
Going back to this first e-mail:

What GitHub wiki page?

What commands did you use to initialize the card?

If running on a Windows 64 bit machine, did you install both the 64 bit and 32 bit version of OpenSC?

Can you use any of the OpenSC tools, pkcs11-tool or pkcs15-tool, to see if a key was generated and a cert loaded?
Note for PKCS#11 the ID of the cert, public key (if any) and certificate should be the same.

Can you post the certificate to the mailing list?

Do you have a Linux system to try running OpenSC?

On 9/29/2015 2:58 AM, Matt Campbell wrote:
> When I attempt to enroll a user for a smart card login certificate, Windows tells me that the smart card is read-only[1]. I'm running Windows Server 2012 R2 and OpenSC 0.15.0g20150914124137 with a Smartcard-HSM card and Identiv/SCM Microsystems SCR331 card reader. I've initialized it per the instructions on the GitHub wiki. Any help is appreciated.
>
> [1] http://i.coreduo.me.uk/U4FuFqe.png

--
Douglas E. Engert <DEE...@gm...>
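Douglas's note that the certificate and key objects must share one PKCS#11 ID, as an added example that is not code from this thread or from OpenSC: an awk filter over `pkcs11-tool --list-objects` output that reports every certificate object whose ID has no private key object behind it, which is one concrete way a certificate ends up "not associated to a key pair" as Vincent put it. The object listing is constructed to resemble pkcs11-tool's format rather than captured from a card; check_card_ids and the OPENSC_PKCS11 module path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSC): find certificate objects
# on a PKCS#11 token that have no private key object with the same ID.

# Constructed listing in the shape of `pkcs11-tool --login --list-objects`
# output; not captured from a real card. ID 01 is a complete triple, the
# certificate with ID 02 has no private key behind it.
sample_objects() {
    cat <<'EOF'
Private Key Object; RSA
  label:      Login Key
  ID:         01
  Usage:      decrypt, sign
Public Key Object; RSA 2048 bits
  label:      Login Key
  ID:         01
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      Login Certificate
  ID:         01
Certificate Object; type = X.509 cert
  label:      Orphaned Certificate
  ID:         02
EOF
}

# orphaned_cert_ids: read a listing on stdin; print, sorted, the ID of each
# certificate object lacking a private key with that ID. Returns 1 when any
# orphan exists so the function can gate a provisioning script.
orphaned_cert_ids() {
    orphans=$(awk '
        /^Private Key Object/ { kind = "key";  next }
        /^Public Key Object/  { kind = "pub";  next }
        /^Certificate Object/ { kind = "cert"; next }
        /^ +ID:/ {
            if (kind == "key")  keys[$2] = 1
            if (kind == "cert") certs[$2] = 1
        }
        END { for (id in certs) if (!(id in keys)) print id }')
    [ -n "$orphans" ] || return 0
    printf '%s\n' "$orphans" | sort
    return 1
}

# check_card_ids: the same check against a real token. The module path is an
# assumption; point OPENSC_PKCS11 at opensc-pkcs11.so on your system. --login
# matters because private key objects are normally only listed after the PIN.
check_card_ids() {
    pkcs11-tool --module "${OPENSC_PKCS11:-/usr/lib/opensc-pkcs11.so}" \
        --login --list-objects | orphaned_cert_ids
}
```

Usage: `check_card_ids || echo "certificate(s) without a key on the card"`. An empty result with exit status 0 means every certificate object on the token is paired, which is the state the minidriver needs before it will offer a certificate for logon.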