Re: Certificate format for PKINIT to Windows?
G'day,
Luke Howard wrote:
> Do you have the smartcard logon EKU in the certificate? Only the
> Enterprise Edition of Windows 2003 supports modifying the CA
> templates, which you need to do in order to create certificates
> with exportable private keys _and_ the smartcard logon EKU.
>
> Active Directory uses the UPN subjectAltName extension for mapping
> certificates to accounts, although as I recall you can do it with
> the altSecurityIdentities attribute in the directory.
I just figured that out a little while ago. I created a new certificate
template based on Smart Card Logon, with private key marked as
exportable, and including the UPN. This allowed me to perform a kinit:
$ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem geoffree@SC.VAS
$ klist
Credentials cache: /tmp/krb5cc_1060
Default principal: geoffree@SC.VAS, 1 entry found.
[1] Service Principal: krbtgt/SC.VAS@SC.VAS
Valid starting: Jun 10, 2005 02:15
Expires: Jun 10, 2005 12:15
I'll try to write up some proper documentation for this and post it here
soon.
Thanks,
-- Geoff