Re: Certificate format for PKINIT to Windows?


Luke Howard wrote:
> Do you have the smartcard logon EKU in the certificate? Only the
> Enterprise Edition of Windows 2003 supports modifying the CA
> templates, which you need to do in order to create certificates
> with exportable private keys _and_ the smartcard logon EKU.
> Active Directory uses the UPN subjectAltName extension for mapping
> certificates to accounts, although as I recall you can do it with
> the altSecurityIdentities attribute in the directory.

I just figured that out a little while ago. I created a new certificate 
template based on Smart Card Logon, with private key marked as 
exportable, and including the UPN. This allowed me to perform a kinit:

$ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem

$ klist

Credentials cache: /tmp/krb5cc_1060

Default principal: geoffree@SC.VAS, 1 entry found.

[1]  Service Principal:  krbtgt/SC.VAS@SC.VAS
      Valid starting:  Jun 10, 2005 02:15
      Expires:         Jun 10, 2005 12:15

I'll try to write up some proper documentation for this and post it here.

-- Geoff
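The two things the exchange above says Windows needs in the client certificate, the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2) and a UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) in subjectAltName, can be verified before trying kinit. The following is an added example, not code from this thread or from Heimdal: a standard-library-only DER walker that reports both items for a certificate given as DER bytes (for a real cert, feed it the output of `openssl x509 -in geoffree.cert.pem -outform DER`). The `build_sample_extensions` helper only constructs test data shaped like a Smart Card Logon template's extensions so the check runs offline; it is not a real certificate.

```python
"""Check a PKINIT client cert for the Smart Card Logon EKU and a UPN otherName.

Added example (not from the original thread). Stdlib only; walks DER and finds
X.509 Extension structures wherever they sit in a certificate.
"""

OID_EKU = "2.5.29.37"                     # id-ce-extKeyUsage
OID_SAN = "2.5.29.17"                     # id-ce-subjectAltName
OID_MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_MS_UPN = "1.3.6.1.4.1.311.20.2.3"

TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING, TAG_UTF8 = 0x30, 0x06, 0x04, 0x0C
TAG_CTX0_CONS = 0xA0  # [0] constructed: otherName GeneralName and its EXPLICIT value


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def decode_oid(raw):
    """Turn DER OID contents into dotted form."""
    first, rest = divmod(raw[0], 40)
    arcs, acc = [first, rest], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _find_extensions(buf):
    """Yield (extnID, extnValue) for every Extension ::= SEQUENCE {OID, [BOOLEAN], OCTET STRING}."""
    for tag, value in _children(buf):
        if tag == TAG_SEQUENCE:
            kids = list(_children(value))
            if kids and kids[0][0] == TAG_OID and kids[-1][0] == TAG_OCTET_STRING:
                yield decode_oid(kids[0][1]), kids[-1][1]
                continue
        if tag & 0x20:                       # constructed: descend (tbsCertificate, [3] extensions, ...)
            yield from _find_extensions(value)


def check_pkinit_cert(der):
    """Return {'smartcard_logon_eku': bool, 'upn': str or None} for DER certificate bytes."""
    result = {"smartcard_logon_eku": False, "upn": None}
    for oid, extn in _find_extensions(der):
        if oid == OID_EKU:                   # ExtKeyUsageSyntax ::= SEQUENCE OF OID
            _, seq, _ = _read_tlv(extn, 0)
            ekus = [decode_oid(v) for t, v in _children(seq) if t == TAG_OID]
            result["smartcard_logon_eku"] = OID_MS_SMARTCARD_LOGON in ekus
        elif oid == OID_SAN:                 # GeneralNames ::= SEQUENCE OF GeneralName
            _, names, _ = _read_tlv(extn, 0)
            for tag, other in _children(names):
                if tag != TAG_CTX0_CONS:     # otherName is GeneralName choice [0]
                    continue
                parts = list(_children(other))  # OtherName ::= SEQUENCE {type-id OID, value [0] EXPLICIT}
                if len(parts) == 2 and decode_oid(parts[0][1]) == OID_MS_UPN:
                    t, v, _ = _read_tlv(parts[1][1], 0)  # unwrap the EXPLICIT [0]
                    if t == TAG_UTF8:
                        result["upn"] = v.decode("utf-8")
    return result


def _tlv(tag, payload):
    """DER-encode tag + length + payload (payloads up to 255 bytes, enough for test data)."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + payload


def encode_oid(dotted):
    """DER-encode a dotted OID as a full TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(TAG_OID, bytes(out))


def build_sample_extensions(upn="geoffree@SC.VAS", smartcard_eku=True):
    """Constructed test data (not a real certificate): a [3] Extensions list with
    clientAuth (+ optional Smart Card Logon) EKU and a UPN otherName SAN."""
    ekus = [encode_oid("1.3.6.1.5.5.7.3.2")]            # id-kp-clientAuth
    if smartcard_eku:
        ekus.append(encode_oid(OID_MS_SMARTCARD_LOGON))
    eku_ext = _tlv(TAG_SEQUENCE, encode_oid(OID_EKU)
                   + _tlv(TAG_OCTET_STRING, _tlv(TAG_SEQUENCE, b"".join(ekus))))
    other_name = _tlv(TAG_CTX0_CONS, encode_oid(OID_MS_UPN)
                      + _tlv(TAG_CTX0_CONS, _tlv(TAG_UTF8, upn.encode("utf-8"))))
    san_ext = _tlv(TAG_SEQUENCE, encode_oid(OID_SAN)
                   + _tlv(TAG_OCTET_STRING, _tlv(TAG_SEQUENCE, other_name)))
    return _tlv(TAG_SEQUENCE, _tlv(0xA3, _tlv(TAG_SEQUENCE, eku_ext + san_ext)))


if __name__ == "__main__":
    print(check_pkinit_cert(build_sample_extensions()))
```

If the result shows `smartcard_logon_eku` False or `upn` None on a certificate issued from a copied Smart Card Logon template, the template did not carry the EKU or the UPN into the issued certificate, which is the case Luke's message describes.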