
Re: Certificate format for PKINIT to Windows?

Do you have the smartcard logon EKU in the certificate? Only the
Enterprise Edition of Windows 2003 supports modifying the CA
templates, which you need to do in order to create certificates
with exportable private keys _and_ the smartcard logon EKU.

Active Directory uses the UPN subjectAltName extension for mapping
certificates to accounts, although as I recall you can do it with
the altSecurityIdentities attribute in the directory.

-- Luke

>From: Geoffrey Elgey <geoffree@vintela.com>
>Subject: Certificate format for PKINIT to Windows?
>To: heimdal-discuss@sics.se
>Date: Fri, 10 Jun 2005 01:38:42 -0600
>
>G'day,
>
>For those who have performed a successful PKINIT to a Windows server, 
>can you provide information on the certificate values that are required 
>for authentication?
>
>For example, is an email address required? A UPN? What form does the 
>subjectAltName take, etc? I haven't found any documentation on what 
>certificate information is required for a successful PKINIT to a Windows 
>KDC.
>
>I feel I'm close to a successful Heimdal PKINIT to a Windows 2003 
>server, if I can only create the appropriate certificate and assign the 
>correct policy settings on the Windows server.
>
>Any help appreciated.
>
>-- Geoff

--
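The reply above names the two certificate fields Active Directory looks for when mapping a PKINIT client certificate to an account: the Microsoft Smartcard Logon extended key usage (OID 1.3.6.1.4.1.311.20.2.2) and a UPN carried as an otherName in subjectAltName (OID 1.3.6.1.4.1.311.20.2.3, value DER-encoded as a UTF8String). The following is an added example, not code from the thread or from Heimdal: it builds a certificate carrying exactly those extensions and provides a checker that reports whether an arbitrary certificate has them, so a cert produced by any CA can be inspected before the PKINIT attempt is debugged further. It assumes the python-cryptography library; the UPN `user@EXAMPLE.COM`, the common name and the self-signed issuer are constructed sample values.

```python
"""Added example (not from the thread): build and check an X.509 client
certificate with the Smartcard Logon EKU and a UPN subjectAltName.
Assumes python-cryptography. All names/UPNs below are constructed samples."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Published Microsoft OIDs used by Active Directory certificate mapping.
OID_SMARTCARD_LOGON_EKU = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")
OID_UPN_OTHERNAME = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def der_utf8string(s: str) -> bytes:
    """Encode the otherName value as a DER UTF8String (tag 0x0C).
    Short-form length only, which covers any realistic UPN."""
    data = s.encode("utf-8")
    if len(data) >= 128:
        raise ValueError("UPN too long for short-form DER length")
    return bytes([0x0C, len(data)]) + data


def der_utf8string_decode(der: bytes) -> str:
    """Inverse of der_utf8string; rejects anything that is not a short UTF8String."""
    if len(der) < 2 or der[0] != 0x0C or der[1] != len(der) - 2:
        raise ValueError("otherName value is not a short-form DER UTF8String")
    return der[2:].decode("utf-8")


def build_client_cert(upn: str, cn: str, with_pkinit_extensions: bool = True):
    """Self-signed client certificate (hypothetical issuer) with, optionally,
    the Smartcard Logon EKU and a UPN otherName in subjectAltName."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=False,
                key_encipherment=True, data_encipherment=False,
                key_agreement=False, key_cert_sign=False, crl_sign=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
    )
    if with_pkinit_extensions:
        builder = builder.add_extension(
            # Client auth plus the Smartcard Logon EKU the reply mentions.
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, OID_SMARTCARD_LOGON_EKU]),
            critical=False,
        ).add_extension(
            # UPN travels as otherName{type-id = UPN OID, value = UTF8String}.
            x509.SubjectAlternativeName([x509.OtherName(OID_UPN_OTHERNAME, der_utf8string(upn))]),
            critical=False,
        )
    return key, builder.sign(key, hashes.SHA256())


def check_pkinit_cert(cert: x509.Certificate) -> dict:
    """Report whether a certificate carries the Smartcard Logon EKU and a UPN SAN."""
    result = {"smartcard_logon_eku": False, "upn": None}
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        result["smartcard_logon_eku"] = OID_SMARTCARD_LOGON_EKU in eku
    except x509.ExtensionNotFound:
        pass
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        for general_name in san:
            if isinstance(general_name, x509.OtherName) and general_name.type_id == OID_UPN_OTHERNAME:
                result["upn"] = der_utf8string_decode(general_name.value)
    except x509.ExtensionNotFound:
        pass
    return result


if __name__ == "__main__":
    _, good = build_client_cert("user@EXAMPLE.COM", "user")
    _, plain = build_client_cert("user@EXAMPLE.COM", "user", with_pkinit_extensions=False)
    print(check_pkinit_cert(good))   # both fields present
    print(check_pkinit_cert(plain))  # neither present: AD has nothing to map on
```

The checker also works on a certificate loaded with `x509.load_pem_x509_certificate`, which is the useful case: run it against the certificate an actual CA issued and see whether the EKU or the UPN is what is missing. Whether the KDC will accept the certificate still depends on the issuing CA being trusted by the domain and on the CA template settings the reply describes, which no client-side check can confirm.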