[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificate format for PKINIT to Windows?

Do you have the smartcard logon EKU in the certificate? Only the
Enterprise Edition of Windows 2003 supports modifying the CA
templates, which you need to do in order to create certificates
with exportable private keys _and_ the smartcard logon EKU.

Active Directory uses the UPN subjectAltName extension for mapping
certificates to accounts, although as I recall you can do it with
the altSecurityIdentities attribute in the directory.

-- Luke

>From: Geoffrey Elgey <geoffree@vintela.com>
>Subject: Certificate format for PKINIT to Windows?
>To: heimdal-discuss@sics.se
>Date: Fri, 10 Jun 2005 01:38:42 -0600
>For those who have performed a successful PKINIT to a Windows server, 
>can you provide information on the certificate values that are required 
>for authentication?
>For example, is an email address required? A UPN? What form does the 
>subjectAltName take, etc? I haven't found any documentation on what 
>certificate information is required for a successful PKINIT to a Windows 
>I feel I'm close to a successful Heimdal PKINIT to a Windows 2003 
>server, if I can only create the appropriate certificate and assign the 
>correct policy settings on the Windows server.
>Any help appreciated.
>-- Geoff