
Re: Certificate format for PKINIT to Windows?

"Prágai, Róbert" <pragai@rubin.hu> writes:

> Hi Geoff,
>
> Sorry for this maybe offline question, but which PKCS#11 module do you
> use for PKINIT? I've tried the soft-pkcs11 module without luck, lately.

What problems are you having with the module?

Love



>
> thanks,
> Robert
>
>> G'day,
>> 
>> Luke Howard wrote:
>> 
>>> Do you have the smartcard logon EKU in the certificate? Only the
>>> Enterprise Edition of Windows 2003 supports modifying the CA
>>> templates, which you need to do in order to create certificates
>>> with exportable private keys _and_ the smartcard logon EKU.
>>>
>>> Active Directory uses the UPN subjectAltName extension for mapping
>>> certificates to accounts, although as I recall you can do it with
>>> the altSecurityIdentities attribute in the directory.
>> 
>> 
>> I just figured that out a little while ago. I created a new certificate
>> template based on Smart Card Logon, with private key marked as
>> exportable, and including the UPN. This allowed me to perform a kinit:
>> 
>> $ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem
>>   geoffree@SC.VAS
>> 
>> $ klist
>> 
>> Credentials cache: /tmp/krb5cc_1060
>> 
>> Default principal: geoffree@SC.VAS, 1 entry found.
>> 
>> [1]  Service Principal:  krbtgt/SC.VAS@SC.VAS
>>      Valid starting:  Jun 10, 2005 02:15
>>      Expires:         Jun 10, 2005 12:15
>> 
>> 
>> I'll try to write up some proper documentation for this and post it here
>> soon.
>> 
>> Thanks,
>> -- Geoff
>> 
>> 
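Geoff's kinit only started working once the certificate carried both the Smart Card Logon EKU and a UPN in subjectAltName, as Luke described. The following is an added example, not code from this thread, from Heimdal or from Microsoft: a pure-Python check that walks a certificate's DER extensions and reports whether those two properties are present. The OIDs are the published ones (Smart Card Logon EKU 1.3.6.1.4.1.311.20.2.2, UPN otherName 1.3.6.1.4.1.311.20.2.3); `extensions_from_pem`, `build_extensions` and the sample extension bytes built by the small DER encoder are assumptions of this example, constructed so that it runs offline without a real certificate.

```python
"""Added example (not from the thread or Heimdal): check that a certificate
carries the two things Luke and Geoff say AD PKINIT needs, the Smart Card
Logon EKU and a UPN subjectAltName.  Pure-Python DER walking, no third-party
modules; the sample extension block is constructed inline."""
import base64

SMARTCARD_LOGON_EKU = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon EKU
MS_UPN_OTHERNAME = "1.3.6.1.4.1.311.20.2.3"     # otherName type-id that carries the UPN
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth, the usual companion
EXT_EKU = "2.5.29.37"                           # id-ce-extKeyUsage
EXT_SAN = "2.5.29.17"                           # id-ce-subjectAltName


def _read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Yield (tag, content) for every element inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        yield tag, value


def decode_oid(raw):
    """DER OID content bytes -> dotted string."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pkinit_check(extensions_der):
    """Inspect an Extensions SEQUENCE (full TLV); return {"smartcard_logon", "upn"}."""
    result = {"smartcard_logon": False, "upn": None}
    _, exts, _ = _read_tlv(extensions_der)
    for _, ext in _children(exts):
        parts = list(_children(ext))        # extnID, optional critical BOOLEAN, extnValue
        oid, octets = decode_oid(parts[0][1]), parts[-1][1]
        _, body, _ = _read_tlv(octets)      # the SEQUENCE wrapped inside the OCTET STRING
        if oid == EXT_EKU:
            ekus = [decode_oid(v) for t, v in _children(body) if t == 0x06]
            result["smartcard_logon"] = SMARTCARD_LOGON_EKU in ekus
        elif oid == EXT_SAN:
            for gtag, gname in _children(body):
                if gtag != 0xA0:            # GeneralName otherName is [0] IMPLICIT
                    continue
                (_, type_id), (_, explicit) = list(_children(gname))[:2]
                if decode_oid(type_id) == MS_UPN_OTHERNAME:
                    _, utf8 = next(_children(explicit))   # value is [0] EXPLICIT UTF8String
                    result["upn"] = utf8.decode("utf-8")
    return result


def extensions_from_pem(pem_text):
    """Extensions SEQUENCE of a PEM certificate (assumed helper: walks
    Certificate -> TBSCertificate -> extensions [3])."""
    b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    _, cert, _ = _read_tlv(base64.b64decode(b64))
    _, tbs, _ = _read_tlv(cert)
    for tag, value in _children(tbs):
        if tag == 0xA3:
            return value
    raise ValueError("certificate has no extensions")


# ---- constructed sample input: a minimal DER encoder so the check runs offline ----

def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Dotted string -> DER OID TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_extensions(ekus, upn=None):
    """Constructed sample: an Extensions SEQUENCE like a CA template would emit."""
    eku = _der(0x30, b"".join(encode_oid(o) for o in ekus))
    exts = [_der(0x30, encode_oid(EXT_EKU) + _der(0x04, eku))]
    if upn is not None:
        other_name = _der(0xA0, encode_oid(MS_UPN_OTHERNAME)
                          + _der(0xA0, _der(0x0C, upn.encode("utf-8"))))
        exts.append(_der(0x30, encode_oid(EXT_SAN) + _der(0x04, _der(0x30, other_name))))
    return _der(0x30, b"".join(exts))


if __name__ == "__main__":
    good = build_extensions([CLIENT_AUTH_EKU, SMARTCARD_LOGON_EKU], "geoffree@SC.VAS")
    print(pkinit_check(good))                                  # both requirements satisfied
    print(pkinit_check(build_extensions([CLIENT_AUTH_EKU])))   # plain client-auth cert: fails
```

Against a real certificate, `pkinit_check(extensions_from_pem(open("geoffree.cert.pem").read()))` answers the question Luke raised before any kinit attempt: a template that only issues client-authentication certificates yields `smartcard_logon: False` and `upn: None`, which is the case the AD KDC rejects.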
