Re: Certificate format for PKINIT to Windows?

[Geoffrey Elgey <geoffree@vintela.com>]

G'day,

Luke Howard wrote:
> Do you have the smartcard logon EKU in the certificate? Only the
> Enterprise Edition of Windows 2003 supports modifying the CA
> templates, which you need to do in order to create certificates
> with exportable private keys _and_ the smartcard logon EKU.
> 
> Active Directory uses the UPN subjectAltName extension for mapping
> certificates to accounts, although as I recall you can do it with
> the altSecurityIdentities attribute in the directory.

I just figured that out a little while ago. I created a new certificate 
template based on Smart Card Logon, with private key marked as 
exportable, and including the UPN. This allowed me to perform a kinit:

$ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem
   geoffree@SC.VAS

$ klist

Credentials cache: /tmp/krb5cc_1060

Default principal: geoffree@SC.VAS, 1 entry found.

[1]  Service Principal:  krbtgt/SC.VAS@SC.VAS
      Valid starting:  Jun 10, 2005 02:15
      Expires:         Jun 10, 2005 12:15


I'll try to write up some proper documentation for this and post it here 
soon.

Thanks,
-- Geoff