
Re: Certificate format for PKINIT to Windows?



Hi Geoff,

Sorry for this maybe offline question, but which PKCS#11 module do you
use for PKINIT? I've tried the soft-pkcs11 module without luck lately.

Thanks,
Robert

> G'day,
> 
> Luke Howard wrote:
> 
>> Do you have the smartcard logon EKU in the certificate? Only the
>> Enterprise Edition of Windows 2003 supports modifying the CA
>> templates, which you need to do in order to create certificates
>> with exportable private keys _and_ the smartcard logon EKU.
>>
>> Active Directory uses the UPN subjectAltName extension for mapping
>> certificates to accounts, although as I recall you can do it with
>> the altSecurityIdentities attribute in the directory.
> 
> 
> I just figured that out a little while ago. I created a new certificate
> template based on Smart Card Logon, with private key marked as
> exportable, and including the UPN. This allowed me to perform a kinit:
> 
> $ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem
>   geoffree@SC.VAS
> 
> $ klist
> 
> Credentials cache: /tmp/krb5cc_1060
> 
> Default principal: geoffree@SC.VAS, 1 entry found.
> 
> [1]  Service Principal:  krbtgt/SC.VAS@SC.VAS
>      Valid starting:  Jun 10, 2005 02:15
>      Expires:         Jun 10, 2005 12:15
> 
> 
> I'll try to write up some proper documentation for this and post it here
> soon.
> 
> Thanks,
> -- Geoff
> 
>
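For anyone reproducing Geoff's setup, here is an added example (not from the original thread, and not Heimdal's or Microsoft's code) that checks a DER-encoded certificate for the two properties Luke and Geoff identify as required for PKINIT against Active Directory: the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2) and a UPN otherName in subjectAltName (OID 1.3.6.1.4.1.311.20.2.3). It uses a small hand-written DER walker so it runs with no extra libraries. The sample certificate it builds is a constructed skeleton containing only the fields the walker needs (it is not a valid certificate), and the UPN value geoffree@sc.vas is assumed.

```python
"""Check a DER certificate for the extensions AD PKINIT/smartcard logon expects.

Added example, not part of the original mailing-list thread. The DER
parser below handles only single-byte tags, which covers all of X.509.
"""
import sys


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (used to build the constructed sample)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def oid(dotted: str) -> bytes:
    """Encode a dotted OID as a complete OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(enc))
    return der(0x06, bytes(body))


# OIDs from the Microsoft and PKIX registries.
SMARTCARD_LOGON = oid("1.3.6.1.4.1.311.20.2.2")  # szOID_KP_SMARTCARD_LOGON
UPN = oid("1.3.6.1.4.1.311.20.2.3")              # szOID_NT_PRINCIPAL_NAME
CLIENT_AUTH = oid("1.3.6.1.5.5.7.3.2")           # id-kp-clientAuth
EXT_EKU = oid("2.5.29.37")                       # extKeyUsage
EXT_SAN = oid("2.5.29.17")                       # subjectAltName


def tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(value: bytes):
    """Decode all TLVs packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out


def cert_extensions(cert_der: bytes) -> bytes:
    """Return the Extensions SEQUENCE TLV from a Certificate's tbsCertificate."""
    _, cert, _ = tlv(cert_der)                 # Certificate ::= SEQUENCE
    tbs = children(cert)[0][1]                 # tbsCertificate body
    for tag, val in children(tbs):
        if tag == 0xA3:                        # extensions [3] EXPLICIT
            return val
    raise ValueError("certificate has no extensions")


def pkinit_check(ext_seq: bytes) -> dict:
    """Report the Smart Card Logon / Client Auth EKUs and the UPN SAN, if any."""
    result = {"smartcard_logon": False, "client_auth": False, "upn": None}
    _, exts, _ = tlv(ext_seq)
    for _, ext in children(exts):
        parts = children(ext)                  # OID, [critical BOOLEAN], OCTET STRING
        ext_oid, value = der(*parts[0]), parts[-1][1]
        if ext_oid == EXT_EKU:
            _, usages, _ = tlv(value)          # SEQUENCE OF KeyPurposeId
            for tag, val in children(usages):
                if der(tag, val) == SMARTCARD_LOGON:
                    result["smartcard_logon"] = True
                elif der(tag, val) == CLIENT_AUTH:
                    result["client_auth"] = True
        elif ext_oid == EXT_SAN:
            _, names, _ = tlv(value)           # SEQUENCE OF GeneralName
            for tag, val in children(names):
                if tag != 0xA0:                # otherName [0] IMPLICIT
                    continue
                type_id, inner = children(val)   # type-id OID, value [0] EXPLICIT
                if der(*type_id) == UPN:
                    _, s, _ = tlv(inner[1])    # UTF8String carrying the UPN
                    result["upn"] = s.decode("utf-8")
    return result


def sample_cert(upn: str, with_smartcard_eku: bool = True) -> bytes:
    """Constructed skeleton: only version, serial and extensions, NOT a valid cert."""
    usages = [CLIENT_AUTH] + ([SMARTCARD_LOGON] if with_smartcard_eku else [])
    eku = der(0x30, EXT_EKU + der(0x04, der(0x30, b"".join(usages))))
    other_name = der(0xA0, UPN + der(0xA0, der(0x0C, upn.encode("utf-8"))))
    san = der(0x30, EXT_SAN + der(0x04, der(0x30, other_name)))
    exts = der(0xA3, der(0x30, eku + san))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + exts)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


if __name__ == "__main__":
    # Usage: python pkinit_check.py cert.der   (no argument: run on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert("geoffree@sc.vas")
    print(pkinit_check(cert_extensions(data)))
```

To run it against the PEM file Geoff passes to kinit, convert it first with `openssl x509 -in geoffree.cert.pem -outform DER -out geoffree.cert.der`. Note that the check can only see what is in the certificate: whether the private key was marked exportable is a property of the CA template and key store, not of the certificate, so a passing result here says nothing about that part of Luke's point.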