Re: Smartcard Enrollment Agents

From: Brian Komar (bkomar_at_nospam.komarconsulting.com)
Date: 07/10/04


Date: Sat, 10 Jul 2004 15:51:48 -0500

In article <Ox9JQt$YEHA.3716@TK2MSFTNGP11.phx.gbl>, beuermann@rissoft.de
says...
> Hi NG,
>
> I hope you can help me. I have installed a CA on Windows Server 2003
> Enterprise Edition. I want to enroll certificates for other users as an
> enrollment agent. The enrollment agent certificate is installed on my own
> smartcard. I go to the certsrv website > click request a certificate >
> advanced certificate request > request a certificate for a smart card on
> behalf of.... > select the certificate template, the ca, the CSP (Smart Card
> CSP) > signing certificate > user to enroll > and click enroll. At this time
> an error message occurs:
>
> Cannot find the administrator signing smart card. Please insert the
> administrator smart card.
>
> But the admin signing smartcard is inserted. What is wrong???
>
> Denis
>
>
>
If you place the enrollment agent certificate on a smart card, the
smart card holding the enrollment agent certificate *must* use a
different CSP than the smart card certificate being requested. What
happens if the enrollment agent certificate is stored in the user's
profile, rather than on a smart card?

The other possibility is that the enrollment agent certificate does not
have the Certificate Request Agent oid in either the application policy
or EKU extension. The enrollment web pages are hard coded to require a
certificate with the correct OID.

Finally, if the smart card is not also an authentication certificate,
the computer may not know of its existence, and will not be looking at
the smart card reader. By creating a custom v2 certificate that includes
the following application policy OIDs, you can log on with the smart
card and then sign enrollment requests for other smart cards:
- client authentication
- smart card logon
- certificate request agent.

HTH,
Brian
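An added check, not part of the original post: decode the DER-encoded Extended Key Usage (or application policy) extension value of a certificate and report which of the three OIDs Brian lists are missing. The numeric OIDs are the well-known Microsoft and PKIX assignments; the sample EKU values are constructed by the block itself, and the minimal DER routines assume short-form lengths and OIDs whose first arc is 0 or 1.

```python
# Added example (not from the original post). Minimal DER encode/decode
# of an ExtKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER), used to check
# that an enrollment agent certificate carries the OIDs the reply lists.
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"    # Smart Card Logon
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"              # Client Authentication
REQUIRED = {CLIENT_AUTH, SMART_CARD_LOGON, CERT_REQUEST_AGENT}


def encode_oid(dotted: str) -> bytes:
    # Base-128 arcs, first two arcs packed into one byte; short-form length only
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    assert len(out) < 0x80, "short-form length assumed"
    return b"\x06" + bytes([len(out)]) + bytes(out)


def encode_eku(oids) -> bytes:
    body = b"".join(encode_oid(o) for o in oids)
    assert len(body) < 0x80, "short-form length assumed"
    return b"\x30" + bytes([len(body)]) + body


def decode_eku(der: bytes) -> list:
    # Walk the SEQUENCE and turn each OBJECT IDENTIFIER back into dotted form
    assert der[0] == 0x30 and der[1] < 0x80, "expected short-form SEQUENCE"
    i, end, oids = 2, 2 + der[1], []
    while i < end:
        assert der[i] == 0x06, "expected OBJECT IDENTIFIER"
        n, i = der[i + 1], i + 2
        body, i = der[i:i + n], i + n
        arcs, val = [body[0] // 40, body[0] % 40], 0  # first arc 0 or 1 assumed
        for b in body[1:]:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(val)
                val = 0
        oids.append(".".join(map(str, arcs)))
    return oids


def missing_oids(eku_der: bytes) -> set:
    # OIDs the reply requires that this EKU value does not carry
    return REQUIRED - set(decode_eku(eku_der))


# Constructed samples: a card that can only log on, and a full agent card
LOGON_ONLY_EKU = encode_eku([CLIENT_AUTH, SMART_CARD_LOGON])
AGENT_EKU = encode_eku([CLIENT_AUTH, SMART_CARD_LOGON, CERT_REQUEST_AGENT])
```

A certificate whose EKU decodes like LOGON_ONLY_EKU is exactly the case the reply describes: the web pages will not accept it as a signing certificate until the Certificate Request Agent OID is present.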
