Re: Certificate attributes for Smart Card Logon

Thanks Brian.

unfortunately, as far as I know if you have the "Secure Email" application
Policy set, a certificate by default may not just be used for email
signature but also email encryption (Microsoft makes no difference)! This is
not what we are looking for --> we "try" have two different keypairs on the
smart card with the following purposes/application policies:

encryption keypair
- S/MIME (encryption only)
- Encrypting File System

authentication&signature keypair
- S/MIME (signature only)
- Client Authentication
- Smartcard Logon

I have to use the purpose "Signature" in the "Request Handling" tab for the
authentication&signature keypair due to our token management system, for
which the "Enroll subject without requiring any user input" field must be
selected. The "Application Policies" extensions then shows the 3 application
policies mentioned above. But then, the key usage settings "allow key
exchange only with key encryption (key encipherment)" is not selectable.
This is OK for secure email, because S/MIME encryption will not word with
this keypair (S/MIME signature will work).

Question: For smartcard logon, is it a must to select "allow key exchange
only with key encryption (key encipherment)"? If yes, then we have a problem
with the approach mentioned above...
Reason for the question: both default templates "smartcard logon" and
"smartcard user" have this setting set to on... However, I tested it in my
lab with a certificate template like the one mentioned above and see,
smartcard logon did work without the setting "allow key exchange only with
key encryption (key encipherment)". Is it just a coincidence?

Thanks, Chris



"Brian Komar (MVP)" <brian.komar@xxxxxxxxxxxxxxxxx> schrieb im Newsbeitrag
news:CCC07803-6BA7-4EFF-8241-CBD6D65E8BEF@xxxxxxxxxxxxxxxx
Just ensure that on the Request Handling tab that the Purpose is set to
Signature and Smartcard logon (rather than Signature and Encryption).
If you enable the Smart Card Logon, Client Authentication, and Secure
Email application Policies, this ensure that the smart card cannot be used
for actual encryption.
Brian

"Aumy" <nospam@xxxxxxxxxxxx> wrote in message
news:%23BYKMlVdJHA.5648@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I set up smart card logon to my windows 2003 domain for XP clients. I use
a AD-integrated Microsoft Enterprise CA 2003 as issuing CA. My domain
controllers each already have their own certificates.

Question: the default certificate templates "smartcard logon" and
"smartcard user" both have the key usage settings "digital signature" and
"allow key exchange only with key encryption (key encipherment)" set.
However, the knowledge base article
http://support.microsoft.com/default.aspx?scid=kb;en-us;281245 explains
that smart card certificates only need the "digital signature" key usage
attribute. But further down, the article also says that "...Smartcard
logon certificates must have a Key Exchange(AT_KEYEXCHANGE) private key
type...".

However, I tested both with and without "allow key exchange only with key
encryption (key encipherment)" set and both types of certificates work
for smart card logon!

So is there anybody out there who can tell me if smart card logon
certificates necessarily need the "key encipherment" attribute?

Thanks,
Chris

PS: we intend to use the same certificate for S/MIME signing (but not
encryption). So if "key encipherment" is set, this certificates can
unfortunately also be used for S/MIME encryption. So it would be nice if
smart card logon reliably works without the "key encipherment"
attribute...




.

Relevant Pages

  • Re: Certificate attributes for Smart Card Logon
    ... email signature but also email encryption (Microsoft makes no ... "allow key exchange only with key encryption (key encipherment)" is not ... These are V1 multipurpose certificates. ... If you enable the Smart Card Logon, Client Authentication, and Secure ...
    (microsoft.public.windows.server.security)
  • Re: Certificate attributes for Smart Card Logon
    ... unfortunately, as far as I know if you have the "Secure Email" application Policy set, a certificate by default may not just be used for email signature but also email encryption! ... If you enable the Smart Card Logon, Client Authentication, and Secure Email application Policies, this ensure that the smart card cannot be used for actual encryption. ... My domain controllers each already have their own certificates. ...
    (microsoft.public.windows.server.security)
  • Certificate attributes for Smart Card Logon
    ... I set up smart card logon to my windows 2003 domain for XP clients. ... controllers each already have their own certificates. ... exchange only with key encryption (key encipherment)" set. ...
    (microsoft.public.windows.server.security)
  • Re: Certificate attributes for Smart Card Logon
    ... Just ensure that on the Request Handling tab that the Purpose is set to Signature and Smartcard logon. ... If you enable the Smart Card Logon, Client Authentication, and Secure Email application Policies, this ensure that the smart card cannot be used for actual encryption. ... My domain controllers each already have their own certificates. ...
    (microsoft.public.windows.server.security)
  • Re: Using Certificates for avoid piracy?
    ... I guess you are referring to the fact that many X.509 certificates ... contain a RSA public key that can be used for public key encryption, ... The PE file format allows a special signature to ...
    (borland.public.delphi.non-technical)
Loading