Re: Certificate attributes for Smart Card Logon

Answers inline...

"Aumy" <nospam@xxxxxxxxxxxx> wrote in message news:ugi%23lgjdJHA.4412@xxxxxxxxxxxxxxxxxxxxxxx
Thanks Brian.

Unfortunately, as far as I know, if you have the "Secure Email" application policy set, a certificate by default may be used not just for email signature but also for email encryption (Microsoft makes no distinction)! This is not what we are looking for --> we "try" to have two different keypairs on the smart card with the following purposes/application policies:

encryption keypair
- S/MIME (encryption only)
- Encrypting File System

authentication&signature keypair
- S/MIME (signature only)
- Client Authentication
- Smartcard Logon

I have to use the purpose "Signature" in the "Request Handling" tab for the authentication&signature keypair due to our token management system, for which the "Enroll subject without requiring any user input" field must be selected. The "Application Policies" extension then shows the 3 application policies mentioned above. But then, the key usage setting "allow key exchange only with key encryption (key encipherment)" is not selectable. This is OK for secure email, because S/MIME encryption will not work with this keypair (S/MIME signature will work).

Well, this is a problem with your Token Management System then. You should really take this up with them and not blame the MS PKI <G>.


Question: For smartcard logon, is it a must to select "allow key exchange only with key encryption (key encipherment)"? If yes, then we have a problem with the approach mentioned above...

No, if you had created the certificate template as I recommended, you would see that only Digital Signature is enabled, which prevents the use of the SMIME application policy for SMIME encryption.

Reason for the question: both default templates "smartcard logon" and "smartcard user" have this setting set to on...
These are V1 multipurpose certificates.

However, I tested it in my lab with a certificate template like the one mentioned above and see, smartcard logon did work without the setting "allow key exchange only with key encryption (key encipherment)". Is it just a coincidence?

If you have tested it, then why are you asking all of these questions <G>? Without the allow key exchange option enabled, you would not be able to do SMIME encryption.

Thanks, Chris



"Brian Komar (MVP)" <brian.komar@xxxxxxxxxxxxxxxxx> wrote in message news:CCC07803-6BA7-4EFF-8241-CBD6D65E8BEF@xxxxxxxxxxxxxxxx
Just ensure that on the Request Handling tab that the Purpose is set to Signature and Smartcard logon (rather than Signature and Encryption).
If you enable the Smart Card Logon, Client Authentication, and Secure Email application policies, this ensures that the smart card cannot be used for actual encryption.
Brian

"Aumy" <nospam@xxxxxxxxxxxx> wrote in message news:%23BYKMlVdJHA.5648@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I set up smart card logon to my Windows 2003 domain for XP clients. I use an AD-integrated Microsoft Enterprise CA 2003 as issuing CA. My domain controllers each already have their own certificates.

Question: the default certificate templates "smartcard logon" and "smartcard user" both have the key usage settings "digital signature" and "allow key exchange only with key encryption (key encipherment)" set. However, the knowledge base article http://support.microsoft.com/default.aspx?scid=kb;en-us;281245 explains that smart card certificates only need the "digital signature" key usage attribute. But further down, the article also says that "...Smartcard logon certificates must have a Key Exchange(AT_KEYEXCHANGE) private key type...".

However, I tested both with and without "allow key exchange only with key encryption (key encipherment)" set and both types of certificates work for smart card logon!

So is there anybody out there who can tell me if smart card logon certificates necessarily need the "key encipherment" attribute?

Thanks,
Chris

PS: we intend to use the same certificate for S/MIME signing (but not encryption). So if "key encipherment" is set, these certificates can unfortunately also be used for S/MIME encryption. So it would be nice if smart card logon reliably works without the "key encipherment" attribute...
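A quick way to verify what the template actually issued, as an added example that is not part of this thread: the script below inspects certificates in the current user's store and reports whether each one matches the "signature-only" design discussed above (Digital Signature set, Key Encipherment not set, and the Smart Card Logon, Client Authentication and Secure Email EKUs present). The store path and the output property names are assumptions; the OIDs are the standard Microsoft/PKIX values.

```powershell
# Added example, not from the thread: audit issued certificates against the
# "signature-only" smart card design. A cert that carries the Secure Email EKU
# together with Key Encipherment is usable for S/MIME encryption, which is the
# situation the thread wants to avoid for the logon/signature keypair.
using namespace System.Security.Cryptography.X509Certificates

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # PKIX Client Authentication EKU
$SecureEmailOid    = '1.3.6.1.5.5.7.3.4'        # PKIX Secure Email (S/MIME) EKU

function Test-SignatureOnlyLogonCert {
    param([X509Certificate2]$Cert)

    # Pull the Key Usage and Enhanced Key Usage extensions, if present.
    $ku  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }

    $flags = if ($ku) { $ku.KeyUsages } else { [X509KeyUsageFlags]::None }
    $oids  = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    $hasDigSig  = [bool]($flags -band [X509KeyUsageFlags]::DigitalSignature)
    $hasKeyEnc  = [bool]($flags -band [X509KeyUsageFlags]::KeyEncipherment)
    $hasSecMail = $oids -contains $SecureEmailOid

    [pscustomobject]@{
        Subject          = $Cert.Subject
        DigitalSignature = $hasDigSig
        KeyEncipherment  = $hasKeyEnc
        SmartCardLogon   = $oids -contains $SmartCardLogonOid
        ClientAuth       = $oids -contains $ClientAuthOid
        SecureEmail      = $hasSecMail
        # True only when the cert can sign but cannot be used for key transport.
        SignatureOnly    = $hasDigSig -and -not $hasKeyEnc
        # Flags the combination that allows S/MIME encryption with this key.
        SmimeEncryptOk   = $hasSecMail -and $hasKeyEnc
    }
}

# Assumed location: the user's personal store, where smart card certs are propagated.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-SignatureOnlyLogonCert -Cert $_ } |
    Format-Table Subject, DigitalSignature, KeyEncipherment, SmartCardLogon, ClientAuth, SecureEmail, SignatureOnly, SmimeEncryptOk -AutoSize
```

Run it against a card enrolled from the template in question: the logon/signature keypair should show SignatureOnly = True and SmimeEncryptOk = False, while the separate encryption keypair is expected to show KeyEncipherment = True.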
