Certificate attributes for Smart Card Logon

> Hi,
> I set up smart card logon to my windows 2003 domain for XP clients. I use
> a AD-integrated Microsoft Enterprise CA 2003 as issuing CA. My domain
> controllers each already have their own certificates.
> Question: the default certificate templates "smartcard logon" and
> "smartcard user" both have the key usage settings "digital signature" and
> "allow key exchange only with key encryption (key encipherment)" set.
> However, the knowledge base article
> http://support.microsoft.com/default.aspx?scid=kb;en-us;281245 explains
> that smart card certificates only need the "digital signature" key usage
> attribute. But further down, the article also says that "...Smartcard
> logon certificates must have a Key Exchange(AT_KEYEXCHANGE) private key
> type...".
> However, I tested both with and without "allow key exchange only with key
> encryption (key encipherment)" set and both types of certificates work for
> smart card logon!
> So is there anybody out there who can tell me if smart card logon
> certificates necessarily need the "key encipherment" attribute?
> Thanks,
> Chris
> PS: we intend to use the same certificate for S/MIME signing (but not
> encryption). So if "key encipherment" is set, this certificates can
> unfortunately also be used for S/MIME encryption. So it would be nice if
> smart card logon reliably works without the "key encipherment"
> attribute...
>

not what we are looking for --> we "try" have two different keypairs on the

> Just ensure that on the Request Handling tab that the Purpose is set to
> Signature and Smartcard logon (rather than Signature and Encryption).
> If you enable the Smart Card Logon, Client Authentication, and Secure
> Email application Policies, this ensure that the smart card cannot be used
> for actual encryption.
> Brian
>> Hi,
>> I set up smart card logon to my windows 2003 domain for XP clients. I use
>> a AD-integrated Microsoft Enterprise CA 2003 as issuing CA. My domain
>> controllers each already have their own certificates.
>> Question: the default certificate templates "smartcard logon" and
>> "smartcard user" both have the key usage settings "digital signature" and
>> "allow key exchange only with key encryption (key encipherment)" set.
>> However, the knowledge base article
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;281245 explains
>> that smart card certificates only need the "digital signature" key usage
>> attribute. But further down, the article also says that "...Smartcard
>> logon certificates must have a Key Exchange(AT_KEYEXCHANGE) private key
>> type...".
>> However, I tested both with and without "allow key exchange only with key
>> encryption (key encipherment)" set and both types of certificates work
>> for smart card logon!
>> So is there anybody out there who can tell me if smart card logon
>> certificates necessarily need the "key encipherment" attribute?
>> Thanks,
>> Chris
>> PS: we intend to use the same certificate for S/MIME signing (but not
>> encryption). So if "key encipherment" is set, this certificates can
>> unfortunately also be used for S/MIME encryption. So it would be nice if
>> smart card logon reliably works without the "key encipherment"
>> attribute...
>

> Thanks Brian.
> unfortunately, as far as I know if you have the "Secure Email" application
> Policy set, a certificate by default may not just be used for email
> signature but also email encryption (Microsoft makes no difference)! This
> is not what we are looking for --> we "try" have two different keypairs on
> the smart card with the following purposes/application policies:
> encryption keypair
> - S/MIME (encryption only)
> - Encrypting File System
> authentication&signature keypair
> - S/MIME (signature only)
> - Client Authentication
> - Smartcard Logon
> I have to use the purpose "Signature" in the "Request Handling" tab for
> the authentication&signature keypair due to our token management system,
> for which the "Enroll subject without requiring any user input" field must
> be selected. The "Application Policies" extensions then shows the 3
> application policies mentioned above. But then, the key usage settings
> "allow key exchange only with key encryption (key encipherment)" is not
> selectable. This is OK for secure email, because S/MIME encryption will
> not word with this keypair (S/MIME signature will work).

really take this up with them and not blame the MS PKI <G>.

> Question: For smartcard logon, is it a must to select "allow key exchange
> only with key encryption (key encipherment)"? If yes, then we have a
> problem with the approach mentioned above...

> Reason for the question: both default templates "smartcard logon" and
> "smartcard user" have this setting set to on...

> lab with a certificate template like the one mentioned above and see,
> smartcard logon did work without the setting "allow key exchange only with
> key encryption (key encipherment)". Is it just a coincidence?

If you have tested it, then why are you asking all of these questions <G>?

> Thanks, Chris
>> Just ensure that on the Request Handling tab that the Purpose is set to
>> Signature and Smartcard logon (rather than Signature and Encryption).
>> If you enable the Smart Card Logon, Client Authentication, and Secure
>> Email application Policies, this ensure that the smart card cannot be
>> used for actual encryption.
>> Brian
>>> Hi,
>>> I set up smart card logon to my windows 2003 domain for XP clients. I
>>> use a AD-integrated Microsoft Enterprise CA 2003 as issuing CA. My
>>> domain controllers each already have their own certificates.
>>> Question: the default certificate templates "smartcard logon" and
>>> "smartcard user" both have the key usage settings "digital signature"
>>> and "allow key exchange only with key encryption (key encipherment)"
>>> set. However, the knowledge base article
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;281245 explains
>>> that smart card certificates only need the "digital signature" key usage
>>> attribute. But further down, the article also says that "...Smartcard
>>> logon certificates must have a Key Exchange(AT_KEYEXCHANGE) private key
>>> type...".
>>> However, I tested both with and without "allow key exchange only with
>>> key encryption (key encipherment)" set and both types of certificates
>>> work for smart card logon!
>>> So is there anybody out there who can tell me if smart card logon
>>> certificates necessarily need the "key encipherment" attribute?
>>> Thanks,
>>> Chris
>>> PS: we intend to use the same certificate for S/MIME signing (but not
>>> encryption). So if "key encipherment" is set, this certificates can
>>> unfortunately also be used for S/MIME encryption. So it would be nice if
>>> smart card logon reliably works without the "key encipherment"
>>> attribute...
>

> Answers inline...
>> Thanks Brian.
>> unfortunately, as far as I know if you have the "Secure Email"
>> application Policy set, a certificate by default may not just be used for
>> email signature but also email encryption (Microsoft makes no
>> difference)! This is not what we are looking for --> we "try" have two
>> different keypairs on the smart card with the following
>> purposes/application policies:
>> encryption keypair
>> - S/MIME (encryption only)
>> - Encrypting File System
>> authentication&signature keypair
>> - S/MIME (signature only)
>> - Client Authentication
>> - Smartcard Logon
>> I have to use the purpose "Signature" in the "Request Handling" tab for
>> the authentication&signature keypair due to our token management system,
>> for which the "Enroll subject without requiring any user input" field
>> must be selected. The "Application Policies" extensions then shows the 3
>> application policies mentioned above. But then, the key usage settings
>> "allow key exchange only with key encryption (key encipherment)" is not
>> selectable. This is OK for secure email, because S/MIME encryption will
>> not word with this keypair (S/MIME signature will work).
> Well, this is a problem with your Token Management System then. You should
> really take this up with them and not blame the MS PKI <G>.
>> Question: For smartcard logon, is it a must to select "allow key exchange
>> only with key encryption (key encipherment)"? If yes, then we have a
>> problem with the approach mentioned above...
> No, if you had at created the certificate template as I recommended, you
> would see that only Digital Signature is enabled, which prevents the use
> of the SMIME application policy for SMIME encryption.
>> Reason for the question: both default templates "smartcard logon" and
>> "smartcard user" have this setting set to on...
> These are V1 multipurpose certificates.
> However, I tested it in my
>> lab with a certificate template like the one mentioned above and see,
>> smartcard logon did work without the setting "allow key exchange only
>> with key encryption (key encipherment)". Is it just a coincidence?
> If you have tested it, then why are you asking all of these questions <G>?
> Without out the allow key exchange option enabled, then you would not be
> able to do SMIME encryption.
>> Thanks, Chris
>>> Just ensure that on the Request Handling tab that the Purpose is set to
>>> Signature and Smartcard logon (rather than Signature and Encryption).
>>> If you enable the Smart Card Logon, Client Authentication, and Secure
>>> Email application Policies, this ensure that the smart card cannot be
>>> used for actual encryption.
>>> Brian
>>>> Hi,
>>>> I set up smart card logon to my windows 2003 domain for XP clients. I
>>>> use a AD-integrated Microsoft Enterprise CA 2003 as issuing CA. My
>>>> domain controllers each already have their own certificates.
>>>> Question: the default certificate templates "smartcard logon" and
>>>> "smartcard user" both have the key usage settings "digital signature"
>>>> and "allow key exchange only with key encryption (key encipherment)"
>>>> set. However, the knowledge base article
>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;281245 explains
>>>> that smart card certificates only need the "digital signature" key
>>>> usage attribute. But further down, the article also says that
>>>> "...Smartcard logon certificates must have a Key
>>>> Exchange(AT_KEYEXCHANGE) private key type...".
>>>> However, I tested both with and without "allow key exchange only with
>>>> key encryption (key encipherment)" set and both types of certificates
>>>> work for smart card logon!
>>>> So is there anybody out there who can tell me if smart card logon
>>>> certificates necessarily need the "key encipherment" attribute?
>>>> Thanks,
>>>> Chris
>>>> PS: we intend to use the same certificate for S/MIME signing (but not
>>>> encryption). So if "key encipherment" is set, this certificates can
>>>> unfortunately also be used for S/MIME encryption. So it would be nice
>>>> if smart card logon reliably works without the "key encipherment"
>>>> attribute...
>