
Multiple Certs on Smartcard and Windows Smartcard Logon

Posted by DaveW on July 8, 2005, 8:01 am
I've a set of requirements that a customer has asked me to engineer a
solution for... but need some advice.

Users will have smartcards for storing multiple key pairs / certificates.
They will have as a minimum, a user non-repudiation signing key & cert, a
role (bit like a job title) non-repudiation signing key and cert and a
smartcard logon key pair and cert.

My question is... is the Windows SmartCard logon "intelligent" enough to
select the correct authentication key pair (I'm sort of guessing that it can
look in the certificates' key usage for a smartcard logon usage (OID?)).

Any advice would be extremely welcome.

Regards,

Dave


Posted by Brian Komar on July 10, 2005, 11:32 pm
DaveW@discussions.microsoft.com says...
> I've a set of requirements that a customer has asked me to engineer a
> solution for... but need some advice.
>
> Users will have smartcards for storing multiple key pairs / certificates.
> They will have as a minimum, a user non-repudiation signing key & cert, a
> role (bit like a job title) non-repudiation signing key and cert and a
> smartcard logon key pair and cert.
>
> My question is... is the Windows SmartCard logon "intelligent" enough to
> select the correct authentication key pair (I'm sort of guessing that it can
> look in the certificates' key usage for a smartcard logon usage (OID?)).
>
> Any advice would be extremely welcome.
>
> Regards,
>
> Dave
>

No. The authentication certificate and key pair must be stored on Slot 0
of the smart card. If you want a user to have a "normal" logon
certificate and a "role" logon certificate, you will have to implement
two smart cards, one for each role.

You can have multiple certificates on a smart card. For example, you
could add:
- S/MIME signing
- S/MIME encryption
- Code Signing
- Document Signing
- Key Recovery
etc. Anything except EFS encryption and EFS recovery (which are not
supported on smart cards).

In the future, there are plans to allow multiple authentication certs on
a single smart card, but that would only be in the Longhorn time frame.

Brian
--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
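An added PowerShell example (not from either poster) for auditing the point Brian makes: it lists the certificates Windows propagates from an inserted card into the user's personal store, shows which carry the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2) and which CSP key container holds their key, and warns when a card carries more than one hardware-backed logon certificate. It assumes Windows PowerShell 5.1 and a CSP-based card; CNG-only minidrivers expose the key through a different property and would show no container here.

```powershell
# Added audit example, not code from the thread. Assumes Windows PowerShell 5.1,
# the card inserted, and its certificates propagated to Cert:\CurrentUser\My.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft "Smart Card Logon" EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # "Client Authentication" EKU

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # 2.5.29.37 is the extendedKeyUsage extension; cast it to read the OID list.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] $ext
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$report = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $ekus = Get-EkuOids -Cert $cert
    $provider = $null; $container = $null; $hardware = $false
    # CSP-backed keys expose container metadata without using the key itself.
    if ($cert.HasPrivateKey -and
        $cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info      = $cert.PrivateKey.CspKeyContainerInfo
        $provider  = $info.ProviderName
        $container = $info.KeyContainerName
        $hardware  = $info.HardwareDevice
    }
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        SmartCardLogon = ($ekus -contains $SmartCardLogonOid)
        ClientAuth     = ($ekus -contains $ClientAuthOid)
        Provider       = $provider
        KeyContainer   = $container
        OnHardware     = $hardware
    }
}

$report | Format-Table -AutoSize

# The thread states that only one authentication certificate per card is used
# for logon, so more than one hardware-backed logon certificate is worth flagging.
$logonCerts = @($report | Where-Object { $_.SmartCardLogon -and $_.OnHardware })
if ($logonCerts.Count -gt 1) {
    Write-Warning ("{0} hardware-backed certificates carry the Smart Card Logon EKU; " +
                   "only one logon certificate per card is supported.") -f $logonCerts.Count
}
```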

