Active Directory Certificate Services enrollment problems


Active Directory Certificate Services enrollment problems

Matt Campbell
When I attempt to enroll a user for a smart card login certificate, Windows tells me that the smart card is read-only [1]. I'm running Windows Server 2012 R2 and OpenSC 0.15.0g20150914124137 with a Smartcard-HSM card and Identiv/SCM Microsystems SCR331 card reader. I've initialized it per the instructions on the GitHub wiki. Any help is appreciated.

[1] http://i.coreduo.me.uk/U4FuFqe.png

------------------------------------------------------------------------------

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Active Directory Certificate Services enrollment problems

Andreas Schwier (ML)
Dear Matt,

Windows is right, the minidriver is currently a read-only driver.

The minidriver is currently being enhanced with EC support, and the
authentication mechanism has changed. See [1] for details.

I suggest you try an older version of OpenSC or track the latest
development in the pull request.

It would be great if you could supply logs while you test.

Andreas

[1] https://github.com/OpenSC/OpenSC/pull/566

On 09/29/2015 09:58 AM, Matt Campbell wrote:



--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com



Re: Active Directory Certificate Services enrollment problems

Douglas E Engert
An alternative way to do this until the minidriver can handle writing to a card:
  (1) Generate a private key on the card.
  (2) Use openssl and engine_pkcs11 to generate a certificate request in PEM format.
  (3) Cut and paste the request into the AD CA web page to request a certificate.
  (4) Save the certificate from the CA.
  (5) Write the certificate to the card.

One of the last things I did before retiring was to set up a proof-of-concept system to issue
temporary cards for users who either are waiting for an official PIV card or forgot their card at home.

Steps 1, 2 and 5 were done on a virtual Linux system running under Windows along with other card management steps.

Steps 3 and 4 were done by an AD admin on Windows 7 and transferred.
Step 3 also requires a CA template that adds the Windows smartcard login extension.

Check whether step 2 could be done with sc-hsm-tool.


On 9/29/2015 3:09 AM, Andreas Schwier wrote:


--

  Douglas E. Engert  <[hidden email]>



Re: Active Directory Certificate Services enrollment problems

Matt Campbell
In reply to this post by Andreas Schwier (ML)
Hello, Andreas.

I guess I was under the impression that the minidriver had write support too. I used a development version of OpenSC because it seems that the latest release (0.15) does not install properly on Windows 8.1/Server 2012 R2. The installer successfully completes but none of the files are there.

On Tue, Sep 29, 2015 at 3:09 AM, Andreas Schwier <[hidden email]> wrote:

Re: Active Directory Certificate Services enrollment problems

Vincent Le Toux
Hi Matt,

I'm working on the minidriver.
I confirm that the minidriver has partial write support, but only when a flag is activated.
In addition to the ECC support (see https://github.com/OpenSC/OpenSC/pull/566), I'm working on that.

Can you explain to me why you think that the minidriver installation is not working anymore?
I've solved the problem related to the minidriver configuration / installation (requesting the installation of a driver until disabled), but in my opinion there is no problem with the installation.
Did you mean the x86 / x64 installer problem? (The 32-bit version is not available to 64-bit applications.)

Vincent

2015-09-29 16:52 GMT+02:00 Matt Campbell <[hidden email]>:




--
--
Vincent Le Toux

My Smart Logon
www.mysmartlogon.com


Re: Active Directory Certificate Services enrollment problems

Matt Campbell
Hi Vincent,

For some reason the driver wasn't getting installed in my virtual Server 2012 R2 environment, but on my Windows 8.1 machine it seems to work fine. I'm not sure what the problem was.

On Tue, Sep 29, 2015 at 10:06 AM, Vincent Le Toux <[hidden email]> wrote:





Re: Active Directory Certificate Services enrollment problems

Matt Campbell
In reply to this post by Douglas E Engert
Hi Douglas,

Could you provide more details on doing this? Admittedly I'm new to Windows PKI, but when I export the issued certificate from the CA and write it to the card, Windows tells me that it couldn't find any valid certificates. Could the subject name that I'm using in OpenSSL to make the request be wrong?

openssl req -config openssl.conf -engine pkcs11 -new -key slot_01 -keyform engine -out req.pem -subj "/CN=<DOMAIN.NAME.FQDN" -text -days 3640

On Tue, Sep 29, 2015 at 7:28 AM, Douglas E Engert <[hidden email]> wrote:

Re: Active Directory Certificate Services enrollment problems

Douglas E Engert
In reply to this post by Douglas E Engert
I have only created certificates for users on the card.

So you are trying to place a server certificate on the card?
Is this server certificate to be used for a Windows service of some kind, or
something like a web server on Linux?

If you have a server with a certificate which is now in software, dump the certificate and look at the extensions
Microsoft uses in its server certificates.

The Microsoft CA has templates for creating certificates that can add some of the extensions.
IIRC, the template can also copy some of the extensions from the request.

I don't have an AD CA environment any more, so I cannot test much.

I would use a special openssl.conf that would be run through "sed" and that contained:

req_extensions = v3_req@@TYPE@@ # The extensions to add to a certificate request
commonName = @@CN@@

[ v3_req9A ]
# Extensions to add to a certificate request for login
#basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=otherName:msUPN;UTF8:@@UPN@@

[ v3_req9D ]
# Extensions to add to a certificate request for encrypt
#basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment
subjectAltName=email:@@EMAIL@@

[ v3_req9C ]
# Extensions to add to a certificate request for signed email
#basicConstraints = CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature
subjectAltName=email:@@EMAIL@@

sed was used from a script to replace the @@XX@@ placeholders with the values to go in the new cert.
@@TYPE@@ would be 9A, 9C or 9D, matching the 3 keys used on a PIV card,
and thus selected one of the v3_reqXX sections to get the extensions and values set for the type of certificate.

When using certutil each user has their own store. A server certificate would be in some system store,
not sure where.

Do the OpenSC tools show a certificate on the card?


On 10/2/2015 3:23 PM, Matt Campbell wrote:


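An added shell example, not code from the thread, covering Douglas's five-step procedure (first post) and the sed-rendered openssl.conf template above: it fills the @@XX@@ placeholders for one of the three PIV key types, refuses a combination that leaves the SAN empty, and wraps step 2 (the CSR signed on the card through engine_pkcs11). It assumes engine_pkcs11 and the OpenSC PKCS#11 module are installed, that the key already exists on the card, and the key reference "slot_1-id_01" and file names are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders Douglas's @@XX@@ openssl.conf
# template with sed (the PIV key type selects its extension section) and wraps
# step 2 of his procedure, the CSR made through engine_pkcs11.
# Assumptions: engine_pkcs11 and the OpenSC PKCS#11 module are installed and the
# private key already exists on the card (steps 1 and 5 use OpenSC's own tools).

# Template constructed after the fragment Douglas posted. "prompt = no" makes
# commonName a value instead of an interactive prompt.
REQ_TEMPLATE='[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req@@TYPE@@

[ req_dn ]
commonName = @@CN@@

[ v3_req9A ]
# login (PIV 9A key); the AD CS smart card logon template adds the logon EKU
subjectAltName = otherName:msUPN;UTF8:@@UPN@@

[ v3_req9C ]
# signed email (PIV 9C key)
keyUsage       = critical, nonRepudiation, digitalSignature
subjectAltName = email:@@EMAIL@@

[ v3_req9D ]
# encrypt (PIV 9D key)
keyUsage       = critical, keyEncipherment
subjectAltName = email:@@EMAIL@@
'

# render_req_conf TYPE CN UPN EMAIL OUTFILE
# Substitutes the placeholders and refuses a combination that would leave the
# selected SAN empty: a logon certificate without a UPN is useless to AD.
# Values go into sed verbatim, so avoid "|" and "&" in them.
render_req_conf() {
    ktype=$1 cn=$2 upn=$3 email=$4 out=$5
    case "$ktype" in
        9A)    [ -n "$upn" ]   || { echo "9A needs a UPN" >&2; return 1; } ;;
        9C|9D) [ -n "$email" ] || { echo "$ktype needs an email address" >&2; return 1; } ;;
        *)     echo "unknown key type: $ktype (use 9A, 9C or 9D)" >&2; return 1 ;;
    esac
    printf '%s' "$REQ_TEMPLATE" |
        sed -e "s|@@TYPE@@|$ktype|g" -e "s|@@CN@@|$cn|g" \
            -e "s|@@UPN@@|$upn|g"    -e "s|@@EMAIL@@|$email|g" > "$out"
}

# make_csr CONF KEY OUTFILE: step 2 of the procedure. KEY is the engine's key
# reference (e.g. "slot_1-id_01" or a pkcs11: URI); adjust it to your card.
# The signature is produced on the card, so the PIN prompt comes from the engine.
make_csr() {
    openssl req -config "$1" -engine pkcs11 -keyform engine -key "$2" \
        -new -sha256 -out "$3"
}

# Usage (only when run directly with --demo; the CSR step needs a real card):
if [ "${1:-}" = "--demo" ]; then
    render_req_conf 9A "Jane Doe" "jdoe@corp.example" "" req9A.conf &&
        make_csr req9A.conf "slot_1-id_01" req9A.pem &&
        openssl req -in req9A.pem -noout -text
fi
```

The rendered request is what gets pasted into the AD CS web enrollment page (step 3); the CA template, not the CSR, decides which extensions survive.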

Re: Active Directory Certificate Services enrollment problems

Vincent Le Toux
@Douglas, are you sure that the certificate request was to be stored as a computer account?

Well, copying/pasting the output of certutil -scinfo will help a lot.
The message "couldn't find any valid certificates" means that the minidriver couldn't find a certificate associated with a public/private key pair.
That could mean that the certificate wasn't properly saved to the smart card (wrong reference / id / label).
Then, if the certificate / subject is wrong, it will fail later with a more meaningful error message.

Note: you can check the OpenSSL request by renaming the file to .cer and double-clicking on it on Windows, or within OpenSSL itself.

Note about computer accounts:
When a certificate is used by the computer account (as opposed to the user account), it is stored in the computer certificate store (mmc -> certificates -> computer store).
Inside the certificate properties, you have a reference to the CSP/KSP (CertGetCertificateContextProperty[CERT_KEY_PROV_INFO_PROP_ID]) => it makes the link with the smart card (the gray key icon).
However, most applications (like IIS) won't work with smart card certificates because they can't issue a dialog to enter the PIN => the PIN needs to be set in a configuration file and the application designed for that.

Regards,
Vincent

2015-10-03 0:15 GMT+02:00 Douglas E Engert <[hidden email]>:

Re: Active Directory Certificate Services enrollment problems

Kenneth Benson
One thing I've noticed from other drivers/programs using certs put
on cards is that they almost always want them in the DER internal format. If
the cert you put on the card was in PEM format, it might not be being read
correctly. A possibility?

Kenneth Benson

On 10/3/2015 3:04 AM, Vincent Le Toux wrote:

> @Douglas, are you sure that the certificate request was to be stored as
> a computer account?
>
> Well, copy/pasting the output of certutil -scinfo will help a lot.
> The message "couldn't find any valid certificates" means that the
> minidriver couldn't find a certificate associated with a public/private
> key pair.
> That could mean that the certificate wasn't properly saved to the smart
> card (wrong reference / id / label).
> Then if the certificate / subject is wrong, it will fail later with a
> more meaningful error message.
>
> Note: you can check the OpenSSL request by renaming the file to .cer and
> double-clicking on it on Windows, or within OpenSSL itself.
>
> Note about computer accounts:
> When a certificate is used by the computer account (as opposed to the
> user account), it is stored in the computer certificate store (mmc ->
> certificates -> computer store).
> Inside the certificate properties, you have a reference to the CSP/KSP
> (CertGetCertificateContextProperty[CERT_KEY_PROV_INFO_PROP_ID]) => it
> makes the link with the smart card (the gray key icon).
> However, most applications (like IIS) won't work with smart card
> certificates because they can't show a dialog to enter the PIN => the
> PIN needs to be set in a configuration file, and the application must be
> designed for that.
>
> regards,
> Vincent
>
> 2015-10-03 0:15 GMT+02:00 Douglas E Engert <[hidden email]
> <mailto:[hidden email]>>:
>
>     I have only created certificates for users on the card.
>
>     So you are trying to place a server certificate on the card?
>     Is this server certificate to be used for a Windows service of some
>     kind, or something like a web server on Linux?
>
>     If you have a server with a certificate which is now in software,
>     dump the certificate and look at the extensions
>     Microsoft uses in its server certificates.
>
>     The Microsoft CA has templates for creating certificates that can
>     add some of the extensions.
>     IIRC, the template can also copy some of the extensions from the
>     request.
>
>     I don't have an AD CA environment any more, so can not test much.
>
>     I would use a special openssl.conf that would be run through "sed"
>     that contained:
>
>     [ req ]
>     distinguished_name = req_distinguished_name
>     req_extensions = v3_req@@TYPE@@ # The extensions to add to a certificate request
>     prompt = no                     # so commonName below is taken as the value
>
>     [ req_distinguished_name ]
>     commonName                      = @@CN@@
>
>     [ v3_req9A ]
>
>     # Extensions to add to a certificate request for login
>
>     #basicConstraints = CA:FALSE
>     #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>     subjectAltName=otherName:msUPN;UTF8:@@UPN@@
>
>     [ v3_req9D ]
>     # Extensions to add to a certificate request for encrypt
>     #basicConstraints = CA:FALSE
>     keyUsage = critical, keyEncipherment
>     subjectAltName=email:@@EMAIL@@
>
>     [ v3_req9C ]
>     # Extensions to add to a certificate request for signed email
>     #basicConstraints = CA:FALSE
>     keyUsage = critical, nonRepudiation, digitalSignature
>     subjectAltName=email:@@EMAIL@@
>
>
>     sed was used from a script to replace the @@XX@@ with values to be
>     in the new cert.
>     @@TYPE@@  would be 9A, 9C or 9D  that matched the 3 keys used on a
>     PIV card
>     and thus selected one of the v3_reqXX to get the extensions and
>     values set for type of certificate.
>
>     When using certutil each user has their own store. A server
>     certificate would be in some system store,
>     not sure where.
>
>     Do the OpenSC tools show a certificate on the card?
>
>
>     On 10/2/2015 3:23 PM, Matt Campbell wrote:
>     > Hi Douglas,
>     >
>     > Could you provide more details on doing this? Admittedly I'm new to Windows PKI, but when I export the issued certificate from the CA and write it to the card, Windows tells me that it couldn't find
>     > any valid certificates. Could the subject name that I'm using in OpenSSL to make the request be wrong?
>     >
>     > openssl req -config openssl.conf -engine pkcs11 -new -key slot_01 -keyform engine -out req.pem -subj "/CN=<DOMAIN.NAME.FQDN>" -text -days 3640
>     >
>     > On Tue, Sep 29, 2015 at 7:28 AM, Douglas E Engert
>     <[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>> wrote:
>     >
>     >     An alternative way to do this until the minidriver can handle
>     writing to a card:
>     >        (1) generate private key on card
>     >        (2) Uses openssl and engine_pkcs11 to generate a
>     certificate request in PEM format
>     >        (3) cut-and-paste request into the AD CA web page to
>     request certificate.
>     >        (4) Save certificate from the CA.
>     >        (5) write the certificate to the card.
>     >
>     >     One of the last things I did before retiring was to set up a
>     proof-of-concept system to issue
>     >     temporary cards for users who either are waiting for an
>     official PIV card or forgot their card at home.
>     >
>     >     Steps 1, 2 and 5 were done on a virtual Linux system running
>     under Windows along with other card management steps.
>     >
>     >     3 and 4 were done by an AD admin on Windows 7 and transferred.
>     >     Step 3 also requires a CA template that added the Windows
>     smartcard login extension.
>     >
>     >     Check if step 2 could be done by the sc-hsm-tool.
>     >
>     >
> --
> Vincent Le Toux
>
> My Smart Logon
> www.mysmartlogon.com <http://www.mysmartlogon.com/>


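The five-step workaround Douglas lists in the quoted message above (key on the card, CSR via engine_pkcs11, paste into the AD CS web enrollment page, save the issued certificate, write it back), together with Kenneth's DER point, as an added example. This is not code from the thread, from OpenSC or from any poster. Everything marked as an assumption is mine: the module path in MODULE, that the key pair was created with PKCS#11 id 01, and the engine_pkcs11 key spec in KEY_SPEC, whose syntax depends on the engine_pkcs11 version installed. Only render_req_conf, is_der and pem_to_der run without a card.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSC). Assumptions, all mine:
MODULE="${MODULE:-/usr/lib/opensc-pkcs11.so}"   # OpenSC PKCS#11 module path
KEY_SPEC="${KEY_SPEC:-pkcs11:id=%01}"           # engine_pkcs11 key spec, version dependent

# Step 2 helper: render Douglas's templated openssl.conf. ktype picks the
# extension section (9A logon, 9C signature, 9D encryption); the @@...@@
# placeholders are filled with sed, as in his script. Result on stdout.
render_req_conf() {
    ktype="$1"; cn="$2"; upn="$3"; email="$4"
    sed -e "s|@@TYPE@@|$ktype|" -e "s|@@CN@@|$cn|" \
        -e "s|@@UPN@@|$upn|" -e "s|@@EMAIL@@|$email|" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req@@TYPE@@
prompt             = no

[ req_dn ]
commonName = @@CN@@

[ v3_req9A ]
# smart card logon: AD maps the account from the msUPN in the SAN
subjectAltName = otherName:msUPN;UTF8:@@UPN@@

[ v3_req9C ]
keyUsage       = critical, nonRepudiation, digitalSignature
subjectAltName = email:@@EMAIL@@

[ v3_req9D ]
keyUsage       = critical, keyEncipherment
subjectAltName = email:@@EMAIL@@
EOF
}

# Steps 1 and 2 on the card: generate the key pair (id 01), sign a CSR with it.
make_csr() {
    ktype="$1"; cn="$2"; upn="$3"; email="$4"; out="$5"
    pkcs11-tool --module "$MODULE" --login --keypairgen --key-type rsa:2048 \
        --id 01 --label "$ktype"
    render_req_conf "$ktype" "$cn" "$upn" "$email" > req.conf
    openssl req -new -engine pkcs11 -keyform engine -key "$KEY_SPEC" \
        -config req.conf -out "$out"
}
# Steps 3 and 4 are manual: paste the CSR into the AD CS web enrollment page
# under a template that carries the smart card logon extension, save the cert.

# Kenneth's point: the card wants DER; the CA usually returns PEM (Base64).
# DER begins with 0x30 (ASN.1 SEQUENCE), PEM with '-'. Returns 0 for DER.
is_der() {
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Step 5: write the certificate with the SAME id as the key so the
# minidriver can pair them, then list what the card now holds.
write_cert() {
    cer="$1"; label="$2"
    if is_der "$cer"; then cp "$cer" cert.der; else pem_to_der "$cer" cert.der; fi
    pkcs11-tool --module "$MODULE" --login --write-object cert.der \
        --type cert --id 01 --label "$label"
    pkcs11-tool --module "$MODULE" --login --list-objects
}
# Usage: make_csr 9A host.example.com jdoe@example.com jdoe@example.com req.pem
#        write_cert issued.cer 9A
```

The template keeps Douglas's shape: one file, three extension sections, TYPE selects the section. Writing the certificate under the same --id as the key is what lets the minidriver find "a certificate associated with a key pair"; a PEM file written as-is is exactly the failure Kenneth suspects, and is_der rejects it before the write.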

Re: Active Directory Certificate Services enrollment problems

Vincent Le Toux
Yes, it is a possibility.

What are certutil -scinfo / pkcs15-tool -D returning?

2015-10-03 19:01 GMT+02:00 Kenneth Benson <[hidden email]>:
> One thing I've noticed from other drivers/programs that put certs on
> cards is they almost always want the DER internal format. If the cert
> you put on the card was PEM format, it might not be read correctly.
> A possibility?
>
> Kenneth Benson



--
Vincent Le Toux

My Smart Logon
www.mysmartlogon.com


Re: Active Directory Certificate Services enrollment problems

Douglas E Engert
In reply to this post by Kenneth Benson
Possible, but not very likely, as there usually are some checks on the ASN.1 encoding, at least of the length of the cert.
For PKCS#15 cards, additional information such as the subject may be extracted from the cert and written to separate files.

I suggested trying to read the certificate from the card. I meant using pkcs11-tool, pkcs15-tool or the vendor tool that wrote the certificate.
The issue is that Windows (and the minidriver) can not find the certificate.
Using OpenSC on Linux to read the certificate would also help, as would an OpenSC debug log.



On 10/3/2015 12:01 PM, Kenneth Benson wrote:
> One thing I've noticed from other drivers/programs that put certs on
> cards is they almost always want the DER internal format. If the cert
> you put on the card was PEM format, it might not be read correctly.
> A possibility?
>
> Kenneth Benson
>


--

  Douglas E. Engert  <[hidden email]>



Re: Active Directory Certificate Services enrollment problems

Douglas E Engert
In reply to this post by Matt Campbell
Going back to this first e-mail:

What GitHub wiki page?

What commands did you use to initialize the card?

If running on a Windows 64 bit machine, did you install both the 64 bit and 32 bit version of OpenSC?

Can you use any of the OpenSC tools, pkcs11-tool or pkcs15-tool, to see if a key was generated and a cert loaded?
Note for PKCS#11 the ID of the private key, public key (if any) and certificate should be the same.

Can you post the certificate to the mailing list?

Do you have a Linux system to try running OpenSC?


On 9/29/2015 2:58 AM, Matt Campbell wrote:

> When I attempt to enroll a user for a smart card login certificate, Windows tells me that the smart card is read-only[1]. I'm running Windows Server 2012 R2 and OpenSC 0.15.0g20150914124137 with a
> Smartcard-HSM card and Identiv/SCM Microsystems SCR331 card reader. I've initialized it per the instructions on the GitHub wiki. Any help is appreciated.
>
> [1] http://i.coreduo.me.uk/U4FuFqe.png

--

  Douglas E. Engert  <[hidden email]>


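The check Douglas asks for in the message above (do the private key, public key and certificate on the card carry the same PKCS#11 ID?), and the "what does pkcs15-tool / pkcs11-tool show" question Vincent raised earlier, as an added example. It is not code from the thread or from OpenSC. It parses the object listing format that pkcs11-tool prints; SAMPLE_LISTING is constructed by me to resemble that output and is not captured from a real card. The mismatch it contains (certificate under id 02, key under id 01) is the situation in which the minidriver reports no valid certificate.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSC): verify that every certificate
# and public key on the card shares its PKCS#11 ID with a private key.
# SAMPLE_LISTING is constructed to look like pkcs11-tool --list-objects output.
SAMPLE_LISTING='Private Key Object; RSA
  label:      login
  ID:         01
  Usage:      decrypt, sign
Public Key Object; RSA 2048 bits
  label:      login
  ID:         01
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      login
  subject:    DN: CN=jdoe
  ID:         02'

# Read a pkcs11-tool --list-objects listing on stdin and print one
# "<class> <id>" line per object, class being private, public or cert.
object_ids() {
    awk '
        /^Private Key Object/  { cls = "private" }
        /^Public Key Object/   { cls = "public" }
        /^Certificate Object/  { cls = "cert" }
        /^  ID:/ && cls != ""  { print cls, $2; cls = "" }
    '
}

# Exit 0 when there is at least one private key and every certificate and
# public key has a private key with the same ID; otherwise report the
# orphans and exit 1. Private keys are only listed after --login.
check_ids() {
    object_ids | awk '
        $1 == "private" { priv[$2] = 1; npriv++ }
        $1 == "public"  { pub[$2] = 1 }
        $1 == "cert"    { cert[$2] = 1 }
        END {
            bad = 0
            if (npriv == 0) { print "no private key object seen (did you --login?)"; bad = 1 }
            for (id in cert) if (!(id in priv)) {
                print "certificate id " id " has no private key with the same id"; bad = 1
            }
            for (id in pub) if (!(id in priv)) {
                print "public key id " id " has no private key with the same id"; bad = 1
            }
            exit bad
        }
    '
}

# Live use against a card (assumed module path):
#   pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --list-objects | check_ids
```

On the constructed listing check_ids reports the certificate under id 02 as orphaned, which is the state the thread is debugging: Windows sees a key but no certificate bound to it. Rewriting the certificate with --id 01 (or deleting it with pkcs11-tool --delete-object --type cert --id 02 and writing it again) makes the check pass.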