Third-Party Certificate on Windows 2008 AD CS

    Question

  • The main purpose is to let Smart Card Logon work with my personal certificate (VeriSign CA). This is what I have tried.

    1. Install AD CS

    2. Add the third-party root CA to the trusted roots in an Active Directory Group Policy object. (281245)

    3. Add the third-party issuing CA to the NTAuth store in Active Directory.

    At step 3 I have imported 3 certificates (the whole cert chain).

    What went wrong?

    Why do I need the objectGUID?

    Wednesday, June 23, 2010 8:32 AM

All replies

  • Hi,

    The requirements for smart card logon using 3rd party CAs are specified here: http://support.microsoft.com/kb/281245
    Do you fulfill them all?

    Regards

    Martin

    Wednesday, June 23, 2010 10:33 AM
  • Hi Martin,

    Thanks for your reply. I have read article 281245 you sent me.

    What I don't understand is step 5. Do I have to modify something?

    Regards,

    Jordan

    Wednesday, June 23, 2010 11:08 AM
  • Well, in order to use smart card logon in a Windows domain you will need two types of certificates:

    1) certificates for the clients (these certificates are stored on smart cards)
    2) certificates for domain controllers

    The KB article specifies requirements on domain controller certificates as well as on user certificates. Step 5 describes the requirements that need to be met for the client certificates.

    Do you use a specific Verisign service, or are you trying to use generic e-mail Verisign certificates (for example http://www.verisign.com/authentication/digital-id/index.html) for smart card logon? Also, can you be more specific on what you do not understand in these requirements?

    Regards

    Martin

    Wednesday, June 23, 2010 12:25 PM
  • Hi Martin,

    I don't understand how the enrollment process works on a Third Party CA.

    As I told you, I have a VeriSign personal certificate. It is used for secure Web. But I also want to put this certificate on my smartcard for Windows login.

    Do I have to create a new Third Party Root CA? Getting the GUID from my AD DS certificate and giving this to VeriSign?

    Regards,

    Jordan

    Friday, June 25, 2010 11:20 AM
  • On Fri, 25 Jun 2010 11:20:17 +0000, Jordan Ly wrote:

    I don't understand how the enrollment process works on a Third Party CA.

    This has nothing to do with the enrollment process for a 3rd party CA.


    As I told you, I have a VeriSign personal certificate. It is used for secure Web. But I also want to put this certificate on my smartcard for Windows login.

    Certificates have purposes, and they can only be used for the purposes that
    are included in the certificate. You simply cannot use a "secure web"
    certificate for Windows logon.


    Do I have to create a new Third Party Root CA? Getting the GUID from my AD DS certificate and giving this to VeriSign?

    No, you really don't understand how certificates work. You can check with
    Verisign but they're not likely going to issue you a smartcard logon
    certificate.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Friday, June 25, 2010 12:02 PM
  • Hi Paul Adare,

    Thanks for your email.

    Is there a solution to solve this? We are a TTP and can issue certificates.

    Regards

    Jordan

    Friday, June 25, 2010 12:37 PM
  • On Fri, 25 Jun 2010 12:37:09 +0000, Jordan Ly wrote:

    Hi Paul Adare,

    Thanks for your email.

    Is there a solution to solve this? We are a TTP and can issue certificates.

    Sorry but I have no idea what TTP means. If you have your own AD CS
    deployment you can certainly issue your own smartcard logon certificates.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Friday, June 25, 2010 12:53 PM
  • Hi Paul,

    The problem is, I want to use my own certificate for smartcard logon.

    If I use a Microsoft certificate then it generates a new certificate. The problem is I don't know how to make the link between the user account and my own certificate.

    Monday, June 28, 2010 7:08 AM
  • On Mon, 28 Jun 2010 07:08:22 +0000, Jordan Ly wrote:

    The problem is, I want to use my own certificate for smartcard logon.

    If I use a Microsoft certificate then it generates a new certificate. The problem is I don't know how to make the link between the user account and my own certificate.

    I'm not sure if I understand what you're trying to do here. If you're
    trying to use the certificate that you got from Verisign for smart card
    logon then that simply isn't going to work for the reasons I've already
    described to you.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Monday, June 28, 2010 7:15 AM
  • Hello Paul,

    As you said before, the certificate must have purpose(s). So I am looking at my Personal Certificate and this is what I see: All application policies

    What does this mean for Windows logon with SmartCard?

    Greets, Quyen

    Monday, June 28, 2010 10:02 AM
  • On Mon, 28 Jun 2010 10:02:08 +0000, Jordan Ly wrote:

    As you said before, the certificate must have purpose(s). So I am looking at my Personal Certificate and this is what I see: All application policies

    What does this mean for Windows logon with SmartCard?

    So you're saying that the certificate you were issued by Verisign to you
    personally shows All Application policies? I think we've got a
    communication issue here.
    Can you export the certificate (don't export the private key) to a file and
    then run:

    certutil -dump filename.cer

    and then post the output?


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Monday, June 28, 2010 11:26 AM
  • Hi Paul,

    For smartcard logon with a Third party CA I need to have an attribute in my personal certificate like Enhanced Key Usage.

    So for my situation it will never work.

    I am trying to get a new certificate with the Enhanced Key Usage attribute.

    Thanks for your help.

    Tuesday, June 29, 2010 3:01 PM
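An added example, not code from the thread or from Microsoft: it turns Paul's `certutil -dump` check and Jordan's Enhanced Key Usage finding into a script that reads an exported .cer file and reports which KB 281245 user-certificate requirements it meets (Smart Card Logon and Client Authentication EKUs, a UPN in the Subject Alternative Name, a CRL distribution point), then lists the NTAuth store so the issuer can be compared. The file path is an assumed placeholder; a web certificate with no EKU extension (shown as "All application policies" in the certificate viewer) fails the EKU checks, which is the situation Jordan describes.

```powershell
# Added example (not from the thread): report which KB 281245 user-certificate
# requirements an exported certificate meets. $CerPath is an assumed placeholder.
param([string]$CerPath = 'C:\temp\user.cer')   # export the cert WITHOUT its private key

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Well-known EKU OIDs for Smart Card Logon and Client Authentication
$oidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
$oidClientAuth     = '1.3.6.1.5.5.7.3.2'

# The three extensions the KB's user-certificate requirements depend on
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$crl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points

# A certificate with no EKU extension is what the certificate viewer shows as
# "All application policies"; it cannot satisfy the two EKU checks below.
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$sanText = ''
if ($san) { $sanText = $san.Format($true) }   # multi-line text, e.g. "Principal Name=user@corp.example"

# Pairs of (description, result); an array of arrays keeps the order on PowerShell 2.0
$checks = @(
    @('EKU extension present',              [bool]$eku),
    @('EKU contains Smart Card Logon',      ($ekuOids -contains $oidSmartCardLogon)),
    @('EKU contains Client Authentication', ($ekuOids -contains $oidClientAuth)),
    @('SAN carries a UPN (Principal Name)', ($sanText -match 'Principal Name=')),
    @('CRL Distribution Point present',     [bool]$crl)
)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
foreach ($c in $checks) {
    $mark = 'FAIL'
    if ($c[1]) { $mark = 'PASS' }
    "[$mark] $($c[0])"
}

# The issuing CA must also be present in the NTAuth store (step 3 of the question).
# certutil is built into Windows; compare its Subject lines with the Issuer line above.
"--- NTAuth store (enterprise) ---"
certutil -enterprise -store NTAuth | Select-String '^\s*Subject:'
```

The script checks the requirements as KB 281245 states them; the Vista/2008 relaxation of the EKU requirement that the thread's last link describes is not modelled here.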
  • Hi Paul,

    There is also a solution for how to use smartcard logon without EKU attributes:

    http://blogs.msdn.com/b/spatdsg/archive/2008/04/17/smartcard-in-2008-and-vista.aspx

    Monday, July 05, 2010 12:44 PM