Hi Martin,

actually from the CA standpoint having the certificates on a smartcard, on a file or on any other media is the same. Indeed when the users make a request, there is no way for the RA/CA to know if the key has been generated on a token or on a software interface.

This could be a problem if you rely on the fact that the users should use only the Smart Cards. A solution is to require the users to make the requests at the RA site (in person, showing that they are using a smart card) or you can generate the key and make the request for them. The second option takes more time on your part, of course. So - on the CA you do not have to do anything to support smart-cards.

On the client side things can get a bit complicated because smart-cards are not standardized in their internal format. Some projects - like OpenSC - use a PKCS#15 format, but not all vendors do that. More important, make sure that the drivers that are shipped are available for all of the OSes that you want to support on the client side.

I hope this clarifies the smart-cards/usb-tokens (usb-tokens usually are exactly the same as smart-cards; the advantage is that they use USB, which is present on all the `modern` computers, while for SC you probably need a reader for each client computer...).

For the certificate profile, it depends on what you need. For normal web-authentication standard profiles will work. If you use the SC for different purposes (e.g., Win login) you have to add specific extensions to the profile of the certificate (check with the Microsoft support for the latest changes in the needed certificate profile - also look at the User.ext.template file - there are some suggestions on how to configure the smartcardlogin in the extendedKeyUsage).

Later,
Max

Martin Bley wrote:
Hello List,

I'm just getting started implementing a PKI for the first time. It should provide an infrastructure to issue Certificates for Client-Authentication against an IIS Webserver. The Cert should be held by SmartCards. To accomplish this, I've installed one offline-node holding the CA and an online-node holding the RA and Pub interface. Which tool, template or extension may I use to create SmartCard capable certificate requests on the public interface? The second question is, how - once the certificates have been signed by the CA - may I put those on the smartcard?

Thanks for any suggestion - I really stand in the woods regarding this issue.

Martin
Openca-Users mailing list: Openca-Users@lists.sourceforge.net, https://lists.sourceforge.net/lists/listinfo/openca-users