On 06/06/2011 04:32 PM, Douglas E. Engert wrote:
>
> On 6/6/2011 7:19 AM, Martin Paljak wrote:
>>
>> On Jun 6, 2011, at 15:01 , Viktor Tarasov wrote:
>>
>>> On 06/06/2011 11:22, Martin Paljak wrote:
>>>> Hello,
>>>>
>>>> Just a quick notice that a section about "certificate compatibility"
>>>> seems justified somewhere in documentation.
>>>
>>> Yes, it would be very useful.
>>> I imagine that subtle expert knowledge of the subject is needed, for
>>> example when it's about BaseCSP, minidriver, SmartcardLogon, ...
>>
>> Maybe we can re-use the knowledge of EJBCA folks here, maybe their
>> documentation even already includes necessary bits and pieces of
>> information, I have not checked. Also PKIX docs are useful, but to get
>> certificates "right" requires some time and effort. That's why setting up a
>> real CA is not the same as running some OpenSSL commands... Root key
>> secrecy, policies, certificate profiles etc. require a lot of work to get
>> right for a setup.
>>
>
> What is in a certificate is not really OpenSC's concern,
> but the concern of the CA, and since we are talking login,
> and usually to Windows AD, the concern of the DC or Kerberos
> KDC administrators.
>
> This is a good starting point:
> http://support.microsoft.com/kb/281245
>
> Or:
> http://blogs.msdn.com/b/shivaram/
>
> Google for: AD smartcard login
>
> Under the covers, AD is using the Kerberos PKINIT protocol,
> so much of this applies to Linux with pam_krb5 to AD or
> to a MIT or Heimdal KDC, and krb5.conf has many parameters
> used by the PKINIT code.
>
> Google for: pam_krb5 PKINIT
>
Yes, smart card logon for Windows is a true PITA, mostly due to bad logging and debug options in Windows. Who knows what "error 4711" means? Anyhow, we, the EJBCA folks, have at one time documented in detail how to get it working with EJBCA, including certificate profiles for the CA, Domain Controller and user. See http://ejbca.org/howto.html#Microsoft%20smart%20card%20logon

This setup is known to work well with Windows 2003/XP/... Still untested on Win 2008 to my knowledge. In general the user cert is described in point 5 in the first link that Douglas sent.

We try to stay away from it as much as possible, and rely on the guys who work with smart card login on a daily basis, such as the Aventra folks. The real trouble, for us, is that things really seem to change often: SP2 works in one way and SP3 in another. A small Windows patch and everything stops working. So if you tell a customer you can implement it for them, you really have to stay on top of (Windows) things continuously, something that requires quite a bit of work.

Having something in the wiki describing certificate requirements for different platforms is, I agree, not OpenSC's concern. But it is still a great service to the community and an easy solver for support email on the list. MS's documentation is, imho, very poor in this respect. But that is not their goal, and I don't think it's in their interest to make it easy to use for "do it yourself'ers".

Cheers,
Tomas

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
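The user-certificate requirements Douglas and Tomas point to (KB 281245, "point 5") are the part most often got wrong when a CA profile is written by hand: the certificate must carry both the Client Authentication and the Smart Card Logon extended key usages, and the user's UPN must be present in the Subject Alternative Name as an otherName of type 1.3.6.1.4.1.311.20.2.3. The script below is an added example, not code from the thread, from EJBCA or from OpenSC. It assumes you have already pulled the raw DER of the ExtKeyUsage and SubjectAltName extension values out of a certificate (the small DER helpers here are enough for those two extensions and for well-formed input); the sample extension values are constructed inline so it runs offline. Key usage, CRL distribution point and the domain controller certificate are not checked here.

```python
"""Check ExtKeyUsage and SubjectAltName extension values against the
Windows smart card logon user-certificate requirements (KB 281245):
Client Authentication + Smart Card Logon EKUs, and a UPN otherName in the SAN.
Pure stdlib; a minimal DER encoder/decoder is included so the sample
extension values can be constructed inline (constructed data, not from a real cert)."""

OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_UPN = "1.3.6.1.4.1.311.20.2.3"


# --- minimal DER helpers (enough for these two extensions) ------------------
def der_len(n):
    """DER length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Tag + DER length + content."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to a dotted string (first arc 0/1/2)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def iter_tlv(data):
    """Yield (tag, content) for each top-level DER element in data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


# --- the checks ---------------------------------------------------------------
def eku_oids(eku_der):
    """Return the OIDs listed in an ExtKeyUsage extension value."""
    tag, seq = next(iter_tlv(eku_der))
    if tag != 0x30:
        raise ValueError("ExtKeyUsage is not a SEQUENCE")
    return [decode_oid(c) for t, c in iter_tlv(seq) if t == 0x06]


def san_upns(san_der):
    """Return the UPNs carried as otherName entries in a SubjectAltName value."""
    tag, seq = next(iter_tlv(san_der))
    if tag != 0x30:
        raise ValueError("SubjectAltName is not a SEQUENCE")
    upns = []
    for t, other in iter_tlv(seq):
        if t != 0xA0:                    # otherName is [0] IMPLICIT; rfc822Name etc. are skipped
            continue
        parts = list(iter_tlv(other))    # type-id OID, then [0] EXPLICIT value
        if len(parts) == 2 and parts[0][0] == 0x06 and decode_oid(parts[0][1]) == OID_UPN:
            inner_tag, inner = next(iter_tlv(parts[1][1]))
            if inner_tag == 0x0C:        # UTF8String
                upns.append(inner.decode("utf-8"))
    return upns


def smartcard_logon_problems(eku_der, san_der):
    """Return human-readable problems; an empty list means both checks pass."""
    problems = []
    ekus = eku_oids(eku_der)
    if OID_CLIENT_AUTH not in ekus:
        problems.append("EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2)")
    if OID_SMARTCARD_LOGON not in ekus:
        problems.append("EKU lacks Smart Card Logon (1.3.6.1.4.1.311.20.2.2)")
    upns = san_upns(san_der)
    if not upns:
        problems.append("SAN has no otherName UPN (1.3.6.1.4.1.311.20.2.3)")
    elif any("@" not in u for u in upns):
        problems.append("UPN is not in user@domain form")
    return problems


# --- constructed sample extension values -------------------------------------
def build_eku(oids):
    return tlv(0x30, b"".join(encode_oid(o) for o in oids))


def build_san_upn(upn):
    other_name = tlv(0xA0, encode_oid(OID_UPN) + tlv(0xA0, tlv(0x0C, upn.encode())))
    return tlv(0x30, other_name)


GOOD_EKU = build_eku([OID_CLIENT_AUTH, OID_SMARTCARD_LOGON])
GOOD_SAN = build_san_upn("alice@corp.example")          # hypothetical UPN
BAD_EKU = build_eku([OID_CLIENT_AUTH])                   # a plain TLS client cert profile
BAD_SAN = tlv(0x30, tlv(0x81, b"alice@corp.example"))    # rfc822Name, which AD does not use as a UPN

if __name__ == "__main__":
    print("good profile:", smartcard_logon_problems(GOOD_EKU, GOOD_SAN))
    print("bad profile: ", smartcard_logon_problems(BAD_EKU, BAD_SAN))
```

Running it reports no problems for the first pair and two for the second (missing Smart Card Logon EKU, no UPN otherName), which is exactly the pair of mistakes a "client auth" profile copied from a TLS setup produces. With a real certificate, feed the two extension values from whatever X.509 library you use into `smartcard_logon_problems`; the DER helpers are deliberately minimal and are not a general-purpose ASN.1 parser.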