Martin Leung wrote:
> 
> Hi Marat,
> 
> I have signed a Win2K subordinate CA cert with openssl (v0.9.6)
> as root CA. The following extensions are used:
> 
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always
> basicConstraints = critical,CA:true,pathlen:0
> keyUsage = critical, cRLSign, keyCertSign
> nsCertType = sslCA, emailCA
> crlDistributionPoints=URI:https://host_stored_crls/root.crl
> 
> The Win2K sub-CA cert can then be used to issue certs for AD
> users and computers. SSL auth with those end-user certs is fine
> but smartcard logon doesn't work (OK if the root CA is Win2K CA).
> 

If you try the latest snapshot you should be able to add unsupported
extensions that appear in the certificate request; that may help with
smartcard logon.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]