This document provides detailed instructions for configuring Certificate Server 4.7 to generate certificates that can be used for SmartCard login in a Windows 2000 environment.
Enabling this feature in Certificate Server 4.7 is a three-part process.
This document provides information resources for Part 1, detailed instructions for Part 2, and some general notes for Part 3.
For detailed instructions, see the following documents on the Microsoft website:
In this part, you configure a number of policies for the Smart Card and the Domain Controller certificates.
Once you've set up the Windows 2000 environment and configured Certificate Server to work with it, you can begin issuing certificates. It's likely, however, that you'll want to customize your certificate enrollment forms to better suit your own requirements.
Part 3 is intended to illustrate how certificate issuance for a Windows 2000 environment works with minimal modifications. The notes included here are presented as sample instructions, a starting point from which you can begin to identify your own customization needs and develop custom solutions.
Certificate Server 4.7 provides two sample enrollment forms. One is for the Smart Card Certificate and one is for the Domain Controller Certificate. Both are stored in the following directory:
<CMS_Root>/<CMS_Instance>/web/ee.
In the sample Domain Controller Enrollment form, you must enter the value of the Domain Controller's GUID. For demonstration purposes, we assume the GUID of the Domain Controller is fb4cdafc-2e1d-4151-a958-b20bfb9e5890. Note that the octets passed to GenAsn1 below are the GUID in its binary (little-endian) layout, so the first three fields appear byte-reversed: fb4cdafc becomes FC:DA:4C:FB, 2e1d becomes 1D:2E, and 4151 becomes 51:41. For more information on how this value is derived, see http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224544.
$ GenAsn1 -o 1.3.6.1.4.1.311.25.1 -t Octet FC:DA:4C:FB:1D:2E:51:41:A9:58:B2:0B:FB:9E:58:90
BgkrBgEEAYI3GQGgEgQQ/NpM+x0uUUGpWLIL+55YkA==
The User Principal Name (UPN) field in the Smart Card Certificate Enrollment form accepts an ASN1 string in the same base64 form. Generate it with GenAsn1 as above, giving the UPN's object identifier and a UTF8String value rather than the Octet type used for the Domain Controller GUID.
Assume the UPN value for the user of the Smart Card Certificate is user1@sun.com. You can generate the ASN1 string as follows:
Note: The UPN used here, user1@sun.com, must be the user's Windows logon name (the userPrincipalName of the account) in that Active Directory domain, because Windows uses it to locate the account at logon. Its ASN1 data type is UTF8String, not the Octet type used for the Domain Controller GUID.
After the certificates are issued, use Internet Explorer to view the Subject Alternative Name extension in the Smart Card Certificate, and the Subject Alternative Name and Certificate Template Name extensions in the Domain Controller Certificate. The values (the UPN, the GUID, and the template name) should be displayed in clear text. If they appear as raw hexadecimal or ASCII data, the extension was not encoded in the form Windows expects and smart card logon will not work.
Originally, only an ASN1 SEQUENCE was supported for the otherName type in the Subject Alternative Name extension. CMS 4.7 adds two more forms: an ASN1 value without the leading SEQUENCE byte (0x30), which exists mainly for Windows 2000 support, and a plain ASCII string. To select among these in the HTML form, a hidden variable named "xxx-DataType" is added, where "xxx" is the name of the parameter used in the extension. The three possible values for the data type are
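The construction behind the two GenAsn1 values in this section (the Domain Controller GUID and the UPN) and the otherName forms with and without the leading 0x30, as an added Python example that is not part of Certificate Server 4.7 or of the original page: it builds the otherName bytes by hand, reproduces the base64 string shown for the demonstration GUID, and parses either form back to clear text so that an issued value can be checked without Internet Explorer. The UPN object identifier 1.3.6.1.4.1.311.20.2.3 is Microsoft's szOID_NT_PRINCIPAL_NAME and is assumed here; only the GUID identifier appears on the page. Inputs are the page's demonstration GUID and UPN.

```python
import base64
import uuid

# Well-known Microsoft OIDs for the two otherName forms Windows 2000 looks for.
# The GUID OID is the one passed to GenAsn1 -o on the page; the UPN OID is
# assumed (szOID_NT_PRINCIPAL_NAME) and does not appear on the page.
OID_NTDS_REPLICATION_GUID = "1.3.6.1.4.1.311.25.1"   # Domain Controller GUID
OID_NT_PRINCIPAL_NAME = "1.3.6.1.4.1.311.20.2.3"     # User Principal Name


def der_length(n: int) -> bytes:
    """DER length octets: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV; arcs above 127 (e.g. 311) use base-128 bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def other_name(oid: str, value: bytes, wrap_in_sequence: bool) -> bytes:
    """otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }.
    The CMS 4.7 Windows 2000 form is the same bytes minus the outer SEQUENCE
    (the leading 0x30); the original form keeps it."""
    body = encode_oid(oid) + der_tlv(0xA0, value)
    return der_tlv(0x30, body) if wrap_in_sequence else body


def dc_guid_value(guid: str) -> str:
    """Base64 otherName for a Domain Controller GUID, as GenAsn1 -t Octet emits.
    Windows stores the first three GUID fields little-endian, which is why
    fb4cdafc-... becomes FC DA 4C FB ...; uuid.bytes_le performs that swap."""
    octets = der_tlv(0x04, uuid.UUID(guid).bytes_le)
    return base64.b64encode(other_name(OID_NTDS_REPLICATION_GUID, octets, False)).decode()


def upn_value(upn: str) -> str:
    """Base64 otherName for a UPN; the value is a UTF8String, not an OCTET STRING."""
    utf8 = der_tlv(0x0C, upn.encode("utf-8"))
    return base64.b64encode(other_name(OID_NT_PRINCIPAL_NAME, utf8, False)).decode()


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_other_name(b64: str) -> tuple:
    """Parse either otherName form back to (oid, clear text): the same check the
    text describes (clear text, not a hex dump), done without a browser."""
    buf = base64.b64decode(b64)
    tag, content, end = _read_tlv(buf, 0)
    if tag == 0x30:                       # original form: descend into the SEQUENCE
        buf = content
        tag, content, end = _read_tlv(buf, 0)
    if tag != 0x06:
        raise ValueError("otherName must start with an OBJECT IDENTIFIER")
    oid = decode_oid(content)
    tag, content, _ = _read_tlv(buf, end)
    if tag != 0xA0:
        raise ValueError("otherName value must be [0] EXPLICIT")
    inner_tag, inner, _ = _read_tlv(content, 0)
    if inner_tag == 0x04 and len(inner) == 16:
        return oid, str(uuid.UUID(bytes_le=bytes(inner)))
    if inner_tag == 0x0C:
        return oid, inner.decode("utf-8")
    raise ValueError("unexpected value tag 0x%02x" % inner_tag)


if __name__ == "__main__":
    # Constructed inputs: the page's demonstration GUID and UPN.
    dc = dc_guid_value("fb4cdafc-2e1d-4151-a958-b20bfb9e5890")
    print(dc)                             # same string as the GenAsn1 output above
    print(upn_value("user1@sun.com"))
    print(decode_other_name(dc))
```

The decoder accepts both forms, so it also applies to the otherName bytes found inside an issued certificate's Subject Alternative Name once they have been extracted; if it raises, the value is not in a shape Windows will display as clear text.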
Last Updated August 09, 2002