
GIDS APP - Windows 10 smart card login

Posted: Tue Sep 04, 2018 6:17 pm
by cdorde
I installed the cap file to a JCOP242R3 card and personalized certificates to the card. I used OpenSC-0.18.0-win64_vs12-Release.msi and in the command prompt I issued these commands:

gids-tool.exe -X --pin 1234 --serial-number 00000000000000000000000000000000

and after

pkcs15-init --auth-id 80 --pin 1234 --verify-pin -f PKCS12 --passphrase password -S private_cert.pfx

and everything passes ok.

The Certutil -scInfo command works as expected. I can sign a Word document.

But what I cannot do is use this card for Windows smart card logon. Private keys are from another card which works for smart card logon. The error message is "No valid certificates were found on this smart card".

My question: can the GidsApp applet installed on the card be used for Windows smart card logon (Active Directory) or not?

Re: GIDS APP - Windows 10 smart card login

Posted: Wed Sep 05, 2018 9:49 am
by cdorde
Just to answer myself:

GIDS applet CAN be used for Active Directory based smart card login.

My mistake was that the personalisation of the pfx file to the card must contain a key-usage directive. As stated in the Windows documentation, the key used for smart card login must be of type AT_KEYEXCHANGE. Because I use OpenSC gids-tool.exe for personalisation of keys to the card, the command must look like:

pkcs15-init --auth-id 80 --pin 1234 --verify-pin -f PKCS12 --passphrase password -S private_cert.pfx --key-usage=decrypt

"decrypt" in the OpenSC world is the same as AT_KEYEXCHANGE in the Microsoft world.

I can use the same key for signing in Word.

I hope that this explanation will help somebody else ...
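
Added example, not part of the posts above and not OpenSC or applet code: a small parser that classifies each key container as AT_SIGNATURE or AT_KEYEXCHANGE from the CONTAINER_MAP_RECORD entries of a card's cmapfile, as laid out in the Windows smart card minidriver specification. It assumes the cmapfile has already been dumped to raw bytes by other means; the sample bytes and container names are constructed.

```python
import struct

# CONTAINER_MAP_RECORD (Windows smart card minidriver specification):
#   WCHAR wszGuid[40]; BYTE bFlags; BYTE bReserved;
#   WORD wSigKeySizeBits; WORD wKeyExchangeKeySizeBits   -> 86 bytes, little-endian
RECORD = struct.Struct("<80sBBHH")
VALID_CONTAINER = 0x01
DEFAULT_CONTAINER = 0x02

def parse_cmap(blob):
    """Return one dict per container record found in a raw cmapfile."""
    if len(blob) % RECORD.size:
        raise ValueError("cmapfile length is not a multiple of 86 bytes")
    records = []
    for index, (guid, flags, _, sig_bits, kx_bits) in enumerate(RECORD.iter_unpack(blob)):
        name = guid.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        records.append({
            "index": index,
            "name": name,
            "valid": bool(flags & VALID_CONTAINER),
            "default": bool(flags & DEFAULT_CONTAINER),
            "sig_bits": sig_bits,
            "keyexchange_bits": kx_bits,
        })
    return records

def key_spec(record):
    """Name the key type a container record advertises."""
    if not record["valid"]:
        return "EMPTY"
    if record["keyexchange_bits"]:
        return "AT_KEYEXCHANGE"  # the type the thread says logon requires
    if record["sig_bits"]:
        return "AT_SIGNATURE"
    return "NO_KEY"

def make_record(name, flags, sig_bits, kx_bits):
    """Build a constructed sample record (test data, not read from a card)."""
    return RECORD.pack(name.encode("utf-16-le"), flags, 0, sig_bits, kx_bits)

# Constructed sample: container 0 models a signature-only key,
# container 1 a key-exchange key, container 2 is unused.
SAMPLE = (make_record("sample-container-0", VALID_CONTAINER, 2048, 0)
          + make_record("sample-container-1", VALID_CONTAINER | DEFAULT_CONTAINER, 0, 2048)
          + make_record("", 0, 0, 0))

if __name__ == "__main__":
    for rec in parse_cmap(SAMPLE):
        print(rec["index"], rec["name"] or "-", key_spec(rec))
```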

Re: GIDS APP - Windows 10 smart card login

Posted: Fri Jan 04, 2019 6:59 am
by vletoux
You can manually add any kind of RSA certificate to an Active Directory.
This operation is called "explicit mapping" (as opposed to "UPN mapping").

You have to alter the policy of the computer having access to the smart card to show the certificate.
Then associate the certificate to the user account using a special attribute.

The procedure is described here:
http://download.mysmartlogon.com/SmartP ... cation.pdf