GIDS APP - Windows 10 smart card login
I installed the cap file on a JCOP242R3 card and personalized certificates to the card. I used OpenSC-0.18.0-win64_vs12-Release.msi, and in the command prompt I issued these commands:
gids-tool.exe -X --pin 1234 --serial-number 00000000000000000000000000000000
and after
pkcs15-init --auth-id 80 --pin 1234 --verify-pin -f PKCS12 --passphrase password -S private_cert.pfx
and everything passes OK.
The Certutil -scInfo command works as expected. I can sign a Word document.
But what I cannot do is use this card for Windows smart card logon. The private keys are from another card which works for smart card logon. The error message is "No valid certificates were found on this smart card".
My question: can the GidsApp applet installed on the card be used for Windows smart card logon (Active Directory) or not?
Last edited by cdorde on Fri Sep 07, 2018 4:31 am, edited 1 time in total.
Re: GIDS APP - Windows 10 smart card login
Just to answer myself:
GIDS applet CAN be used for Active Directory based smart card login.
My mistake was that the personalisation of the pfx file to the card must contain a key-usage directive. As stated in the Windows documentation, the key used for smart card login must be of type AT_KEYEXCHANGE. Because I use OpenSC gids-tool.exe for personalisation of keys to the card, the command must look like:
pkcs15-init --auth-id 80 --pin 1234 --verify-pin -f PKCS12 --passphrase password -S private_cert.pfx --key-usage=decrypt
"decrypt" in the OpenSC world is the same as AT_KEYEXCHANGE in the Microsoft world.
I can use the same key for signing in Word.
I hope that this explanation will help somebody else ...
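One way to confirm which key spec Windows reports for the card's certificate after personalisation, as an added example that is not part of the original posts. It assumes Windows PowerShell 5.1, the card inserted, and the certificate already propagated to the current user's store; the variable and column names are illustrative.

```powershell
# Added example: report the CryptoAPI key spec of every certificate in the
# current user's store that has a private key.
# Assumptions: Windows PowerShell 5.1, card inserted, certificates already
# propagated to Cert:\CurrentUser\My.
$results = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    if (-not $cert.HasPrivateKey) { continue }
    $row = [ordered]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        Provider      = $null
        OnHardware    = $null
        KeySpec       = 'unknown'
        IsKeyExchange = $false
    }
    try {
        # For CryptoAPI (CSP) keys this returns an RSACryptoServiceProvider.
        $key = $cert.PrivateKey
        if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
            $info = $key.CspKeyContainerInfo
            $row.Provider   = $info.ProviderName
            $row.OnHardware = $info.HardwareDevice
            # KeyNumber: Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
            $row.IsKeyExchange = ($info.KeyNumber -eq 'Exchange')
            $row.KeySpec = if ($row.IsKeyExchange) { 'AT_KEYEXCHANGE' } else { 'AT_SIGNATURE' }
        }
    } catch {
        # CNG-only keys and absent cards end up here; the key spec cannot
        # be read through this API in that case.
        $row.KeySpec = "unreadable: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}
$results | Format-Table Subject, Provider, OnHardware, KeySpec, IsKeyExchange -AutoSize
```

A certificate imported without --key-usage=decrypt, as in the first post, would be expected to show AT_SIGNATURE here, while the working one shows AT_KEYEXCHANGE.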
Re: GIDS APP - Windows 10 smart card login
You can manually add any kind of RSA certificate to an Active Directory.
The operation is called "explicit mapping" (as opposed to "UPN mapping").
You have to alter the policy of the computer accessing the smart card to show the certificate.
Then associate the certificate with the user account using a special attribute.
The procedure is described here:
http://download.mysmartlogon.com/SmartP ... cation.pdf