Dave W (Guest)
Posted: Tue Jan 18, 2005 2:55 am
Post subject: Smart Card Web Enrolment Problem
I wish to issue a client authentication certificate onto a smart card for
EAP-TLS VPN authentication purposes.
I have created a certificate template (using Authenticated Session as a
base) and specified the appropriate smart card CSP - I have deliberately
chosen a template that does not include the smart card logon key usage right.
However, this certificate template (once published to the CA) is not
available via the web enrolment page - if I add the smartcard logon key usage
it does appear. Appropriate ACLs are set on the template.
I don't want to include the smart card logon usage as this won't be used, I
anticipate a further requirement to issue email signing and encryption
certificates onto a smart card in the future and I don't think that it is
very elegant to include the smart card logon usage role in each certificate
template.
I am guessing that the web enrolment page is somewhere restricting the list
of templates that are presented, but I would like to know if this can be
relaxed. Does anyone have any information on how this can be configured?
I am using Win2K3 CA and using XP with IE 6.
Regards,
Dave

Steven L Umbach (Guest)
Posted: Sun Jan 23, 2005 2:37 am
Post subject: Re: Smart Card Web Enrolment Problem
From what I understand if you are not using smart card logon for the VPN
then the user certificate will be expected to be in the user store on the
computer anyway. However what you could try is to make a copy of the smart
card logon template and in extensions - application policies remove smart
card logon and leave client authentication. --- Steve
"Dave W" <DaveW@discussions.microsoft.com> wrote in message
news:1A83195F-F214-402D-A685-E1CC5150EF66@microsoft.com...
Quote:
I wish to issue a client authentication certificate onto a smart card for
EAP-TLS VPN authentication purposes.
I have created a certificate template (using Authenticated Session as a
base) and specified the appropriate smart card CSP - I have deliberately
chosen a template that does not include the smart card logon key usage right.
However, this certificate template (once published to the CA) is not
available via the web enrolment page - if I add the smartcard logon key usage
it does appear. Appropriate ACLs are set on the template.
I don't want to include the smart card logon usage as this won't be used, I
anticipate a further requirement to issue email signing and encryption
certificates onto a smart card in the future and I don't think that it is
very elegant to include the smart card logon usage role in each certificate
template.
I am guessing that the web enrolment page is somewhere restricting the list
of templates that are presented, but I would like to know if this can be
relaxed. Does anyone have any information on how this can be configured?
I am using Win2K3 CA and using XP with IE 6.
Regards,
Dave