Making a Windows smartcard login certificate with OpenSSL.

I use OpenSSL for testing certificate-related things all the time. Using its test clients as an administrative tool can require contortions sometimes, but it's a very useful thing to have in my toolbox.

Today I needed to throw together a certificate for Windows smartcard login. A valid Windows Smart Card Logon certificate has the following attributes:

  1. Is issued by a CA that is trusted as an Enterprise CA
  2. Is issued by a CA that has the “Smartcard Logon” EKU (
  3. Has the “Smartcard Logon” EKU
  4. Has the “Digital Signature” “Key Usage”
  5. Has the principal name of the subscriber in the SubjectAltName extension as a UPN (

With that background, how does one do this in OpenSSL? Let's focus on the last three (3, 4, 5), since they are about the subscriber certificate.

To create this certificate you would add an OpenSSL config section that looks something like this:

[ v3_logon_cert ]
# Typical end-user certificate profile
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = @customerca_aia
subjectAltName = otherName:msUPN;UTF8:[email protected], email:[email protected]



There are a few other “reference” sections as well; you can find the INF file I used these additions with in my script for testing Qualified Subordination.

Hope this helps you too,


4 thoughts on “Making a Windows smartcard login certificate with OpenSSL.”

  1. rmhrisk Post author

    From Erwann :

    For more clarity, I’d replace the “” by “msSmartcardLogin” in the extendedKeyUsage list, and the “” by “msUPN” in the subjectAltName declaration.

    I also usually write the subjectAltName like this:
    subjectAltName = otherName:msUPN;UTF8:$ENV::UPN, email:$ENV::UPN

    Before calling the certificate creation script, just add an environment variable named UPN.
    The main drawback I found is that when the config file is loaded, even if the section containing the extension isn’t used (v3_logon_cert here), the $ENV::UPN is evaluated and must not fail, therefore the UPN environment variable MUST exist (just set a dummy value).

  2. rmhrisk Post author

    Based on Erwann’s comment, I used the two variables instead of the explicit OIDs; I did not know OpenSSL had these configured. I did not include the $ENV approach as my script isn't doing this uniformly at this time.

  3. Gabi


    I want to create a self signed certificate with openssl and contain the principal name(

    Using the steps from here it fails to accept the certificate on my apache server. It fails with
    Certificate Verification: Error (18): self signed certificate
    SL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

    Any suggestions?

