I use OpenSSL for testing certificate related stuff all the time, while using its test clients as a administrative tool can require contortions sometimes it’s very useful thing to have in my toolbox.
Today I needed to throw together a certificate for Windows smartcard login, a valid Windows Smart Card Login certificate has the following attributes:
- Is issued by an CA that is trusted as an Enterprise CA
- Is issued by a CA that has the “Smartcard Logon” EKU (126.96.36.199.4.1.3188.8.131.52)
- Has the “Smartcard Logon” EKU
- Has the “Digital Signature” “Key Usage”
- Has the principal name of the subscriber in the SubjectAltName extension as a UPN (184.108.40.206.4.1.3220.127.116.11)
With that background how does one do this in OpenSSL? Well lets focus on the last 3 (3,4,5) as they are about the subscriber certificate.
To create this certificate you would create an OpenSSL section that looks something like this:
[ v3_logon_cert ]
# Typical end-user certificate profile
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = @customerca_aia
There are a few other “reference” sections you can find the INF file I used these additions with in my script for testing Qualified Subordination.
Hope this helps you too,