I use OpenSSL for testing certificate-related stuff all the time; while using its test clients as an administrative tool can require contortions, it’s a very useful thing to have in my toolbox.
Today I needed to throw together a certificate for Windows smart card logon. A valid Windows Smart Card Logon certificate has the following attributes:
- Is issued by a CA that is trusted as an Enterprise CA
- Is issued by a CA that has the “Smartcard Logon” EKU (1.3.6.1.4.1.311.20.2.2)
- Has the “Smartcard Logon” EKU
- Has “Digital Signature” in its Key Usage extension
- Has the principal name of the subscriber in the SubjectAltName extension as a UPN (1.3.6.1.4.1.311.20.2.3)
With that background, how does one do this in OpenSSL? Let’s focus on the last three (3, 4 and 5), as they are about the subscriber certificate.
To create this certificate you would add an OpenSSL config section that looks something like this:
[ v3_logon_cert ]
# Typical end-user certificate profile
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# msSmartcardLogin is OpenSSL's short name for the Smartcard Logon EKU (1.3.6.1.4.1.311.20.2.2)
extendedKeyUsage = critical, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# @customerca_aia and @rootca_polsect are reference sections defined elsewhere in the same INF file
authorityInfoAccess = @customerca_aia
# msUPN is OpenSSL's short name for the UPN otherName (1.3.6.1.4.1.311.20.2.3); the value is a UTF8String
subjectAltName = otherName:msUPN;UTF8:[email protected], email:[email protected]
certificatePolicies = ia5org, @rootca_polsect
There are a few other “reference” sections; you can find the INF file I used these additions with in my script for testing Qualified Subordination.
Hope this helps you too,
Ryan