Automatic Smart Card Certificate Renewal

Similar Messages

• How to include the user as a recipient of the email generated when a smart card certificate is issued by an Enrollment Agent on behalf of a user.

  How can I add the requester name in the To: field of the email generated when a Smart Card certificate is issued on his behalf.
  I want to address the possibility of someone (Enrollment Agent) issuing a Smart Card certificate on behalf of a user, assign a PIN and use it without the user's knowledge.
  There doesn't seem to be a way in the registry to define a variable to be used in a manner similar to the TitleArg & TitleFormat way of using %1.
  Jamal Saket OSFI Canada

  Hi,
  Thank you for your question.  
  I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 
  Thank you for your understanding and support.
  TechNet Subscriber Support
  If you are
  TechNet Subscription
  user and have any feedback on our support quality, please send your feedback
  here.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Importing smart card certificates

  Has anyone run into any issues similar, where you cannot import the smart card certificates into the BlackBerry?
  Users have T-Mobile 8700g and the RIM Bluetooth smart card reader.
  We are able to pair the BB and the Reader.
  But we are stuck at the point where we import the user's smart card certificates.  This is affecting multiple users.  Users who have already imported their smart card certificates are working fine.
  The error displayed on the BlackBerry is "Error communicating with the smart card".
  The display on the reader is either "On C" (v1.0 reader drivers/software) or "On I" (v1.5.1 reader drivers/software).
  We have tried wiping both the handheld and the reader and starting from scratch.  S/MIME and reader drivers are installed on the BlackBerry.
  We have tried using OS 4.1 and 4.2 on the 8700s.  As well as reader drivers/software v1.0 and 1.5.1.
  We have tested using different IT Policies, including completely unrestricted.
  Not sure if this problem is specific to this model.

  There's a new CAC version out. (144k).  Does anyone knows if there is a hotfix for the new version?  We are having problems getting the reader to recognize the new CAC.    When we try to sign a message on the blackberry, we keep getting the error message "Error Communicating with the Smart Card".  We searched on Google and we found this hotfix and installed. It didn't work. I assume it was for CAC 72k and not 144k.
  Below is what we're running
  Device:  Blackberry Bold 9000
  Applications:
   Blackberry v4.6
   Blackberry Smart Card Reader v4.2
  Any assistance will be appreciated.  Thank you.
  VV

• How to create a 802.1X Profile Using Smart Card Certificate

  My company has just implemented a new wireless network that requires users to use a USB Smart Card security device.
  This works fine for Windows, as the OS will allow the end user to configure more advanced authentication/authorization methods (802.1X, etc.) Unfortunately, OS X removed this functionality several versions back; 802.1X and advanced Wi-Fi configurations must now be handled by some sort of profile creation utility. Unfortunately, I've yet to find a utility (iPhone Configuration Utility, Apple Configurator) that will allow the creation of an 802.1X / Wireless Network Configuration that allows the use of a smart card for authentication. They all require that you actually upload the entire key-pair combo(?) in the form of a .p12 file. This is impossible with a smart card; by design you are not allowed to export the private key.
  I'm wondering if there is some way around this? Is it even an option? I know Mac OS will allow me to select "EAP-TLS" when configuring a new wireless network in System Preferences, then even allows me to select my certificate/identity from the Smart Card. Unfortunately, the network I'm trying to connect to doesn't support EAP-TLS/needs some additional configuration options/settings (EAP-TTLS for one).
  Any help/ideas would be greatly appreciated. Thanks!!

  Hello,
  exactly my topic I have been fighting now for months and already gave up.
  My setup is a Lion Server and a Lion WLAN client. My goal is to have the system profile 802.1x WLAN authentication up and running but I just don't get it working. First I tried to create a machine certificate (TLS) but this did not work. Then I tried the option to use Computer Object credentials (TTLS) (Open Directory Computer Object account credentials) to establish network connection before a user logs on but also this does't work.
  As said I'm using Lion Server with Open Directory and Lion Server Radius.
  Any help or guide appreciated!
  Robert

• Problem with CertificateRequest when using a smart card

  Hello,
  I have used the ssl debug statement to determine that ssl server is sending a CertificateRequest and a list of CAs. The smart card is opened via a password and I think X509KeyManagerImpl compares the Issuer of the smart card certificates with the server sent CAs. However since the issuer is an intermediate CA and only the root CA is in this list, the smartcard certificates are rejected. I CAN'T have the intermediate CA place in the ssl server list.
  Using SSLConnect (KeyManager, X509TrustManager, null). The KeyManager is using NSS and the TrustManager is using opensc-pkcs11 via SunPKCS11. The OS is Linux, kernel 2.6.35.10-74.fc14.i686.
  The intermediate CA is in the local cert store.
  The application being used is DavMail.
  Am I correct in stating that the the smart card certificates are checked against the server sent CAs?
  Does anyone know how to get Java to use he local cert store to find the intermediate CA and then verify it against the Root CA in the server sent list?

  Placed in wrong forum. Moved it to Security Java Secure Socket Extension (JSSE)

• ISE 802.1x EAP-TLS machine and smart card authentication

  I suspect I know the answer to this, but thought that I would throw it out there anway...
  With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

  Hope this video link will help you
  http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

• Windows 7 Smart Card Logon

  Hi,
  Testing PKI with Windows 7 x64 under a (otherwise) working public key infrastructure (Windows 2008 CA) using Smart Card certificates based on V2 templates. I've enrolled an AD user successfully with a smartcard and validating the cert it looks all ok (via certutil -scinfo). For all intents and purposes the smart card appears ok but when I try to logon with the user and the smartcard inserted in the machine, I get the following error message:
  "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
  Kind of weird message :-/ The smart card reader is in-built on a Dell E6400 ATG... the smart card itself is a Gemalto .NET based card. I've validated that the cert is correctly written to the card via the netsolutions site at Gemalto ... Windows 7 reads the smart card and the user ID correctly from the GUI Logon screen ... it's only when I enter the PIN and it attempts to logon do I get the above message....
  Is there anything "special" I need to do in Windows 7 or in group policy to enable smart card support?? This has worked fine in the past on XP....
  Both the smart card service and the certificate propogation service are running...
  Regards,
  Mylo

  Stigh,
  OK..... I've got it working with Windows 7 on the 6400 together with the Mobile Internet Broadband using domain-based interactive logon.... so the pressures off at least at this end :-)
  "I actually disagree."
  I can see you're healthy motivated to fix the problem.. which is good :-)
  "As long as there is a EKU in the certificate, it should work for local logon."
  Agreed (kind of).. although in your case the common name (the username) is the key identifier for logon purposes..  a UPN in this case is moot as there is no domain to speak of.... I'm assuming the Smart Card Login OID is present in your certificate template together with Client Authentication, and that the purpose is set to "Signature and Smartcard Logon".. I'm working with V2 templates at the mo...
  "In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain paramters. I need to read more on those.
  In my case I haven't tweaked any settings via GPO... to resolve the problem described earlier I ended adding the AMT HECI driver for the chipset and the Broadcom drivers from the Connection Manager packs.... I suspect it was the latter that was the problem. Again I haven't installed any Dell Connection Manager software so I'm relying purely on drivers.
  "Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto.NET card is purchased from a local store"
  The Gemalto drivers from Windows 7 RTM worked ok for me.
  "The reason for using the laptop as stand alone outside domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain.
  OK, but here's where I disagree :-) .. the machine in question will need to connect back to your Enterprise CA certificate distribution point (CDP) to check that the certificate is valid. That's part of basic PKI functionality to ensure certificates are valid. In your case, you'll need an HTTP-based CDP reachable from the local machine, i.e. reachable over a LAN or over the Internet from the "stand-alone" machine, as default LDAP CDP's are meaningless as your client is not domain-joined. Otherwise, you'll need to turn off certificate revokation on the local machine completely, which is diluting security even further. 
  "Its only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails."
  I was slight confused here.. so you don't intend to use the smartcard for local logon? If this is the case this is a workable scenario. You can use a smartcard from a non-domain joined machine to connect for RDP logon. S/MIME is also possible from Outlook, but YMMV as you may run into trust issues when sending encrypted mails to parties that don't trust your CA. Again, bear in mind the comments made earlier about the CDP... the "stand-alone" machine will still need to "connect" back to the CA to access the CDP/AIA, plus you'll have to do certificate renewals etc.
  On a parting note, you need to be clear about why you really need to use smart cards (in this scenario). You're working outside the normal working conventions of Windows with a non-domain joined machine and the pay-off in this case is negligible. I'm not trying to dissuade you from continuing but it's likely to be an uphill struggle.
  Good luck and post back if you want to discuss further!
  Regards,
  Mylo

• UAG smart card authentication plus kcdauthentication true

  Hi
  I have already setup smart card certificate authentication to UAG portal. I'm using certificate's field Subject Alternative Name and RFC822 Name to read UPN information. It says 'RFC822
  Name=[email protected]'. That information i'm comparing to AD account's mail attribute. Authentication works ok.
  In Active Directory, samaccount is created from UPN's first part: firstname.lastname. So far i have been able to use kcdauthentication and create valid kerberos ticket which is acceptable for delegation.
  Customer changed their samaccoun to a different form. KCD does not work anymore. I've tried to use regkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\KCDUseUPN,1. It does not work.
  I have no idea how to change from inc files that do not use samaccount but instead us UPN. UPN matches mail.
  Any ideas ?
  thanks in advance :)
  br -teemu

  Below Article might not give you direct answer.
  But, you may get an excellent idea on how to play around with INC files for your scenario.
  http://social.technet.microsoft.com/wiki/contents/articles/17031.how-to-get-client-certificate-authentication-working-on-a-uag-2010-portal.aspx
  Please let us know, how it goes. :)

• Windows smart card logon and kdc certificate (2008R2)

  dear, 
  we are trying to implement a smartcard logon on 2008r2 dc and ca. Environment:
  Domain controller - windows server 2008 R2
  CA - windows server 2008 R2
  testing server - windows server 2008 R2
  when using smartcard logon, a message pops up "The system could not log you on. You cannot use a smart card to log on because smart
  card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization.".
  The domain controller has an error message : "Event 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate",
  when using "net stop kdc && net start kdc" there is a warning : "event 29 : The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card
  logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."
  There were 2 dead CAs in the environment, we deleted them manually by following the instructions in http://support.microsoft.com/kb/555151;
  We tried to renew the domain controller certification with the instructions in http://technet.microsoft.com/en-us/library/cc734096.aspx；http://technet.microsoft.com/en-us/library/cc733944(v=ws.10).aspx,
  the result of "certutil -dcinfo verify" seemed to be correct, but the event 19 and 29 are still there. 
  How could we resolve this problem? Thanks in advance 
  The output of "certutil -dcinfo verify" is :
  0: CTXDC
  *** Testing DC[0]: CTXDC
  **  Enterprise Root Certificates for DC CTXDC 
  Certificate 0:
  Serial Number: 781902753c5627b64bd4e45c38b648df
  Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
   NotBefore: 2013/4/11 11:57
   NotAfter: 2018/4/11 12:07
  Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
  Certificate Template Name: CA
  CA Version: V0.0
  Signature matches Public Key
  Root Certificate: Subject matches Issuer
  Template: CA, Root Certification Authority
  Cert Hash(sha1): 24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
  **  KDC certificate for DC
  CTXDC 
  certificate 0:
  Serial Number: 611648d2000000000030
  Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
   NotBefore: 2013/4/21 12:05
   NotAfter: 2014/4/21 12:05
  Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
  Certificate Template Name: DomainController
  Non-root Certificate
  template: DomainController, domain controller
  Cert Hash(sha1): e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
  dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  Application[0] = 1.3.6.1.5.5.7.3.1
  Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2
  Client Authentication
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_NT_AUTH
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
  CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    NotBefore: 2013/4/21 12:05
    NotAfter: 2014/4/21 12:05
    Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
    Serial: 611648d2000000000030
    SubjectAltName: Other Name:DS object GUID=04 10 f1 68 15 d4 e6 4a 8c 40 80 c6 15 16 1d 26 49 4d, DNS Name=CTXDC.demo2.internal.jiean-technologies.lan
    Template: DomainController
    e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      CRL 54:
      Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
      52 95 06 73 26 3a 6a 22 a3 6f d7 6e b2 f3 4c 3d 02 9b 7e 54
      Delta CRL 55:
      Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
      8c c0 97 5e a3 13 9d a1 5c a2 c1 86 e8 65 ff b0 8b ea f4 a3
    Application[0] = 1.3.6.1.5.5.7.3.2
  Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1
  Client Authentication
  CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    NotBefore: 2013/4/11 11:57
    NotAfter: 2018/4/11 12:07
    Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    Serial: 781902753c5627b64bd4e45c38b648df
    Template: CA
    24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Exclude leaf cert:
    33 0e 29 2d 44 b0 f9 5d a8 7d 03 26 52 e0 cf 00 4c bf 66 2d
  Full chain:
    04 60 4a 63 ea 44 36 5a 8a 3e 43 b5 23 2a ee 8e a6 05 16 3b
  Verified Issuance Policies: None
  Verified Application Policies:
      1.3.6.1.5.5.7.3.2
  Server Authentication
      1.3.6.1.5.5.7.3.1
  Client Authentication
  1 KDC certs for CTXDC
  CertUtil: -DCInfo command completed successfully.

  The KDC certificate must be good for "SmartCard logon" purpose. It is currently not.
  I you do not use smartcards, do not worry.

• KDC Event ID 29 - The KDC cannot find a suitable certificate to use for smart card logons...

  I am getting the event (below) every day on a new 2008 domain controller that I brought up recently. The DC has a domain controller certificate, that was automatically issued by an online enterprise CA. This CA is located in another domain (child domain) within the same forest. The 2008 DC is in the top-lvel domain.  None of the other domain controllers , which are 2003, are reporting this message. I ran certutil.exe, and it successfully verifies all domain controller certificates, including the certificate on my new 2008 DC. Any ideas why these messages continue to appear?
  The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

  Hi,
  I have checked the file. Here is my findings:
  1.    The computer name of the domain controllers are different in this dcinfo.txt file. There is no Swampoak. I would like to confirm which one is Windows Server 2008 domain controller.
  2.    The domain controller Buckeye and Madrone both have 2 KDC certificates, one is expired and the other one is valid:
  *** Testing DC[0]: MADRONE
  ** KDC Certificates for DC MADRONE
  Certificate 0:  -à Valid
  Serial Number: 116bbdd90000000000b6
  Issuer: ***
  NotBefore: 12/15/2008 2:28 AM
  NotAfter: 12/15/2009 2:28 AM
  Subject: CN=madrone.****
  Certificate Template Name (Certificate Type): DomainController
  Non-root Certificate
  Template: DomainController, Domain Controller
  Certificate 1:   --à Expired
  Serial Number: 15c2f00b000000000028
  Issuer: ****
  NotBefore: 3/9/2007 3:05 PM
  NotAfter: 3/8/2008 3:05 PM
  Subject: EMPTY (DNS Name=madrone.****)
  Non-root Certificate
  Template: DomainControllerAuthentication, Domain Controller Authentication
  *** Testing DC[1]: BUCKEYE
  ** KDC Certificates for DC BUCKEYE
  Certificate 0:  -à Expired
  Serial Number: 15c4ddc2000000000029
  Issuer: *****
  NotBefore: 3/9/2007 3:07 PM
  NotAfter: 3/8/2008 3:07 PM
  Subject: EMPTY (DNS Name=buckeye.****)
  Non-root Certificate
  Template: DomainControllerAuthentication, Domain Controller Authentication
  Certificate 1: -à Valid
  Serial Number: 115f34ec0000000000b4
  Issuer: ****
  NotBefore: 12/15/2008 2:15 AM
  NotAfter: 12/15/2009 2:15 AM
  Subject: CN=buckeye.****
  Certificate Template Name (Certificate Type): DomainController
  Non-root Certificate
  Template: DomainController, Domain Controller
  Suggestion:
  1.    Please delete the expired certificate and then reboot the domain controller and test the issue again.
  2.    If the issue persists, please request a new Domain Controller Authentication certificate on the domian controller and check the result.

• Problem signing certificates from external token (smart card)

  I can not sign PDF documents with an external token (smart card) through a card reader of a Cherry keyboard.
  The card drivers perfectly detect the card and certificates in it, however when trying to sign a certificate in Adobe and select the location of the certificate click in the option "A device attached to this computer" ... I get an error indicating that no device is connected to the computer appears.
  I have tried several different card readers, it seems a problem of drives because the middleware card recognizes all tested certificates readers, however it seems that Adobe is not able to find the card reader. It has happened with several teams. In one team made a clone and deploy it to another machine with the same hardware environment, the firm run properly in the pdf that clone, however on the original computer is not working.
  You have any idea what could be the problem? Thank you very much in advance.

  If the digital ID's corresponding public-key certificate is not getting added to either the Windows Certificate Store, or Mac Keychain Access when you plug the card into the card reader, then you need to load the PKCS#11 module via the Acrobat UI. The module will be a DLL on Windows or a bundle file on the Mac. The problem is there is no one file name to look for, you would need to consult the hardware's documentation to find the name of the file. Once you know the name you can add the P11 module from the Security Settings dialog and then Acrobat will then see the digital ID(s) loaded on the smart card.
  Steve

• Generate certificates valid for smart card (Windows logon) with third party PKI (not Microsoft)

  Hello everyone
  today I am working on a mounted on a Red Hat Enterprise PKI
  Linux Server release 5.5 (Tikanga) is Easycert 5.2.2.15. We need to know what are the necessary data that we have to go to the PKI so it can generate certificates of users in Active Directory for use with a USB Token (ACOS5-64 CHIP CRYPTO) functioning as Smart
  Card to make the login of users on computers.
  On the other hand also we need to know the necessary settings between the third party pki and the domains controllers (Windows 2012).
  Greetings and I hope for you response.
  TechCach

  > It is for Windows 2012.
  nothing changed since Windows Server 2003. Here is a KB article:
  http://support2.microsoft.com/kb/281245
  > Is
  the
  scenario
  supported
  by
  microsoft?
  yes, of course. See KB article above.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Connect smart card reader over usb and access digital signature certificate

  Hi,
  I got digital signature certificate stored in a smart card.I places smart card into card reader and plugged usb port of server.
  I can see card reader in windows environment.My problem is to connect card reader and access digital signature certificate using java code.
  I thinh it needs javax.smartcardio but i did not find necessary jar file for jdk 1.5.xx.
  1- Where can i download jar fiel for javax.smartcardio for jdk 1.5.xx
  2- Is there a blog or forum thread to help me to use smart card over usb?
  Thanks.

  One of the beauty of Java is that when the Java VM does not let you do something (here: accessing a Smart Card), there is no way that a purely Java solution will add this functionality.
  Hence, what you ask simply can not be done in pure Java (1.)5. Some machine-specific non-java code is required. And you did not specify your target.
  Unless a jar file could contain machine-specific code (I don't know if this is the case, and I never made one such jar file), there seems to be no way a jar file could help.

• PKI Certificates on smart cards.

  Hi techies,
  I am a Smart card operating system developer.
  I m working on a PKI OS project.
  and i m stuck while implementing the verify certificate command.
  Well currently the issue i m facing is how to store certificates on smart card.
  i mean which file to use, which format to use, (may be x.509), which document is relevent for implementation point of view.
  could anybody help me out.
  Regards,
  Rishabh Agarwal

  Hi Polat,
  thanks for reply as i thought i wont have any reply.
  well I am talking about a native card not a java card but i think it doesnt make any diffrence as at application level both are same. (diffrent at implementation level not application level)
  so here i got some clue after searching meterial and brainstorming... we need to read following documents
  1) PKCS#1 v2.1
  2) PKCS#15
  3) PKCS#7 (may be, as i havent gone through it yet)
  I am almost ready with my OS for native card and have tested some its features except related to certificate...
  Now i want to test it with some CSP application i dont know how will it go... i m trying to get some demo CSP code in which i can change and test my card by integrating it to some windows aplications.
  if you have any clue about abovementioned then pls let me know..
  and please ask if you need any help from my side
  Regards
  Rishabh Agarwal

• Certificates and smart cards

  Is it possible to store a certificate on a smart card using Java card technology? All I want to do is write the bytes to the card and read the bytes from it. I don't want anything per sey to execute on the card. Is this possible?

  Yes, you can operate any javacard like normal smart card. That means you don't identify javacard from its aspect at all because javacard transmit/accept APDU/response as same as non-javacard.
  No doubt to contact me if you have any question: [email protected]
  Chen Song
  P.R.China