PKI Certificates on smart cards.

Hi techies,
I am a smart card operating system developer.
I'm working on a PKI OS project,
and I'm stuck while implementing the verify certificate command.
Well, currently the issue I'm facing is how to store certificates on a smart card.
I mean which file to use, which format to use (maybe X.509), and which document is relevant from an implementation point of view.
Could anybody help me out?
Regards,
Rishabh Agarwal

Hi Polat,
Thanks for the reply, as I thought I wouldn't get any.
Well, I am talking about a native card, not a Java Card, but I think it doesn't make any difference, as at the application level both are the same (different at the implementation level, not the application level).
So here I got some clue after searching material and brainstorming... we need to read the following documents:
1) PKCS#1 v2.1
2) PKCS#15
3) PKCS#7 (maybe, as I haven't gone through it yet)
I am almost ready with my OS for the native card and have tested some of its features, except those related to certificates...
Now I want to test it with some CSP application; I don't know how it will go... I'm trying to get some demo CSP code which I can change and use to test my card by integrating it with some Windows applications.
If you have any clue about the above-mentioned then please let me know,
and please ask if you need any help from my side.
Regards
Rishabh Agarwal
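An added example (not code from this thread or from any card OS) of the work a verify-certificate command has to do once an X.509 certificate in DER form sits on the card: split the outer Certificate SEQUENCE into tbsCertificate, signatureAlgorithm and signatureValue, and check the RSASSA-PKCS1-v1_5 signature from PKCS#1 v2.1 over the raw tbsCertificate bytes with the issuer's public key. The CA key (built from two public Mersenne primes), the reduced tbsCertificate (serial plus subject only) and all function names are constructed for the demo; the DER parser handles long-form lengths, so verify_certificate also accepts a real sha256WithRSAEncryption certificate when given the issuer's RSA modulus and exponent.

```python
import hashlib
import hmac

def der_len(n):
    # DER length: short form below 128, long form (0x80 | byte count, then the bytes) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # (bit_length + 8) // 8 keeps a leading 0x00 when the top bit is set (v >= 0 only)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; rejects non-DER lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def children(seq_value):
    out, pos = [], 0                        # (tag, value) elements of a SEQUENCE value
    while pos < len(seq_value):
        tag, val, pos = parse_tlv(seq_value, pos)
        out.append((tag, val))
    return out

# RSASSA-PKCS1-v1_5 with SHA-256 (PKCS#1 v2.1, section 8.2): the DigestInfo prefix and the
# DER-encoded sha256WithRSAEncryption OID (1.2.840.113549.1.1.11)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SHA256_WITH_RSA = bytes.fromhex("06092a864886f70d01010b")

def emsa_pkcs1_v15(message, em_len):
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rsa_sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(message, sig, n, e):
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Re-encode and compare the whole block rather than parsing the padding; constant-time compare
    return hmac.compare_digest(em, emsa_pkcs1_v15(message, k))

def build_certificate(serial, subject, ca_n, ca_d):
    # Test fixture: SEQUENCE { tbsCertificate (serial + UTF8String subject), signatureAlgorithm, signatureValue }
    tbs = tlv(0x30, der_int(serial) + tlv(0x0C, subject.encode()))
    sig_alg = tlv(0x30, SHA256_WITH_RSA + tlv(0x05, b""))         # NULL parameters
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + rsa_sign(tbs, ca_n, ca_d)))

def verify_certificate(cert_der, ca_n, ca_e):
    """Card-side VERIFY CERTIFICATE on a DER blob: split the outer SEQUENCE, insist on the expected
    algorithm, and verify the signature over the *raw* tbsCertificate TLV (tag and length included)."""
    try:
        tag, body, end = parse_tlv(cert_der)
        if tag != 0x30 or end != len(cert_der):
            return False                                       # trailing bytes are not DER
        (tbs_tag, tbs_val), (alg_tag, alg_val), (sig_tag, sig_val) = children(body)
        if tbs_tag != 0x30 or alg_tag != 0x30 or sig_tag != 0x03 or sig_val[:1] != b"\x00":
            return False
        alg = children(alg_val)
        if not alg or tlv(alg[0][0], alg[0][1]) != SHA256_WITH_RSA:
            return False                                       # no algorithm substitution
        return rsa_verify(tlv(tbs_tag, tbs_val), sig_val[1:], ca_n, ca_e)
    except (ValueError, IndexError):        # malformed encoding, or not exactly three elements
        return False

# Constructed demo CA key from two Mersenne primes: the factors are public, demo use only
P, Q = (1 << 521) - 1, (1 << 607) - 1
CA_N, CA_E = P * Q, 65537
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))

def demo():
    cert = build_certificate(0x1001, "CN=card-holder-demo", CA_N, CA_D)
    tampered = bytearray(cert)
    tampered[cert.index(b"CN=card-holder-demo")] ^= 0x01         # one bit inside tbsCertificate
    return {
        "genuine": verify_certificate(cert, CA_N, CA_E),
        "tampered_tbs": verify_certificate(bytes(tampered), CA_N, CA_E),
        "wrong_issuer_key": verify_certificate(cert, CA_N, 3),  # different public exponent
        "truncated": verify_certificate(cert[:-5], CA_N, CA_E),
    }
```

Two design points carry over to a real card implementation: the signature covers the complete tbsCertificate TLV, header bytes included, so the card must hand the verifier the original bytes rather than a re-assembled copy; and the verifier rebuilds the expected PKCS#1 v1.5 block and compares it whole instead of scanning the padding, which is the part of the thread's PKCS#1 v2.1 reading that most often goes wrong. Which elementary file holds the certificate on the card is a PKCS#15 question the example does not touch.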

Similar Messages

  • Certificates and smart cards

    Is it possible to store a certificate on a smart card using Java Card technology? All I want to do is write the bytes to the card and read the bytes from it. I don't want anything per se to execute on the card. Is this possible?

    Yes, you can operate any Java Card like a normal smart card. That means you can't tell a Java Card apart from its outward behaviour at all, because a Java Card transmits/accepts APDUs/responses the same as a non-Java Card.
    Don't hesitate to contact me if you have any question: [email protected]
    Chen Song
    P.R.China

  • Problem Signing Email with Digital Certificate from Smart Card, Outlook 2013

    Hi there, I'm the IT guy for a small company. I've configured several people in the company to use their smart cards for email signing through Outlook 2013, but a few computers are giving me this error:
    "Microsoft Outlook cannot sign or encrypt this message because there are no certificates which can be used to send from the e-mail address '<e-mail address>'. Either get a new digital ID to use with this account, or use the Accounts button to
    send the message using an account that you have certificates for."
    I've been in the Trust Center, I see the signing and encrypting certificates. (SHA-1 and 3DES).  Yet when I try to sign, Outlook always fails on the error.
    For my computer, I was able to fix this by adding a "SupressNameChecks" DWORD set to 1 in the Registry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook.  However, this fix is not working for the other people in the company.
    Any other ideas?  Really pulling my hair out on this one, I've tried everything I could find on the net it seems.

    Hi,
    Please check “E-mail name” under the section “Include this information in alternate subject name” on the Subject Name tab of the certificate template.
    We can export the Entrust managed services root CA cert from a working machine and import it into the trusted root store of a non-working machine. For detailed steps, please refer to:
    How To Import and Export Certificates So That You Can Use S/MIME in Outlook Web Access on Multiple Computers
    http://support.microsoft.com/kb/823503/en-us
    Hope it helps.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Problem in accessing 2 certificates in smart card using Sun PKCS11 Provider

    I have stored 2 certificates in iKey. To access and use them in Java I am using the Sun PKCS11 Provider.
    The program is .
    1. keyStore.aliases() is returning 1 alias only (instead of 2).
    2. It throws the following error when accessing the private key using this
    code: PrivateKey pvt = keyStore.getKey(alias, null);
    Error Message Detail:
    "KeyStoreException: invalid KeyStore state: found 2 private keys sharing CKA_ID 0x00"
    at Sun .. P11KeyStore.getTokenObject(P11KeyStore.java:2135)
    at ...P11KeyStore.engineGetKey(P11KeyStore.java:292

    Did you look at this? Does it help you? Since no one has answered all day, and I will assume you searched for that error first, perhaps you could provide some more detail?
    http://forum.java.sun.com/thread.jspa?threadID=5195275&tstart=15
    Message was edited by: mdares

  • Smart card logon with third party CA combined with ADFS to Office 365

    Greetings,
    I've been trying to figure out how to implement ADFS to Office 365 in the MS cloud in our environment, with little luck. I have a working 2012 domain and we are already using smart card logon on Windows 7/8 workstations. Certificates on smart cards are issued by a
    3rd party CA. So far everything is fine and working: the necessary root certificates are added to Trusted Root Certification Authorities, UPN suffixes and users' UPNs are set according to the UPN on the certificates, and users successfully log on to
    workstations with smart cards.
    Now I face the requirement to enable SSO to Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that the user account name (UPN) in AD and in O365 need to match. Now the fact is that the account UPN in our AD is
    not usable in O365 (because it is set to match the 3rd party certificate UPN), and I have not found a way to enable smart card logon without changing the UPN in AD.
    Does anyone have experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?
    Best regards, and thanks in advance
    Timo

    On Fri, 25 Apr 2014 09:27:05 +0000, Timo Kallioniemi wrote:
    > Now I face the requirement to enable SSO to Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that the user account name (UPN) in AD and in O365 need to match. Now the fact is that the account UPN in our AD is not usable in O365 (because it is set to match the 3rd party certificate UPN), and I have not found a way to enable smart card logon without changing the UPN in AD.
    > Does anyone have experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?
    This is not a general Windows server security issue. You should post your
    question in an O365 support forum.
    http://community.office365.com/en-us/f/default.aspx
    Paul Adare - FIM CM MVP
    Technology is dominated by two types of people: Those who understand
    what they do not manage. Those who manage what they do not understand.
    -- Putt's Law

  • Generate certificates valid for smart card (Windows logon) with third party PKI (not Microsoft)

    Hello everyone
    Today I am working on a PKI mounted on Red Hat Enterprise Linux Server release 5.5 (Tikanga); it is Easycert 5.2.2.15. We need to know what data we have to provide to the PKI so it can generate certificates for users in Active Directory for use with a USB token (ACOS5-64 crypto chip) functioning as a smart
    card to log users on to computers.
    We also need to know the necessary settings between the third-party PKI and the domain controllers (Windows 2012).
    Greetings, and I hope for your response.
    TechCach

    > It is for Windows 2012.
    Nothing changed since Windows Server 2003. Here is a KB article:
    http://support2.microsoft.com/kb/281245
    > Is the scenario supported by Microsoft?
    Yes, of course. See the KB article above.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • Automatic Smart Card Certificate Renewal

    We have a problem where our Smart Card certificates are starting to expire but the automatic renewal process is failing.
    Is it actually possible to auto renew Smart Card certs without requiring any user input (other than the PIN)?
    There are two errors in the event log -
    Event ID:      16
    Description:
    Certificate enrollment for <domain>\<username> failed to renew a SmartcardLogon certificate with request ID N/A from <ca server name> (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)).
    Event ID:      6
    Automatic certificate enrollment for <domain>\<username> failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
    The certificate template is configured with all the correct permissions (Read,Enroll,AutoEnroll) and group policy is configured with the auto enrolment settings. 
    Thanks in advance.

    This may be caused by an incorrect certificate template configuration. In the Request Handling tab (IIRC), there are several radio buttons where you specify whether enrollment may ask for user input during enrollment or not. You need to allow user input during enrollment for smart card templates.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • How to include the user as a recipient of the email generated when a smart card certificate is issued by an Enrollment Agent on behalf of a user.

    How can I add the requester name in the To: field of the email generated when a Smart Card certificate is issued on his behalf.
    I want to address the possibility of someone (Enrollment Agent) issuing a Smart Card certificate on behalf of a user, assign a PIN and use it without the user's knowledge.
    There doesn't seem to be a way in the registry to define a variable to be used in a manner similar to the TitleArg & TitleFormat way of using %1.
    Jamal Saket OSFI Canada

    Hi,
    Thank you for your question.  
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 
    Thank you for your understanding and support.
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Error encountered while signing. Windows cryptographic service provider reported an error. Object not found. Error code:2148073489. Windows 7, Adobe Reader XI, Symantec PKI, Smart Card and CAC. I have seen other threads for this error but none have a reso

    Error encountered while signing. Windows cryptographic service provider reported an error. Object not found. Error code:2148073489. Windows 7, Adobe Reader XI, Symantec PKI, Smart Card and CAC. I have seen other threads for this error but none have a resolution. Any help would be appreciated.
    Sorry for the long title, first time poster here.

    This thread is pretty old, are you still having this issue?

  • Problem signing certificates from external token (smart card)

    I cannot sign PDF documents with an external token (smart card) through the card reader of a Cherry keyboard.
    The card drivers perfectly detect the card and the certificates in it; however, when trying to sign in Adobe and selecting the location of the certificate by clicking the option "A device attached to this computer"... an error appears indicating that no device is connected to the computer.
    I have tried several different card readers; it seems to be a driver problem, because the card middleware recognizes the certificates in all the readers tested, yet Adobe is not able to find the card reader. It has happened with several computers. On one computer I made a clone and deployed it to another machine with the same hardware environment; signing ran properly in the PDF on that clone, but on the original computer it is not working.
    Do you have any idea what the problem could be? Thank you very much in advance.

    If the digital ID's corresponding public-key certificate is not getting added to either the Windows Certificate Store, or Mac Keychain Access when you plug the card into the card reader, then you need to load the PKCS#11 module via the Acrobat UI. The module will be a DLL on Windows or a bundle file on the Mac. The problem is there is no one file name to look for; you would need to consult the hardware's documentation to find the name of the file. Once you know the name you can add the P11 module from the Security Settings dialog and then Acrobat will see the digital ID(s) loaded on the smart card.
    Steve

  • Importing smart card certificates

    Has anyone run into any issues similar, where you cannot import the smart card certificates into the BlackBerry?
    Users have T-Mobile 8700g and the RIM Bluetooth smart card reader.
    We are able to pair the BB and the Reader.
    But we are stuck at the point where we import the user's smart card certificates.  This is affecting multiple users.  Users who have already imported their smart card certificates are working fine.
    The error displayed on the BlackBerry is "Error communicating with the smart card".
    The display on the reader is either "On C" (v1.0 reader drivers/software) or "On I" (v1.5.1 reader drivers/software).
    We have tried wiping both the handheld and the reader and starting from scratch.  S/MIME and reader drivers are installed on the BlackBerry.
    We have tried using OS 4.1 and 4.2 on the 8700s.  As well as reader drivers/software v1.0 and 1.5.1.
    We have tested using different IT Policies, including completely unrestricted.
    Not sure if this problem is specific to this model.

    There's a new CAC version out (144k). Does anyone know if there is a hotfix for the new version? We are having problems getting the reader to recognize the new CAC. When we try to sign a message on the BlackBerry, we keep getting the error message "Error Communicating with the Smart Card". We searched on Google, found this hotfix and installed it. It didn't work. I assume it was for CAC 72k and not 144k.
    Below is what we're running
    Device:  Blackberry Bold 9000
    Applications:
     Blackberry v4.6
     Blackberry Smart Card Reader v4.2
    Any assistance will be appreciated.  Thank you.
    VV

  • Connect smart card reader over usb and access digital signature certificate

    Hi,
    I have a digital signature certificate stored in a smart card. I placed the smart card into a card reader and plugged it into a USB port of the server.
    I can see the card reader in the Windows environment. My problem is to connect to the card reader and access the digital signature certificate using Java code.
    I think it needs javax.smartcardio, but I did not find the necessary jar file for JDK 1.5.xx.
    1- Where can I download the jar file for javax.smartcardio for JDK 1.5.xx?
    2- Is there a blog or forum thread to help me use a smart card over USB?
    Thanks.

    One of the beauties of Java is that when the Java VM does not let you do something (here: accessing a smart card), there is no way that a purely Java solution will add this functionality.
    Hence, what you ask simply cannot be done in pure Java (1.)5. Some machine-specific non-Java code is required. And you did not specify your target.
    Unless a jar file could contain machine-specific code (I don't know if this is the case, and I never made one such jar file), there seems to be no way a jar file could help.

  • Anyconnect 4 - No valid certificates available. Please insert a smart card or install a valid certificate.

    Hi.
    I'm trying to use Anyconnect 4 as a 802.1x supplicant replacement.
    I'm trying to make a profile with Anyconnect Profile Editor, where the settings are WPA2 Enterprise where both machine and user must use certificates.
    I have downloaded the CA certificate from my Certificate Server, converted it to PEM and loaded it into the Profile Editor.
    But when I try to use the generated configuration.xml, I get this error:
    No valid certificates available. Please insert a smart card or install a valid certificate.
    If I load the xml file into Notepad++ I see that the certificate path is set to the path on the hard drive where I loaded it from, ie. D:\Certificate.pem
    Shouldn't that point to the Certificate Store instead?
    But even if I correct the path to something on the local hard drive, I still get the same error.
    So, any tips on how to use the Profile Editor correctly?
    Thank you.

    Hi,
    I looked at the website and can see that the Classic TPC card is supported on Vista. It is the 'Java-card based solution'. What do you mean when you say that I 'might need to obtain the software using BaseCSP to enumerate the certificates'? Windows 7 can enumerate
    them.
    I am having the exact same problem as you, however I can't even log in to Win7.
    Did you ever find a fix for this?

  • Windows smart card logon and kdc certificate (2008R2)

    dear, 
    We are trying to implement smart card logon on a 2008 R2 DC and CA. Environment:
    Domain controller - windows server 2008 R2
    CA - windows server 2008 R2
    testing server - windows server 2008 R2
    when using smartcard logon, a message pops up: "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
    The domain controller has an error message: "Event 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate",
    when using "net stop kdc && net start kdc" there is a warning: "event 29: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."
    There were 2 dead CAs in the environment; we deleted them manually by following the instructions in http://support.microsoft.com/kb/555151.
    We tried to renew the domain controller certificate with the instructions in http://technet.microsoft.com/en-us/library/cc734096.aspx and http://technet.microsoft.com/en-us/library/cc733944(v=ws.10).aspx;
    the result of "certutil -dcinfo verify" seemed to be correct, but events 19 and 29 are still there.
    How could we resolve this problem? Thanks in advance 
    The output of "certutil -dcinfo verify" is :
    0: CTXDC
    *** Testing DC[0]: CTXDC
    **  Enterprise Root Certificates for DC CTXDC 
    Certificate 0:
    Serial Number: 781902753c5627b64bd4e45c38b648df
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
     NotBefore: 2013/4/11 11:57
     NotAfter: 2018/4/11 12:07
    Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
    Certificate Template Name: CA
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): 24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
    **  KDC certificate for DC
    CTXDC 
    certificate 0:
    Serial Number: 611648d2000000000030
    Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
     NotBefore: 2013/4/21 12:05
     NotAfter: 2014/4/21 12:05
    Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
    Certificate Template Name: DomainController
    Non-root Certificate
    template: DomainController, domain controller
    Cert Hash(sha1): e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    Application[0] = 1.3.6.1.5.5.7.3.1
    Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2
    Client Authentication
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
      NotBefore: 2013/4/21 12:05
      NotAfter: 2014/4/21 12:05
      Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
      Serial: 611648d2000000000030
      SubjectAltName: Other Name:DS object GUID=04 10 f1 68 15 d4 e6 4a 8c 40 80 c6 15 16 1d 26 49 4d, DNS Name=CTXDC.demo2.internal.jiean-technologies.lan
      Template: DomainController
      e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
        CRL 54:
        Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
        52 95 06 73 26 3a 6a 22 a3 6f d7 6e b2 f3 4c 3d 02 9b 7e 54
        Delta CRL 55:
        Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
        8c c0 97 5e a3 13 9d a1 5c a2 c1 86 e8 65 ff b0 8b ea f4 a3
      Application[0] = 1.3.6.1.5.5.7.3.2
    Server Authentication
      Application[1] = 1.3.6.1.5.5.7.3.1
    Client Authentication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
      NotBefore: 2013/4/11 11:57
      NotAfter: 2018/4/11 12:07
      Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
      Serial: 781902753c5627b64bd4e45c38b648df
      Template: CA
      24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
      33 0e 29 2d 44 b0 f9 5d a8 7d 03 26 52 e0 cf 00 4c bf 66 2d
    Full chain:
      04 60 4a 63 ea 44 36 5a 8a 3e 43 b5 23 2a ee 8e a6 05 16 3b
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.2
    Server Authentication
        1.3.6.1.5.5.7.3.1
    Client Authentication
    1 KDC certs for CTXDC
    CertUtil: -DCInfo command completed successfully.

    The KDC certificate must be good for the "SmartCard logon" purpose. It is currently not.
    If you do not use smart cards, do not worry.
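As an added example (not from this thread), a small check that reads certutil -dcinfo verify output like the one quoted above and reports the KDC certificate's subject, template, time left before expiry, and which extended key usages it carries. The sample text is a constructed, abridged copy of the output in the thread; the KDC Authentication OID 1.3.6.1.5.2.3.5 is id-pkinit-KPKdc from RFC 4556 and does not occur in that output, which is exactly what the check is meant to surface. Function names are the example's own.

```python
import re
from datetime import datetime

# EKU OIDs the check recognises: the first two appear in the thread's certutil output,
# the third is id-pkinit-KPKdc (KDC Authentication) from RFC 4556.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.5": "KDC Authentication",
}
KDC_AUTH_EKU = "1.3.6.1.5.2.3.5"

# Constructed sample: an abridged copy of the certutil -dcinfo verify output quoted in the thread
SAMPLE_DCINFO = """\
0: CTXDC
*** Testing DC[0]: CTXDC
**  Enterprise Root Certificates for DC CTXDC
Certificate 0:
Serial Number: 781902753c5627b64bd4e45c38b648df
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
 NotBefore: 2013/4/11 11:57
 NotAfter: 2018/4/11 12:07
Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
**  KDC certificate for DC
CTXDC
certificate 0:
Serial Number: 611648d2000000000030
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
 NotBefore: 2013/4/21 12:05
 NotAfter: 2014/4/21 12:05
Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
Certificate Template Name: DomainController
Verified Application Policies:
    1.3.6.1.5.5.7.3.2
Server Authentication
    1.3.6.1.5.5.7.3.1
Client Authentication
1 KDC certs for CTXDC
CertUtil: -DCInfo command completed successfully.
"""

FIELD_RE = re.compile(r"(NotBefore|NotAfter|Subject|Serial Number|Certificate Template Name):\s*(.+)")
OID_RE = re.compile(r"\d+(?:\.\d+)+")

def parse_dcinfo(text):
    """Pull the first KDC certificate's fields and the verified EKU OIDs out of certutil text."""
    kdc, ekus, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("** "):                         # section banner
            section = "kdc" if "KDC" in line else "other"  # the root CA section is skipped
        elif line == "Verified Application Policies:":
            section = "eku"
        elif section == "kdc":
            m = FIELD_RE.match(line)
            if m and m.group(1) not in kdc:
                kdc[m.group(1)] = m.group(2).strip()
        elif section == "eku":
            if OID_RE.fullmatch(line):
                ekus.append(line)                          # key on the OID, not certutil's label
            elif not re.fullmatch(r"[A-Za-z ]*", line):
                section = None                             # "N KDC certs ..." ends the list
    return kdc, ekus

def assess_kdc_certificate(text, now):
    """Summarise what a defender wants from the output: who the KDC certificate is for, how
    long it has left, and whether it carries the PKINIT KDC EKU that lets a client tell a
    KDC certificate apart from an ordinary Server Authentication certificate."""
    kdc, ekus = parse_dcinfo(text)
    not_after = datetime.strptime(kdc["NotAfter"], "%Y/%m/%d %H:%M")
    return {
        "subject": kdc.get("Subject"),
        "template": kdc.get("Certificate Template Name"),
        "days_until_expiry": (not_after - now).days,
        "ekus": [EKU_NAMES.get(oid, oid) for oid in ekus],
        "has_kdc_authentication_eku": KDC_AUTH_EKU in ekus,
    }

def assess_sample():
    """Run the check over the constructed sample with a fixed reference date (deterministic)."""
    return assess_kdc_certificate(SAMPLE_DCINFO, datetime(2014, 3, 1))
```

The check keys on OIDs rather than on certutil's labels because the output quoted in the thread prints 1.3.6.1.5.5.7.3.2 next to "Server Authentication", whereas RFC 5280 registers that OID as id-kp-clientAuth (the .1 arc is serverAuth). Run over the sample with a 2014-03-01 reference date it reports a DomainController-template certificate with only Server and Client Authentication, no KDC Authentication EKU, and 51 days left before the 2014/4/21 expiry. On a Windows CA the Kerberos Authentication template, not the older Domain Controller template, is the one that adds the KDC Authentication EKU.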

  • Smart Card Reader not showing correct certificates?

    Running 10.5.6 with an SCR331, G4 desktop. I have been using entourage, smart card reader, and CAC successfully for quite some time.
    My CAC was recently updated with new certificates. When I insert my card reader with CAC into my machine, the keychain (and Entourage) show the old certificates which aren't even on my CAC anymore. Obviously I can't get Entourage (or other websites) to work without being able to access the new certs.
    I verified the CAC & reader were good by looking at it using a windows XP machine. The three new certificates were there.
    I also used another Mac (laptop) to verify the certs. I inserted my reader into the laptop, and the keychain on that machine displayed the correct certificates.
    I have tried several methods of rebuilding/replacing my keychain without success. Is there another token that needs to be cleared? Any help in letting me access the new certificates would be very much appreciated.
    Thanks,
    Bob

    If you did what a lot of people did, you put your certs locally, and you do not need to do this. Delete them from your keychain and just insert your CAC. Then create an "IDPref" for the DoD site you are trying to access and you should be good to go. If you need help, I have written a good "How-to" on my weblog. Just do a search for "safari and CAC".
    Jonathan
    <Edited by Host>
