Multiple Certs on Smartcard and Windows Smartcard Logon

Discussion in 'Server Security' started by Dave W, Jul 8, 2005.

  1. Dave W

    Dave W Guest

    I've a set of requirements that a customer has asked me to engineer a
    solution for... but need some advice.

    Users will have smartcards for storing multiple key pairs / certificates.
    They will have as a minimum, a user non-repudiation signing key & cert, a
    role (bit like a job title) non-repudiation signing key and cert and a
    smartcard logon key pair and cert.

    My question is... is the Windows SmartCard logon "intelligent" enough to
    select the correct authentication key pair? (I'm sort of guessing that it can
    look in the certificates' key usage for a smartcard logon usage (OID?).)

    Any advice would be extremely welcome.


    Dave W, Jul 8, 2005
  2. Brian Komar

    Brian Komar Guest

    No. The authentication certificate and key pair must be stored on Slot 0
    of the smart card. If you want a user to have a "normal" logon
    certificate and a "role" logon certificate, you will have to implement
    two smart cards, one for each role.

    You can have multiple certificates on a smart card. For example, you
    could add:
    - S/MIME signing
    - S/MIME encryption
    - Code Signing
    - Document Signing
    - Key Recovery
    etc. Anything except EFS encryption and EFS recovery (which are not
    supported on smart cards).

    In the future, there are plans to allow multiple authentication certs on
    a single smart card, but that would only be in the Longhorn time frame.

    Brian Komar, Jul 10, 2005
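    As an added check (not part of the thread), the script below inventories the certificates in the user's Personal store on a Windows client with the card inserted and flags which ones carry the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2), so an engineer can confirm that only the intended logon pair is marked for logon and the signing certificates are not. It assumes PowerShell on Windows and that the card's certificates have been propagated into Cert:\CurrentUser\My; it reports EKU presence only and says nothing about which container the card's CSP treats as the default.

```powershell
# Added example, not from the original post. Lists certificates in the
# current user's Personal store and flags those carrying the Smart Card
# Logon EKU, the Client Authentication EKU, and a Subject Alternative Name.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
$SanOid            = '2.5.29.17'                # subjectAltName

$report = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # EnhancedKeyUsageList is empty for certs without an EKU extension
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $cert.HasPrivateKey
        SmartCardLogon = ($ekus -contains $SmartCardLogonEku)
        ClientAuth     = ($ekus -contains $ClientAuthEku)
        # Format($false) renders the SAN (e.g. the UPN) on one line
        SAN            = if ($san) { $san.Format($false) } else { '' }
    }
}

$report | Format-Table -AutoSize

# More than one logon-capable cert is worth a second look: the signing
# certs for the user and role should not carry the Smart Card Logon EKU.
$logonCerts = @($report | Where-Object { $_.SmartCardLogon })
Write-Host ("Certificates with Smart Card Logon EKU: {0}" -f $logonCerts.Count)
if ($logonCerts.Count -ne 1) {
    Write-Warning 'Expected exactly one Smart Card Logon certificate.'
}
```

To see what is physically on the card rather than what has been propagated to the store, `certutil -scinfo` enumerates the card's containers and certificates.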
