Certificate Requirements for Smart Card Logon
Updated: February 18, 2010
Applies To: Windows 7, Windows Server 2008 R2
Certificate requirements for Windows XP and earlier
The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems.
| Component | Requirement |
|---|---|
| CRL distribution point location | The location must be specified, online, and available. For example: [1]CRL Distribution Point |
| Key usage | Digital signature |
| Basic constraints | [Subject Type=End Entity, Path Length Constraint=None] (Optional) |
| Enhanced key usage | |
| Subject alternative name | Other Name: Principal Name=(UPN). For example: UPN=user1@contoso.com. The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3. The UPN OtherName value must be an ASN1-encoded UTF8 string. |
| Subject | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional. |
There are two predefined types of private keys. These keys are Signature Only (AT_SIGNATURE) and Key Exchange (AT_KEYEXCHANGE). Smart card logon certificates must have a Key Exchange (AT_KEYEXCHANGE) private key type.
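The subject alternative name row above requires a UPN OtherName with object identifier 1.3.6.1.4.1.311.20.2.3 whose value is an ASN.1 UTF8String. The following Python is an added example, not code from the original page or from Microsoft: a small DER encoder/decoder that builds such a SAN extension value for a constructed UPN and parses one back, rejecting a value that is not a UTF8String. It assumes the input is the raw extension value (the GeneralNames SEQUENCE), not a whole certificate, and uses only the standard library.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft UPN OtherName OID (from the page)
OID, UTF8, SEQ, CTX0 = 0x06, 0x0C, 0x30, 0xA0  # DER tags used below

def tlv(tag, content):
    # DER tag-length-value; long-form length when content is 128 bytes or more.
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted):
    # Base-128 arcs; the first two arcs share one byte (40*a0 + a1).
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def upn_san(upn):
    # GeneralNames ::= SEQUENCE { otherName [0] { type-id OID, value [0] EXPLICIT UTF8String } }
    other = tlv(OID, encode_oid(UPN_OID)) + tlv(CTX0, tlv(UTF8, upn.encode("utf-8")))
    return tlv(SEQ, tlv(CTX0, other))

def read_tlv(buf, pos):
    # Return (tag, content, next_pos) for the TLV starting at buf[pos].
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def upn_from_san(san):
    # Walk the GeneralNames; return the UPN string, or None if no UPN otherName is present.
    names, pos = read_tlv(san, 0)[1], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != CTX0:  # rfc822Name, dNSName and other GeneralName choices are skipped
            continue
        oid_tag, oid, nxt = read_tlv(body, 0)
        if oid_tag != OID or oid != encode_oid(UPN_OID):
            continue
        _, explicit, _ = read_tlv(body, nxt)  # [0] EXPLICIT wrapper around the value
        vtag, value, _ = read_tlv(explicit, 0)
        if vtag != UTF8:  # e.g. an IA5String (0x16) does not meet the UTF8String requirement
            raise ValueError("UPN OtherName value must be a UTF8String, got tag 0x%02X" % vtag)
        return value.decode("utf-8")
    return None
```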
Certificate requirements for Windows Vista and Windows 7
You can enable any certificate to be visible for the smart card credential provider.
| Component | Requirement |
|---|---|
| CRL | Not required |
| UPN | Not required |
| Key usage | Digital signature |
| Enhanced key usage (EKU) | The smart card logon object identifier is not required. |
| Subject alternative name | E-mail ID is not required for smart card logon. |
| Key exchange (AT_KEYEXCHANGE field) | Not required for smart card logon certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) |