Smart card logon with third-party certification authorities
Hi all, I want to use smart card logon based on certificates from a third party. No CA is in my Active Directory environment. I am following these articles:
http://support.microsoft.com/kb/281245
http://social.technet.microsoft.com/wiki/contents/articles/3824.updated-requirements-for-a-windows-server-2008-r2-domain-controller-certificate-from-a-3rd-party-ca.aspx
In what way should I generate the CSR file for my domain controller? http://support.microsoft.com/kb/291010
If I use MMC/Certificates and create a "Custom request", there is no option to fill in the Certificate Template Name - DomainController. "The certificate template must have an extension with the BMP data value "DomainController"." What's the best way to create a .csr for my domain controller?
September 12th, 2012 7:14am

I would ask here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads Thanks
September 12th, 2012 8:43am

Ok. Thanx.
September 12th, 2012 9:02am

There is another problem with your scenario. What "third-party" CA do you want to use? Is it any "normal" public SSL/TLS CA? Are you sure that the public CA will issue the certificate for your domain controller? The domain controller certificate is not a standard "server certificate" as the public CAs usually call it. The certificate is special in that it must contain one of the three things that you already mentioned:
the OID for KDC Authentication (1.3.6.1.5.2.3.5)
the presence of the Template Name DomainController in the certificate (all flavors of MS CAs stamp this on certificates if it is a part of the request)
the OID for SmartcardLogon (1.3.6.1.4.1.311.20.2.2)
The requirements mean that the CA would have to include either the KDC Authentication or the SmartCardLogon OID in the Enhanced Key Usage of the issued certificate. I doubt that a public CA would add the CertificateTemplate extension at all. Although you can create a request that contains the SmartCardLogon or KDCAuthentication OID(s) and submit such a request to the authority, I doubt any public CA that issues standard SSL/TLS web server certificates would include them anyway. Public CAs just take the request, ignore everything except for the public key, and create a certificate with whatever fields they want themselves (Server Authentication and Client Authentication usually). So unless you are first sure that they issue certificates with SmartCardLogon and/or KDCAuthentication OIDs, you should consider your internal CA instead. ondrej.
September 12th, 2012 1:01pm

Hi Ondrej :) The third-party CA is our foreign company partner. They have already built up their own MS CA (and SUB CA) and it's trusted for our domain (but the domains are not trusted). The "problem" is that they can't publish a certificate for our DC online, so I have to send them a CSR.
the OID for KDC Authentication (1.3.6.1.5.2.3.5)
the presence of the Template Name DomainController in the certificate (all flavors of MS CAs stamp this on certificates if it is a part of the request)
the OID for SmartcardLogon (1.3.6.1.4.1.311.20.2.2)
If one of these is present in the certificate, the KDC will consider it potentially usable as a DC certificate capable of servicing smartcard logons (if it also passes revocation checks).
So if I have KDC Authentication included in the DC certificate, no other conditions (Template name or SmartcardLogon) have to be fulfilled?
September 12th, 2012 1:29pm

Hi! Then OK. You cannot see the template in the request wizard because your forest does not have the templates installed in the configuration partition. You have two options:
a) You can create the request manually, but this would be quite a pain, as you need to include Server Authentication, Client Authentication, Smart Card Logon and ideally even KDC Authentication in the EKU, type in the SAN: yourdomain.local, NETBIOSDOMAINNAME, dc1.domain.local (this is not necessary, as you may have to reuse the certificate on several DCs), use the RSA Schannel CSP, Encryption key type, 2048-bit key, consider a non-exportable or exportable key if you need to reuse it, and maybe something else. I am also not sure whether the enterprise CA would be willing to issue the certificate, because the request will not contain the Certificate Template extension (you don't know the ID of the template).
b) You can export the templates from the CA's forest and import them into your own. Then the enrollment wizard will show you the list of the templates and the request will be much simpler (I know, you don't have a trust, so just copy the templates and OIDs): http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx#BKMK_CopyingPKI ondrej.
September 12th, 2012 2:30pm
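A worked version of option a) plus the check Tomas asks about two posts up, added here as an example and not taken from the thread or from Ondrej. It builds the CSR with certreq.exe from an INF file carrying the four EKUs, the SAN entries and the RSA Schannel CSP settings described above, and then inspects the returned certificate for the three properties the KDC accepts (KDC Authentication EKU, Smart Card Logon EKU, or the DomainController template name extension 1.3.6.1.4.1.311.20.2). The host name dc1.domain.local, the domain domain.local, the NetBIOS name DOMAIN and the file names are assumed placeholders; the Server Authentication and Client Authentication OIDs are the standard ones, and the CertificateTemplate request attribute is an assumption that only helps if the partner's enterprise CA recognises a template by that name.

```powershell
# Added example, not from the thread. Assumed names: dc1.domain.local, domain.local, DOMAIN.
# Step 1: describe the request in certreq INF syntax (';' starts an INF comment).
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=dc1.domain.local"
KeyLength = 2048
KeySpec = 1                          ; AT_KEYEXCHANGE = "Encryption" key type
KeyUsage = 0xA0                      ; Digital Signature + Key Encipherment
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
MachineKeySet = TRUE                 ; key lives in the computer store, as a DC needs
Exportable = FALSE                   ; TRUE only if the same key must be reused on other DCs
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1              ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2              ; Client Authentication
OID = 1.3.6.1.4.1.311.20.2.2         ; Smart Card Logon
OID = 1.3.6.1.5.2.3.5                ; KDC Authentication

[Extensions]
2.5.29.17 = "{text}"                 ; Subject Alternative Name
_continue_ = "dns=dc1.domain.local&"
_continue_ = "dns=domain.local&"
_continue_ = "dns=DOMAIN"

[RequestAttributes]
CertificateTemplate = DomainController   ; assumption: only honoured by a CA that has this template
'@

Set-Content -Path .\dc1-request.inf -Value $inf -Encoding Ascii
certreq.exe -new .\dc1-request.inf .\dc1.csr     # dc1.csr is what goes to the partner CA

# Step 2 (after the partner returns dc1.cer): bind it to the private key created above.
# certreq.exe -accept .\dc1.cer

# Step 3: check the issued certificate for the three properties the KDC looks for.
function Test-DcCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Enhanced Key Usage (2.5.29.37) is decoded by .NET into an X509EnhancedKeyUsageExtension.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Certificate Template Name (1.3.6.1.4.1.311.20.2) holds the BMPString "DomainController";
    # Format() decodes it through CryptFormatObject, so this part is Windows-only.
    $tmplExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    $template = if ($tmplExt) { $tmplExt.Format($false).Trim() } else { $null }

    $kdc  = $ekus -contains '1.3.6.1.5.2.3.5'
    $sc   = $ekus -contains '1.3.6.1.4.1.311.20.2.2'
    $tmpl = ($template -eq 'DomainController')

    [pscustomobject]@{
        Subject                 = $Cert.Subject
        KdcAuthentication       = $kdc
        SmartCardLogon          = $sc
        TemplateName            = $template
        # Any one of the three is enough for the KDC, revocation checks aside.
        UsableForSmartcardLogon = ($kdc -or $sc -or $tmpl)
    }
}

# Usage once the certificate is installed in the computer store:
$dcCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=dc1.domain.local*' } |
    Select-Object -First 1
if ($dcCert) { Test-DcCertificate -Cert $dcCert }

# The KDC also requires a clean chain and revocation check; certutil performs the same walk:
# certutil.exe -verify -urlfetch .\dc1.cer
```

The INF is the only part the partner CA ever sees, via the CSR; whether the issued certificate actually carries the EKUs is the CA's decision, which is why the check in Test-DcCertificate is run on the returned dc1.cer rather than on the request. If the partner CA applies its DomainController template, the template name extension appears even though the request never contained the template OID.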

Thanks Ondrej. First I will try to generate the .CSR file without the Certificate template name. Your b) solution also looks friendly; that would be the second try. I'll let you know. Tomas
September 13th, 2012 3:02am

If you would like to talk in Czech, I have the email ondrej at sevecek dot com. o.
September 13th, 2012 4:58am

Hi Tomas, As this thread has been quiet for a while, we will mark it as Answered, as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts. Best Regards Kevin TechNet Subscriber Support If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
September 16th, 2012 11:34pm
