Certificate Requirements for Smart Card Logon
Updated: February 18, 2010
Applies To: Windows 7, Windows Server 2008 R2
The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems.
Component | Requirement
---|---
CRL distribution point location | The location must be specified, online, and available. For example: [1]CRL Distribution Point
Key usage | Digital signature
Basic constraints | [Subject Type=End Entity, Path Length Constraint=None] (Optional)
Enhanced key usage |
Subject alternative name | Other Name: Principal Name=(UPN). For example: UPN=user1@contoso.com. The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3. The UPN OtherName value must be an ASN1-encoded UTF8 string.
Subject | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional.
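The subject alternative name row above is the one that is most often encoded incorrectly, so the following is an added example (it is not code from the original page or from Microsoft) that builds and validates the UPN OtherName with the standard library only. It assumes the X.509 GeneralName layout: the otherName alternative is an implicit [0] constructed tag replacing the OtherName SEQUENCE, holding the type-id OID from the table and an explicit [0] wrapper around the value, which the table requires to be a UTF8String. The function names and the `value_tag` parameter (used only to construct a wrongly tagged value for the rejection path) are this example's own.

```python
"""Encode and validate the UPN OtherName for a smart card logon SAN (stdlib only)."""

# Object identifier the table gives for the UPN OtherName
UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"

TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_CONTEXT_0_CONSTRUCTED = 0xA0  # [0] tag, constructed form


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, otherwise long form with a byte-count prefix."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """Tag, DER length, content."""
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV: first two arcs packed into one byte, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid for the content bytes of an OID TLV."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc has the high bit clear
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(data: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def encode_upn_general_name(upn: str, value_tag: int = TAG_UTF8STRING) -> bytes:
    """GeneralName otherName [0] { type-id OID, value [0] EXPLICIT UTF8String }.

    value_tag other than UTF8String is only for demonstrating the rejection path.
    """
    value = _tlv(TAG_CONTEXT_0_CONSTRUCTED, _tlv(value_tag, upn.encode("utf-8")))
    return _tlv(TAG_CONTEXT_0_CONSTRUCTED, encode_oid(UPN_OTHERNAME_OID) + value)


def decode_upn_general_name(der: bytes) -> str:
    """Check the structure the table requires and return the UPN, or raise ValueError."""
    tag, content, _ = _read_tlv(der)
    if tag != TAG_CONTEXT_0_CONSTRUCTED:
        raise ValueError("not an otherName GeneralName")
    tag, oid, pos = _read_tlv(content)
    if tag != TAG_OID or decode_oid(oid) != UPN_OTHERNAME_OID:
        raise ValueError("otherName type-id is not the UPN object identifier")
    tag, wrapper, _ = _read_tlv(content, pos)
    if tag != TAG_CONTEXT_0_CONSTRUCTED:
        raise ValueError("missing explicit [0] value wrapper")
    tag, raw, _ = _read_tlv(wrapper)
    if tag != TAG_UTF8STRING:
        raise ValueError(f"UPN value tag 0x{tag:02X} is not UTF8String (0x0C)")
    return raw.decode("utf-8")


def is_valid_upn_general_name(der: bytes) -> bool:
    """True only when the value decodes under the requirements above."""
    try:
        decode_upn_general_name(der)
        return True
    except (ValueError, IndexError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample UPN taken from the table's example
    der = encode_upn_general_name("user1@contoso.com")
    print(der.hex())
    print(decode_upn_general_name(der))
```

A value that is encoded as IA5String or PrintableString instead of UTF8String is rejected, which is the check to run against a certificate template or a third-party CA's output before rolling it out for logon.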
There are two predefined types of private keys. These keys are Signature Only (AT_SIGNATURE) and Key Exchange (AT_KEYEXCHANGE). Smart card logon certificates must have a Key Exchange (AT_KEYEXCHANGE) private key type.
You can enable any certificate to be visible to the smart card credential provider.
Component | Requirement
---|---
CRL | Not required
UPN | Not required
Key usage | Digital signature
Enhanced key usage (EKU) | The smart card logon object identifier is not required.
Subject alternative name | E-mail ID is not required for smart card logon.
Key exchange (AT_KEYEXCHANGE field) | Not required for smart card logon certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.)