Application Note

Gemalto.NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services on Windows 2008
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto's information.

This document can be used for informational, non-commercial, internal and personal use only provided that: The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.

The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement.

In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.

Copyright 2009 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90

October 13, 2009
Contents

- Introduction
  - Gemalto.NET 2.0 Card
  - Windows Smart Card Framework architecture
- Installing Microsoft Certificate Services
  - Installation
- Configuring Microsoft Certificate Authority
  - Duplicate the Smartcard User template
  - Publish the templates
- Issuance of a User Certificate on a Gemalto.NET Smart Card
  - Enroll the Enrollment Agent certificate
  - Enroll the Smart Card User certificate on behalf of the user
- Glossary
Introduction

The purpose of this document is to provide a quick reference guide for the installation and basic configuration of Microsoft Certificate Services. This document is NOT a comprehensive guide on Microsoft Certificate Services; it only proposes a basic setup to enable enrollment of certificates on Gemalto.NET 2.0 Smart Cards. For further information on Microsoft Certificate Services, please refer to Microsoft's documentation.

Gemalto.NET 2.0 Card

Gemalto.NET smart cards run a streamlined version of the .NET Framework in order to provide customizable two-factor authentication and full cryptographic capabilities seamlessly within the Windows environment. Organizations can easily leverage Gemalto's advanced smart card technology to secure their networks from end to end using a variety of security technologies to meet their needs while dramatically reducing implementation costs and complexity.

Gemalto.NET smart cards are natively supported in Microsoft Vista. For Windows 2000, XP and Server 2003 they are integrated with Microsoft's Base Smart Card Cryptographic Service Provider (CSP) Package, which is available for download via Windows Update. As a result, users do not need to install any proprietary middleware to use the Gemalto.NET Card.

Gemalto.NET smart cards are also compatible with Microsoft's Identity Lifecycle Manager (ILM), a policy and workflow solution for management of the lifecycle of digital certificates and smart cards.

Thanks to this high level of integration with Microsoft's operating systems and smart card related security solutions, Gemalto.NET smart cards offer the easiest and most cost efficient solution for implementation of a strong two-factor security infrastructure. The Gemalto.NET 2.0 smart card architecture also provides an open platform for the development and implementation of a wide range of security solutions. It works as a
Windows Smart Card Framework architecture

In the past, smart card vendors made and maintained a monolithic Cryptographic Service Provider (CSP) for their own smart cards. Vendors had to write complete, custom, software CSPs to enable smart card scenarios for their cards.

The new Windows Smart Card Framework architecture is layered to separate the basic required cryptography components at the top from the unique smart card hardware interfaces at the bottom. The hardware-specific interface for a given smart card is called a Minidriver (formerly called Card Module) and takes the form of a Dynamic Link Library (DLL). Minidrivers leverage the common cryptographic components now included in the Windows platform.

This new architecture has been implemented in the Crypto API Next Generation (CNG) as part of the Microsoft Windows Vista OS, and is called the Microsoft Smart Card Key Storage Provider (KSP). The cryptography for smart cards has also been implemented in the legacy Crypto API (CAPI) for Windows 2000 SP4, XP SP2 and Server 2003 SP1, and is known as the Microsoft Base Smart Card Cryptographic Service Provider (Base CSP). The Base CSP is not supported natively in these legacy operating systems, but it is available as Microsoft Windows Update KB909520.

NOTE: The Microsoft Base Smart Card Cryptographic Service Provider should not be confused with the Microsoft Base Cryptographic Provider v1.0, which is the default, non smart card software CSP in Windows.

Base CSP and KSP provide the common software cryptographic portions, while the Minidriver of a given smart card compliant with this architecture simply plugs in to provide access to the hardware and software of that particular smart card. Figure 1 illustrates the two Smart Card CSP architectures.

From an application developer perspective, the Base CSP, KSP and Minidriver interfaces provide a common way to access smart card features, regardless of the card type. For users, the new architecture includes support for all preexisting smart card scenarios, and it also provides new tools for the management of the Personal Identification Number (PIN).
Installing Microsoft Certificate Services

Prerequisites

Prior to the installation of Microsoft Certificate Services, verify that your system includes the following required components:

- Fully patched Windows 2008 Server
  - configured as an Active Directory domain controller, or
  - joined to an existing Active Directory domain.
- Administrative privileges on the server.
- The common name of the Microsoft Certificate Authority, which is defined during the CA installation.
- Microsoft Base Smart Card Crypto Service Provider (Base CSP) installed.
- A PC/SC compliant Smart Card Reader (USB, Serial or PCMCIA).

Installation

1. Start the Server Manager and click Add Roles.
2. Select Active Directory Certificate Services.
3. Click Next.
4. Select Certification Authority, Certification Authority Web Enrollment and Online Responder.
5. Click Add Required Role Services, as IIS is required and not yet installed.
6. Check Enterprise, then click Next.
7. Check Root CA, then click Next.
8. Check Create a new private key, then click Next.
9. Select SHA256. Warning: operating systems older than Windows XP SP3 cannot use certificates signed with SHA256.
10. Name of the CA: MyCA (in this case).
11. Enter the validity period: 5 years.
12. Click Next.
13. Click Next.
14. Click Next.
15. Click Next; the installation then starts.
Configuring Microsoft Certificate Authority

The following certificate templates need to be published by the CA:

- Enrollment Agent: an enrollment agent certificate needs to be issued to any user who will request a smart card certificate on behalf of another user during issuance.
- Smart Card User: any user issued a certificate based on this template may use it for Smart Card Logon, Client Authentication and secure email. This template will be customized by duplicating the existing one.

Duplicate the Smartcard User template

1. Click Start/Administrative Tools/Certification Authority.
2. Expand the defined CA.
3. Right-click Certificate Templates and select Manage.
4. Right-click Smartcard User and select Duplicate Template.
5. Select the appropriate Certificate Template Version. In the Properties of New Template, set up the template as described below:
   1. In the General tab, change the name to MySmartcardUser, increase the Validity period and the Renewal period, and select Publish certificate in Active Directory.
   2. In the Request Handling tab, click the CSPs button.
   3. Select Requests must use one of the following CSPs.
   4. In the list of CSPs, select Microsoft Base Smart Card Crypto Provider.
   5. Click the Issuance Requirements tab.
   6. Check This number of authorized signatures and enter the number 1.
   7. Select Application policy.
   8. For the Application policy, select Certificate Request Agent.

Publish the templates

1. Right-click Certificate Templates and select New Certificate Template to Issue.
2. Select Enrollment Agent and click OK to add it.
3. Right-click Certificate Templates again and select New Certificate Template to Issue.
4. Select MySmartcardUser and click OK to add it.
5. Check that the MySmartcardUser and Enrollment Agent templates are now available under Certificate Templates.
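The template and CA settings configured above can be verified without opening the console. The following script is an added example, not part of the Gemalto application note: it reads the template and CA objects from the Active Directory configuration partition through ADSI (no extra modules) and reports any setting that differs from the procedure. It assumes a domain-joined machine, a CA named MyCA and a template named MySmartcardUser, as in the procedure.

```powershell
# Added verification script; it is not part of the Gemalto application note.
# Assumptions: run as a domain user on a domain-joined machine; the CA common
# name is MyCA and the duplicated template is MySmartcardUser, as above.
$caName       = 'MyCA'
$templateName = 'MySmartcardUser'
$expectedCsp  = 'Microsoft Base Smart Card Crypto Provider'
$reqAgentOid  = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent application policy
$scLogonOid   = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$publishToDs  = 0x8                        # CT_FLAG_PUBLISH_TO_DS in msPKI-Enrollment-Flag

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"
$tpl = [ADSI]"LDAP://CN=$templateName,CN=Certificate Templates,$pkiBase"
$ca  = [ADSI]"LDAP://CN=$caName,CN=Enrollment Services,$pkiBase"

$problems = @()
# 1. Requests must use the Base CSP only (values are stored as "1,<provider name>").
$csps = @($tpl.Properties['pKIDefaultCSPs']) | ForEach-Object { ($_ -split ',', 2)[1] }
if ($csps.Count -ne 1 -or $csps[0] -ne $expectedCsp) {
    $problems += "CSP restriction is [$($csps -join '; ')], expected only '$expectedCsp'"
}
# 2. Exactly one authorized signature, from a Certificate Request Agent certificate.
if ([int]$tpl.Properties['msPKI-RA-Signature'][0] -ne 1) {
    $problems += 'Issuance requirement is not exactly 1 authorized signature'
}
if (-not (@($tpl.Properties['msPKI-RA-Application-Policies']) -like "*$reqAgentOid*")) {
    $problems += 'Signing certificate is not required to carry the Certificate Request Agent policy'
}
# 3. Certificate is published to AD and the template still carries Smart Card Logon.
if (-not ([int]$tpl.Properties['msPKI-Enrollment-Flag'][0] -band $publishToDs)) {
    $problems += 'Publish certificate in Active Directory is not set'
}
if (@($tpl.Properties['pKIExtendedKeyUsage']) -notcontains $scLogonOid) {
    $problems += 'Smart Card Logon EKU is missing from the template'
}
# 4. Both templates are listed on the CA's enrollment service object.
$published = @($ca.Properties['certificateTemplates'])
foreach ($t in @($templateName, 'EnrollmentAgent')) {
    if ($published -notcontains $t) { $problems += "CA '$caName' does not issue template '$t'" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "Template '$templateName' and CA '$caName' match the procedure." }
```

A CSP restriction that lists more than one provider, or no Certificate Request Agent requirement, means the card key or the agent signature is not actually enforced, which is the first thing to look at if enrollment succeeds with a software key.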
Issuance of a User Certificate on a Gemalto.NET Smart Card

Enroll the Enrollment Agent certificate

1. Ensure that the Base CSP package has been downloaded and installed on the client machine where the smart card user certificate will be issued. For the Gemalto.NET smart card there is no additional software that needs to be installed.
2. Launch the MMC.
3. Add the Certificates snap-in: click File, then Add/Remove Snap-in.
4. Select Certificates and click Add.
5. Select My user account and click Finish.
6. Click OK.
7. Back in the MMC console, right-click the Personal container, then All Tasks, Request New Certificate.
8. Click Next in the next two windows; in the third window, select the Enrollment Agent certificate and click Enroll.
9. The Enrollment Agent certificate has been enrolled successfully. Click Finish.
10. This certificate is stored in the Personal container.

Enroll the Smart Card User certificate on behalf of the user

1. Back in the MMC console, right-click the Personal container, then All Tasks, Advanced Operations, Enroll On Behalf Of.
2. For the Signing certificate, click Browse.
3. Select the Enrollment Agent certificate.
4. Click Next.
5. Select the MySmartcardUser template and click Next.
6. Select the end user.
7. Enter the PIN.
8. The smart card is enrolled and can be used, for example, for smart card logon.
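Once the card is enrolled, the result can be checked from the client. The following script is an added example, not part of the Gemalto application note: run on the client with the enrolled Gemalto.NET card inserted and logged on as the card holder, it finds the certificate with the Smart Card Logon EKU in the user's Personal store, confirms that its private key is hardware-backed through the Base CSP rather than held in a software container, and builds the chain to the CA. It assumes the CA is named MyCA, as in the procedure.

```powershell
# Added check script; it is not part of the Gemalto application note.
# Assumptions: run on the client with the enrolled card inserted, logged on as the
# card holder (the certificate propagation service copies the card certificate
# into the user's Personal store); the CA common name is MyCA, as above.
$caName      = 'MyCA'
$scLogonOid  = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$expectedCsp = 'Microsoft Base Smart Card Crypto Provider'

function Test-Eku([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert, [string]$oid) {
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($o in $ext.EnhancedKeyUsages) { if ($o.Value -eq $oid) { return $true } }
        }
    }
    return $false
}

$cards = Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-Eku $_ $scLogonOid }
if (-not $cards) { Write-Warning 'No certificate with the Smart Card Logon EKU in the Personal store'; return }

foreach ($cert in $cards) {
    "Subject: $($cert.Subject)  Expires: $($cert.NotAfter)"
    # The key must live on the card behind the Base CSP, not in a software container.
    # Opening the key container of a smart card CSP may prompt for the card or PIN.
    $info = $cert.PrivateKey.CspKeyContainerInfo
    if ($info.ProviderName -ne $expectedCsp -or -not $info.HardwareDevice) {
        Write-Warning "  private key is not on a smart card (provider: $($info.ProviderName))"
    } else { "  private key: hardware-backed via $($info.ProviderName)" }
    # The chain must build to the enterprise root CA created during installation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        Write-Warning "  chain does not validate: $($chain.ChainStatus | ForEach-Object { $_.Status })"
    } else {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Subject -notlike "*CN=$caName*") { Write-Warning "  issued under unexpected root: $($root.Subject)" }
        else { "  chain OK, root: $($root.Subject)" }
    }
}
```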
Glossary

- Base CSP: Microsoft Base Smart Card Crypto Service Provider
- API: Application Protocol Interface
- CAPI: Cryptography API
- CNG: Crypto API Next Generation
- CSP: Cryptographic Service Provider
- PIN: Personal Identification Number
- KSP: Key Storage Provider
- CMS: Card Management System