MSFT smart card authentication is listed in PKINIT RFC 4556; however, I don't see any OIDs listed.

Based on this and this KB article the EKU section of the certificate should contain "Client Authentication" or "Microsoft smart card".

I believe I found the OID of the EKU section here:

OID=1.3.6.1.5.5.7.3.2       ; XCN_OID_PKIX_KP_CLIENT_AUTH  Client Authentication (KB291010)

I also found a list of possible OIDs here:

OID=1.3.6.1.4.1.311.20.2.2  ; XCN_OID_KP_SMARTCARD_LOGON

What are the requirements for SmartCard encryption with Windows?

makerofthings7

1 Answer

Many of the requirements are listed in this KB article http://support.microsoft.com/kb/281245

The smart card certificate has specific format requirements:

The CRL Distribution Point (CDP) location (where CRL is the Certification Revocation List) must be populated, online, and available.

For example:

CRL Distribution Point Distribution Point Name: Full Name: URL=http://server1.name.com/CertEnroll/caname.crl

Key Usage = Digital Signature

Basic Constraints [Subject Type=End Entity, Path Length Constraint=None] (Optional)

Enhanced Key Usage =

Client Authentication (1.3.6.1.5.5.7.3.2) (The client authentication OID is only required if a certificate is used for SSL authentication.)

Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

Subject Alternative Name = Other Name: Principal Name= (UPN). For example:

UPN = user1@name.com

The UPN OtherName OID is: "1.3.6.1.4.1.311.20.2.3"

The UPN OtherName value must be an ASN.1-encoded UTF8 string.

Subject = Distinguished name of user. This field is a mandatory extension, but the population of this field is optional.

makerofthings7
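As an added example (not part of the original answer or of any Microsoft tool), the following Python builds the two extensions the answer describes, the EKU list and the SAN otherName carrying the UPN, and then parses them back, so you can check that a certificate really carries the Smart Card Logon OID and that the UPN is a UTF8String rather than some other string type. It assumes short-form DER lengths, which is enough for extensions this small.

```python
# Added example: hand-rolled DER for the smart card logon extensions (short-form lengths only).
SMARTCARD_LOGON, UPN_OTHERNAME = "1.3.6.1.4.1.311.20.2.2", "1.3.6.1.4.1.311.20.2.3"

def der(tag, body):  # TLV with short-form length; enough for these small extensions
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):  # first two arcs packed into one byte, base-128 for the rest
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def tlvs(data):  # yield (tag, body) for each top-level short-form DER element
    i = 0
    while i < len(data):
        tag, ln = data[i], data[i + 1]
        yield tag, data[i + 2:i + 2 + ln]
        i += 2 + ln

def eku_extension(oids):  # ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER
    return der(0x30, b"".join(encode_oid(o) for o in oids))

def upn_san(upn):
    # otherName = [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY };
    # for the UPN OID the value must be a UTF8String (tag 0x0C), as the answer says.
    value = der(0xA0, der(0x0C, upn.encode("utf-8")))
    return der(0x30, der(0xA0, encode_oid(UPN_OTHERNAME) + value))

def eku_oids(ext):
    return [decode_oid(b) for t, b in tlvs(next(tlvs(ext))[1]) if t == 0x06]

def san_upn(ext):  # UPN from a SAN extension, or None if absent or not a UTF8String
    for tag, body in tlvs(next(tlvs(ext))[1]):
        if tag == 0xA0:
            oid, wrapped = list(tlvs(body))[:2]
            inner = next(tlvs(wrapped[1]))
            if decode_oid(oid[1]) == UPN_OTHERNAME and inner[0] == 0x0C:
                return inner[1].decode("utf-8")
    return None
```

`san_upn` returning None for a UPN encoded as an IA5String is the failure mode to look for when logon fails despite the SAN "looking right" in a viewer.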