© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2022
L. E. Hughes, Pro Active Directory Certificate Services, https://doi.org/10.1007/978-1-4842-7486-6_17

17. Issue and Manage Windows Logon Certificates

Lawrence E. Hughes
Frisco, TX, USA

Most people who use Windows (even in corporate networks) authenticate with a username and password. To be specific, the username here is actually the User Principal Name (UPN), which can be entered as HUGHESNET-US\lhughes or [email protected] in my network. The password is the one in the user’s Active Directory account (when using domain login).

It is possible to create Windows Logon Smart cards, which are simply PKI smart cards that contain a certificate whose SubjectDN carries the user’s User Principal Name, together with the corresponding private key. The Windows computer has to be configured for Smart card Login. When the user wants to log in, they select Smart card and insert their smart card into a smart card reader on their computer.

A Windows Logon digital certificate is similar to a TLS Client Certificate. It is used for Windows Smart card Login. There are two primary differences between a TLS Client Certificate and a Windows Logon Certificate:
  • For a TLS Client Certificate, the X.509 Enhanced Key Usage field must have the Client Authentication flag set (as opposed to the Server Authentication flag in a TLS Server Certificate). In a Windows Logon Certificate, the Enhanced Key Usage field must also have the Client Authentication flag set.

  • For a Windows Logon Certificate, the X.509 Subject Alternative Name field must contain the user’s UPN. There is no need for any Subject Alternative Name field in a TLS Client Certificate, but the presence of one does not interfere with its use for TLS client authentication.

There is no advantage to a public hierarchy for a Windows Logon Certificate; a private hierarchy is all that is needed. This is an ideal use for Active Directory Certificate Services.

Configure Active Directory Certificate Services to Issue Windows Logon Certificates

We will now configure Microsoft Certificate Services to issue Windows Logon Certificates that can be used for Windows Smart card Login. Each user must obtain a unique Windows Logon Certificate that identifies them by their UPN. In a Windows Logon Certificate, the Subject Distinguished Name field identifies a particular user in Active Directory. A Windows Logon Certificate can be used from any Windows workstation – it is not tied to a particular node.

You can export your key material (Windows Logon Certificate and private key) in PKCS12 format and import it into one or more smart cards. If the key material is created inside the token from the start, there is no way to back up the key material (the private key can never be exported from the hardware token).

We will create a new certificate template for Windows Logon Certificates that has only the Client Authentication flag set and the user’s UPN in the Subject Alternative Name.

Create Template for Windows Logon Certificate

On the VM running your Subordinate CA (in my case, intca.us.hughesnet.org), in Server Manager, click Tools/Certification Authority.

Expand PKIEdu Int CA. Click Certificate Templates. You should see the following (Figure 17-1).
Figure 17-1. Certificate Templates

Right-click Certificate Templates and choose Manage. You should see the following (Figure 17-2).
Figure 17-2. Manage

Right-click Smart card Logon and select Duplicate Template. You should see the following (Figure 17-3).
Figure 17-3. Properties of New Template

Click the General tab.

Set the Template display name to Windows Logon. This will change the Template name to WindowsLogon.

Set the Validity period to one year.

Select Publish certificate in Active Directory.

It should look like this (Figure 17-4).
Figure 17-4. “General” tab

Do not click OK yet.

Select the Subject Name tab.

Select Build from this Active Directory information.

Select Subject name format as Fully distinguished name.

Under Include this information in alternate subject name, select User principal name (UPN).

It should look like this (Figure 17-5).
Figure 17-5. Do not click OK yet

Select the Extensions tab.

You will see that the Application Policies are currently set to Client Authentication and Smart card Login.

Those are correct for Windows Logon Certificates. See Figure 17-6.
Figure 17-6. Now you can click OK

There is now a new template called Windows Logon. See Figure 17-7.
Figure 17-7. Windows Logon Template

Prepare for Issuing Windows Logon Certificates

In the Certification Authority app, right-click Certificate Templates and select New/Certificate Template to issue. From the list of certificate templates, find Windows Logon. See Figure 17-8.
Figure 17-8. Windows Logon

Select it by clicking it, and then click OK. This will enable your new certificate template to be used for issuing new certificates.

Now right-click Certificate Templates and select Manage.

Find Windows Logon in the list of templates. Right-click it and select Properties.

Select the Security tab (Figure 17-9).
Figure 17-9. Windows Logon Properties

Select who you want to be able to enroll for Windows Logon Certificates (e.g., Authenticated Users), and grant them Read and Enroll.

It will now look like this (Figure 17-10).
Figure 17-10. Click OK

Request and Obtain a Windows Logon Certificate Using mmc.exe

The next step is to use mmc.exe to request a Windows Logon Certificate for Administrator (the currently logged-in user).

Start mmc.exe by selecting Start/Run and entering mmc.exe.

Click File/Add/Remove Snap-in. Select Certificates and then click Add. Select My user account. Click OK. Expand Certificates – Current User. Expand Personal. Expand Certificates. You should see something like the following (Figure 17-11).
Figure 17-11. Expand “Certificates”

Right-click the middle pane, and select All Tasks/Request New Certificate.

Ignore the Before You Begin page. Click Next.

You should now see the following (Figure 17-12).
Figure 17-12. Certificate Enrollment

Click Next.

You should now see the following (Figure 17-13).
Figure 17-13. Request Certificates window

Select Windows Logon. Click Enroll.

You should now see the following (Figure 17-14).
Figure 17-14. Certificate Installation Results

Congratulations, you have just issued a Windows Logon Certificate for the current user (Administrator). Click Finish.

In mmc.exe, you should now see the new certificate (Figure 17-15).
Figure 17-15. New certificate screen

Double-click the new certificate to view its properties (Figure 17-16).
Figure 17-16. Certificate properties

The Valid from date is when I issued this certificate.

The Valid to date is one year from then.

I have a private key that corresponds to this certificate.

Now select the Details tab.

Under Subject, you should see
      CN = Administrator
      CN = Users
      DC = us
      DC = hughesnet
      DC = org
Under Issuer, you should see
      CN = PKIEdu Int CA
      DC = us
      DC = hughesnet
      DC = org
Under Enhanced Key Usage, you should see
      Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
      Client Authentication (1.3.6.1.5.5.7.3.2)

Under CRL Distribution Point, you should see an LDAP URL pointing to your AD server.

Under Subject Alternative Name, you should see
      Other Name:
           Principal [email protected]

This is exactly what you need for a Windows Logon Certificate.
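As an added example (not code from the book), the following PowerShell audits both the WindowsLogon template in Active Directory (the Subject Name and Extensions tab settings configured earlier) and the issued certificates in the current user’s Personal store, checking for the Enhanced Key Usage values and the UPN in the Subject Alternative Name listed above. It assumes the ActiveDirectory RSAT module is installed and that the template name is WindowsLogon; the flag bit values are taken from the MS-CRTD specification.

```powershell
# Added example, not code from the book. Assumes the ActiveDirectory module (RSAT)
# and a template named WindowsLogon, as created in this chapter.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'

function Test-WindowsLogonTemplate {
    param([string]$TemplateName = 'WindowsLogon')
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $t   = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage'
    # Flag bits from MS-CRTD: 0x1 = ENROLLEE_SUPPLIES_SUBJECT (must be clear, so the CA
    # builds Subject and SAN from AD), 0x2000000 = SUBJECT_ALT_REQUIRE_UPN (must be set)
    $nameFlags = [int]$t.'msPKI-Certificate-Name-Flag'
    [pscustomobject]@{
        Template             = $TemplateName
        SubjectBuiltFromAD   = -not [bool]($nameFlags -band 0x1)
        SanRequiresUpn       = [bool]($nameFlags -band 0x2000000)
        HasSmartCardLogonEku = @($t.pKIExtendedKeyUsage) -contains $SmartCardLogonOid
        HasClientAuthEku     = @($t.pKIExtendedKeyUsage) -contains $ClientAuthOid
    }
}

function Test-WindowsLogonCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = @(); $upn = $null
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        } elseif ($ext.Oid.Value -eq '2.5.29.17') {
            # Subject Alternative Name: the formatted text shows the UPN as "Principal Name=<upn>"
            if ($ext.Format($true) -match 'Principal Name=(\S+)') { $upn = $Matches[1] }
        }
    }
    [pscustomobject]@{
        Subject        = $Cert.Subject
        Upn            = $upn
        SmartCardLogon = $ekus -contains $SmartCardLogonOid
        ClientAuth     = $ekus -contains $ClientAuthOid
        HasPrivateKey  = $Cert.HasPrivateKey
        NotAfter       = $Cert.NotAfter
    }
}

# Audit the template, then every certificate in the Personal store that carries the Smart Card Logon EKU
Test-WindowsLogonTemplate
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-WindowsLogonCertificate -Cert $_ } |
    Where-Object { $_.SmartCardLogon } | Format-Table
```

A certificate that reports SmartCardLogon and ClientAuth as True, a non-empty Upn, and HasPrivateKey as True matches the Details listed above; a template that reports SubjectBuiltFromAD as False would let an enrollee supply the UPN in the SAN, which is not what this chapter configures.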

Now select the Certification Path tab. You should see the following (Figure 17-17).
Figure 17-17. Certificate Path tab

The new certificate chains up to the PKIEdu Int CA Intermediate Cert. That cert chains up to the PKIEdu Root CA Root Certificate, which is trusted.

Congratulations! You have just issued a Windows Logon Certificate for Administrator.

Logging into Windows with a Windows Logon Certificate

To do this, you need a PKI-type smart card (e.g., ACS ACOS5 EVO), a compatible smart card reader, and the ability to import your Windows Logon Certificate into it. All smart card vendors supply Windows apps to initialize blank cards and manage the contents (certificates and private keys) of those smart cards.

Microsoft Certificate Services installs your certificate in the Personal folder of your Certificate Store. In my case, the ACS Certificate Manager cannot import from the Certificate Store, but only from a PKCS12 file. By default, you cannot export the private key of your Windows Logon Certificate, so you have to request that the cert be exportable when you enroll for it.

On my workstation (LEHPC), which is a member of my HUGHESNET-US domain, I used mmc.exe to request a Windows Logon Certificate for my lhughes domain account. I right-clicked the Personal/Certificates list of certificates and chose Request New Certificate. See Figure 17-18.
Figure 17-18. “Before You Begin” screen

Click Next. See Figure 17-19.
Figure 17-19. Certificate Enrollment Policy

I am going to use a domain Certificate Services enrollment policy, so I click Next. See Figure 17-20.
Figure 17-20. Certificates list

I select the Windows Logon template and expand Details (on the right), as shown in Figure 17-21.
Figure 17-21. Selecting certificates

To allow the certificate to be exportable, I click Properties.

In the Properties dialog, I go to the Private Key tab and then the Key options field. I check Make private key exportable. See Figure 17-22.
Figure 17-22. Check “Make private key exportable”

I then click OK. In the Certificate Enrollment dialog, I click Enroll.

The enrollment is successful (Figure 17-23).
Figure 17-23. Click Finish

In mmc.exe, the new certificate appears (Figure 17-24).
Figure 17-24. Shows new certificate

I double-click the new certificate to view it. See Figure 17-25.
Figure 17-25. New certificate information

Note that the purposes include Smart card Logon.

The cert was issued to Lawrence Hughes.

It was issued (signed) by PKIEdu Int CA.

The Valid from date is the day I issued the cert.

The Valid to date is one year later.

On the Details tab, I can see more detailed information on this certificate:

The Subject DN contains
      CN = Lawrence Hughes
      CN = Users
      DC = us
      DC = hughesnet
      DC = org
The Issuer DN contains
      CN = PKIEdu Int CA
      DC = us
      DC = hughesnet
      DC = org
The Enhanced Key Usage contains
      Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
      Client Authentication (1.3.6.1.5.5.7.3.2)
The Subject Alternative Name contains
      Other Name:
           Principal [email protected]
Select the Certification Path tab, as shown in Figure 17-26.
Figure 17-26. Certification Path tab

This certificate chains up to the PKIEdu Int CA Intermediate Certificate. That cert chains up to the PKIEdu Root CA Root Certificate, which is trusted.

This is exactly what I need for a Windows Logon Certificate for me.

I export the certificate in PKCS12 format:
  • Right-click my certificate in mmc.exe, and select All Tasks, Export.

  • I select Yes, export the private key.

  • I accept default settings on Export File Format (PFX).

  • I enter a passphrase to protect my PKCS12 (and confirm it).

  • I choose a folder to export my certificate into (in my case, C:\Certs).

  • I specify the file name as Lawrence Hughes Windows Logon Certificate.

I now insert a blank ACS ACOS5 EVO smart card in my USB smart card reader and use the ACS Initialization Manager App to initialize it.

I now use the ACS Certificate Manager app and enter the smart card PIN to allow me to import my Windows Logon Certificate into the smart card (Figure 17-27).
Figure 17-27. ACS Certificate Manager app

I click the green plus sign to add a new certificate. I select the PKCS12 file and enter the passphrase it is protected with. See Figure 17-28.
Figure 17-28. Password screen

My Windows Logon Certificate is now in my smart card. See Figure 17-29.
Figure 17-29. Windows Logon Certificate now listed

Now I log out of my Windows workstation and log back in. This time, I select Smart card (if it is not already selected) and insert my smart card into the reader. I enter the smart card PIN. In a few seconds, I am logged in as [email protected], without having to enter my UPN or any password.

Note

If you installed your CA in VMs running on your computer, when you log out, the CA is no longer running, so login will not work. You can move your VMs to another computer or do this exercise on a different computer.

If I lose my smart card, I can create another one from the PKCS12 container or even issue a new Windows Logon Certificate and load that into a new smart card.
