howto-sclogon.txt
This is what should be done in order to get a card that can be used for smartcard logon. Please note that [x] refers to one of the references listed at the end of the file.

1. Install PrimeCA and PrimeCard according to the READMEs. Choose to generate a first token. Copy the PrimeCard files to jboss after the PrimeCA installation but before restarting jboss.

2. Add our root CA to the domain controller. The CA certificate must contain a CDP (CRL Distribution Point) extension. Do steps 1 and 2 of the configuration instructions described in [1].

3. Generate the private key and create a certificate request on the domain controller. "Requesting Offline Domain Controller Certificates" in [0] describes how. The request file will be called domaincert.req in the rest of this howto.

4. Define a certificate that fulfils all the requirements of [2] in EJBCA (use Microsoft Template Value, CRL Distribution Point, KeyUsage, Enhanced KeyUsage and GUID as AltName). A new certificate profile has to be defined; use the ENDUSER template. Create an end entity profile using the new certificate profile. Run "certutil -dump domaincert.req" (see [0]). The "Other Name" under "Subject Alternative Names" defines the GUID, but the first two bytes (tag and length), 04 and 10, must not be part of the bytes entered in the web admin GUI. Add the new end entity with the new end entity profile.

5. Issue the certificate. Open domaincert.req in an editor. Go to the "Certificate Enrollment" page and choose "manually". Paste the request into the GUI and select PKCS7. Save the result.

6. Install the certificate on the domain controller and publish it. [0] tells how. Execute "gpupdate /force" and "certutil -pulse".

7. Define a publisher in "Edit Publishers". The following fields must be modified; do not touch any other field:
   * Type: use AD
   * Hostname
   * Base DN: if the name of the domain is int.primekey.se then set Base DN to CN=Users,DC=int,DC=primekey,DC=se
   * Login DN: set CN to the name of a user with privilege to publish users to AD, e.g. CN=Lars Silvén,CN=Users,DC=int,DC=primekey,DC=se
   * Login Password: the password of the user above
   * Use Fields in DN: choose only CN

8. Try "Save and test connection" in "Edit Publisher". If it does not work, read document [2] and figure out what the problem is.

9. Import the CA certificate into the "Enterprise NTAuth store" according to [3].

10. Define a certificate profile that fulfils the requirements of step 5 of [1]. The profile should also use the previously defined publisher. Use HARDTOKEN_AUTHENC as template.

11. Edit the hard token profile so that it uses the newly created certificate profile, but only for the "authenc" certificate.

12. Edit the end entity profile for the Administration token so that it contains all fields needed according to step 5 of [1].

13. Add a user with the administrator token end entity profile.

14. On the client the root certificate must be in the keystore of the machine (use the mmc snap-in for the local computer). It might be possible to handle this with a group policy.

References
[0] http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
[1] http://support.microsoft.com/kb/281245
[2] http://support.microsoft.com/kb/291010
[3] http://support.microsoft.com/kb/295663
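Step 4 is the place where people most often go wrong: the GUID shown by "certutil -dump" under "Other Name" is an OCTET STRING, and its DER header (tag 04, length 10 hex = 16 bytes) must be stripped before the value is entered as the GUID altName. The following is an added example, not part of howto-sclogon.txt or of EJBCA or PrimeKey code, that parses a SubjectAltName extension value, finds the domain controller GUID otherName (OID 1.3.6.1.4.1.311.25.1) and returns the 16 raw bytes. The sample SAN, its hostname and GUID value are constructed for the example, and the hex form of the GUID is an assumption about what the web admin field expects.

```python
"""Added example (not from howto-sclogon.txt or EJBCA): extract the domain
controller GUID from a SubjectAltName so it can be entered without the
OCTET STRING tag/length header (04 10) that certutil -dump shows."""

# OID of the Microsoft domain controller GUID otherName
MS_DC_GUID_OID = "1.3.6.1.4.1.311.25.1"


def _read_tlv(data: bytes, pos: int):
    """Parse one DER TLV at data[pos]; return (tag, value, next_pos).
    Handles short- and long-form lengths, which is enough for a SAN."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8n, then n length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def strip_octet_string_header(raw: bytes) -> bytes:
    """Given the bytes as shown by certutil (04 10 + 16 bytes) or already
    stripped (16 bytes), return the 16 GUID bytes; reject anything else."""
    if len(raw) == 18 and raw[:2] == b"\x04\x10":
        return raw[2:]
    if len(raw) == 16:
        return raw
    raise ValueError("expected 16 GUID bytes, optionally with a 04 10 header")


def extract_dc_guid(san_der: bytes) -> bytes:
    """Return the 16 raw GUID bytes from a SubjectAltName extension value.

    Walks the GeneralNames SEQUENCE, picks the otherName ([0]) whose type-id
    is the MS DC GUID OID, and strips the OCTET STRING header from its value."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, value, pos = _read_tlv(names, pos)
        if tag != 0xA0:                     # only otherName [0] is of interest
            continue
        oid_tag, oid_raw, inner = _read_tlv(value, 0)
        if oid_tag != 0x06 or _decode_oid(oid_raw) != MS_DC_GUID_OID:
            continue
        exp_tag, exp_val, _ = _read_tlv(value, inner)   # [0] EXPLICIT wrapper
        if exp_tag != 0xA0:
            raise ValueError("otherName value must be [0] EXPLICIT")
        return strip_octet_string_header(exp_val)       # drops the 04 10 header
    raise ValueError("no MS DC GUID otherName in SubjectAltName")


def guid_for_web_admin(san_der: bytes) -> str:
    """Hex string of the 16 GUID bytes (hex form is an assumption about the
    EJBCA web admin GUID field)."""
    return extract_dc_guid(san_der).hex()


# Constructed sample SAN: a dNSName (ignored by the parser) followed by the
# DC GUID otherName. Hostname and GUID value are made up for this example.
SAMPLE_GUID = bytes.fromhex("0123456789abcdef0123456789abcdef")
_OTHER_NAME = (
    b"\x06\x09\x2b\x06\x01\x04\x01\x82\x37\x19\x01"   # OID 1.3.6.1.4.1.311.25.1
    + b"\xa0\x12\x04\x10" + SAMPLE_GUID                # [0] { OCTET STRING (16) }
)
_DNS_NAME = b"\x82\x0f" + b"dc.example.test"           # dNSName [2]
_GENERAL_NAMES = _DNS_NAME + b"\xa0" + bytes([len(_OTHER_NAME)]) + _OTHER_NAME
SAMPLE_SAN = b"\x30" + bytes([len(_GENERAL_NAMES)]) + _GENERAL_NAMES

if __name__ == "__main__":
    print("GUID for the web admin GUI:", guid_for_web_admin(SAMPLE_SAN))
```

To use it on a real request, decode domaincert.req (base64 PKCS#10), locate the SubjectAltName extension in the requested extensions and pass its extnValue to extract_dc_guid; the parser deliberately rejects any value that is not exactly a 16-byte OCTET STRING, so a copy that still carries the 04 10 header or is missing bytes fails loudly instead of producing a wrong altName.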