
Key Containers / Default Certificate

Key containers are a technicality within PKI. When a smart card holds several certificates, it can be useful to know how to verify which certificate is the "default" one. In Windows, each certificate is enumerated together with its key container. Knowing which one is the default helps when working with applications that lack the logic and user interface to choose between multiple certificates. Examples of such applications are:

Novell client with its own GINA

Runas.exe, for example:
runas /smartcard notepad

Net.exe, for example:
net use /smartcard \\datornamn\resursnamn

For these applications only the default certificate can and will be used.

Before showing how to configure Net iD to change this behaviour and present the "correct" certificate, let's go through how to find out which certificate is considered the default.

Do not rely on the assumption that the most recently enrolled certificate is the default certificate. (Note: the most recently enrolled certificate is not always the one most recently written to the smart card.)

Here is a SITHS smart card with six user certificates, viewed with the Certificates snap-in in MMC.

Viewed with certutil.exe: start a command prompt and run:

certutil -viewstore -user My


View key containers:

certutil -key -csp "Net iD - CSP"
Unfortunately certutil.exe does not show the certificate that corresponds to each container, but the output gives us the "Default Container" value.


View a specific key container, in this case the default one:

certutil -viewstore -user My B448DB9CFECFF8F8D62821147754220E9ED15CB3
This shows us the certificate. Remember to replace B448DB9CFECFF8F8D62821147754220E9ED15CB3 with your own Default Container value.
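Since certutil -key lists containers without their certificates, the mapping in the other direction has to be done by hand. The PowerShell script below is an added example, not part of the original article or of Net iD: it walks the user's personal store, reads the key container name and provider behind each certificate's private key through the .NET X509Certificate2 API, and flags the certificate whose container equals the Default Container value you copied from certutil. The hex value in the parameter is the one from the article and is assumed to be replaced with your own; the card must be inserted, and opening a container may cause the CSP to access the card.

```powershell
# Added example (not from the original article or Net iD): map every
# certificate in Cert:\CurrentUser\My to the key container that holds its
# private key, then mark the one that matches the certutil "Default Container".
param(
    # Assumption: replace with the Default Container value reported by
    # `certutil -key -csp "Net iD - CSP"` on your own machine.
    [string]$DefaultContainer = "B448DB9CFECFF8F8D62821147754220E9ED15CB3"
)

function Get-KeyContainerInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) {
        return [pscustomobject]@{ Container = $null; Provider = $null }
    }

    # Legacy CSP keys (such as "Net iD - CSP") surface as RSACryptoServiceProvider,
    # whose CspKeyContainerInfo carries the container and provider names.
    try {
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info = $key.CspKeyContainerInfo
            return [pscustomobject]@{
                Container = $info.KeyContainerName
                Provider  = $info.ProviderName
            }
        }
    } catch {
        # PrivateKey throws for some CNG-backed certificates; fall through.
    }

    # CNG keys (stored by a KSP) are reached through the RSA extension method.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return [pscustomobject]@{
            Container = $rsa.Key.KeyName
            Provider  = $rsa.Key.Provider.Provider
        }
    }

    return [pscustomobject]@{ Container = "<unknown key type>"; Provider = $null }
}

# One row per certificate; IsDefault is true for the certificate whose
# container name equals the Default Container value.
Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $ki = Get-KeyContainerInfo -Cert $_
    [pscustomobject]@{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
        Provider   = $ki.Provider
        Container  = $ki.Container
        IsDefault  = ($ki.Container -eq $DefaultContainer)
    }
} | Sort-Object IsDefault -Descending | Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell session as the user whose card is inserted, since the store and the CSP context are per user; certificates whose Provider column shows a different CSP or KSP are not candidates for the Net iD default at all, which is a quick sanity check before changing any Net iD parameters.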


Good, now we know which certificate is treated as the default by applications that lack the logic and interface for selecting between multiple certificates.

Certificate enrolled by Demo CA v1 is the default.


Net iD, however, can change this behaviour by means of different parameters.

For example, for runas and certutil:

Certificate enrolled by SITHS Type 1 CA v1 is now the default.


For example, Windows smart card logon using the CertificateStoreMode parameter (which controls the order in which the certificates are read/stored):

Before: SITHS Type 1 CA v1 default.


After: Demo CA v1 default.


The Net iD Full Credential Provider can also be used to configure which certificate is prompted by default, so that the "correct" one is offered.

For example:

Before: Demo CA v1 default.


After: SITHS Type 1 CA v1 default.
