Key containers are a detail of the Windows cryptographic API (CryptoAPI) rather than of PKI as such, but they matter as soon as a smart card holds more than one certificate: each private key lives in a key container inside the CSP, and Windows enumerates the card's certificates through those containers. Knowing which container the CSP treats as the default is useful when an application has no logic or user interface for choosing between several certificates on the same card. Examples of such applications are:
Novell client with its own GINA
runas /smartcard notepad
net use /smartcard \\computername\sharename
With applications of this kind only the default certificate can and will be used.
Before showing how to configure Net iD to change this behaviour so that the "correct" certificate is presented, let's go through how to check which certificate is currently considered the default.
Do not rely on the common assumption that the most recently enrolled certificate is the default. (Note that the most recently enrolled certificate is not necessarily the one most recently written to the smart card.)
Here is a SITHS smart card with six user certificates, first viewed with the Certificates snap-in in MMC and then with certutil.exe:
Open a command prompt and run:
certutil -viewstore -user My
certutil -key -csp "Net iD - CSP"
The first command opens the user's Personal (My) store and lists the certificates; the second enumerates the key containers in the Net iD CSP and reports which of them is the Default Container. Unfortunately certutil.exe does not show which certificate belongs to which container, but now we know the name of the Default Container.
To view the certificate that belongs to a specific key container, in this case the default one, pass the container name as the certificate selector:
certutil -viewstore -user My B448DB9CFECFF8F8D62821147754220E9ED15CB3
This shows the certificate. Replace B448DB9CFECFF8F8D62821147754220E9ED15CB3 with the Default Container value from your own output.
Now we know which certificate an application without logic and interface for selecting between multiple certificates will use.
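The lookup above still ends in a GUI dialog. The following PowerShell script is an added example, not part of the original article and not Net iD or SecMaker code. It maps a key container name to the certificate that uses it by parsing the text output of certutil -user -store My, which is assumed to print a "Key Container = ..." and a "Provider = ..." line under every certificate that has a private key. The Default Container value is assumed to be copied by hand from certutil -key -csp "Net iD - CSP", exactly as in the article; the embedded sample output is constructed for illustration and does not come from a real card.

```powershell
# Added example: map a CSP key container to its certificate in CurrentUser\My.
# Assumption (not stated on the page): certutil -user -store My prints blocks
# delimited by "================ Certificate N ================" that contain
# "Subject:", "Issuer:", "Cert Hash(sha1):", "Key Container =" and "Provider =".

function Get-PersonalStoreKeyBindings {
    [CmdletBinding()]
    param(
        # Output lines of "certutil -user -store My"; runs certutil if omitted.
        [string[]]$CertutilOutput = (& certutil.exe -user -store My)
    )
    $results = @()
    $current = $null
    foreach ($line in $CertutilOutput) {
        if ($line -match '^=+\s*Certificate\s+(\d+)\s*=+') {
            if ($current) { $results += $current }
            $current = [pscustomobject]@{
                Index = [int]$Matches[1]; Subject = $null; Issuer = $null
                Thumbprint = $null; KeyContainer = $null; Provider = $null
            }
            continue
        }
        if (-not $current) { continue }
        if     ($line -match '^\s*Subject:\s*(.+)$')           { $current.Subject      = $Matches[1].Trim() }
        elseif ($line -match '^\s*Issuer:\s*(.+)$')            { $current.Issuer       = $Matches[1].Trim() }
        elseif ($line -match '^\s*Cert Hash\(sha1\):\s*(.+)$') { $current.Thumbprint   = ($Matches[1] -replace '\s', '').ToUpper() }
        elseif ($line -match '^\s*Key Container\s*=\s*(.+)$')  { $current.KeyContainer = $Matches[1].Trim() }
        elseif ($line -match '^\s*Provider\s*=\s*(.+)$')       { $current.Provider     = $Matches[1].Trim() }
    }
    if ($current) { $results += $current }
    # Certificates without a private key have no container and are dropped.
    $results | Where-Object { $_.KeyContainer }
}

function Get-DefaultSmartCardCertificate {
    param(
        # Default Container value reported by: certutil -key -csp "Net iD - CSP"
        [Parameter(Mandatory)][string]$DefaultContainer,
        [string]$ProviderName = 'Net iD - CSP',
        [string[]]$CertutilOutput
    )
    $bindings = if ($CertutilOutput) { Get-PersonalStoreKeyBindings -CertutilOutput $CertutilOutput }
                else                 { Get-PersonalStoreKeyBindings }
    # Match on provider as well: two CSPs may reuse the same container name.
    $match = $bindings | Where-Object { $_.Provider -eq $ProviderName -and $_.KeyContainer -eq $DefaultContainer }
    if (-not $match) { throw "No certificate in CurrentUser\My uses container '$DefaultContainer' in '$ProviderName'." }
    $match
}

# Constructed sample output (hypothetical, for an offline run of the parser).
$sample = @'
My "Personal"
================ Certificate 0 ================
Serial Number: 1a2b3c
Issuer: CN=Demo CA v1, O=Example
Subject: CN=Test User, O=Example
Cert Hash(sha1): b4 48 db 9c fe cf f8 f8 d6 28 21 14 77 54 22 0e 9e d1 5c b3
  Key Container = B448DB9CFECFF8F8D62821147754220E9ED15CB3
  Provider = Net iD - CSP
================ Certificate 1 ================
Serial Number: 4d5e6f
Issuer: CN=SITHS Type 1 CA v1, O=Example
Subject: CN=Test User, O=Example
Cert Hash(sha1): 0123456789abcdef0123456789abcdef01234567
  Key Container = 0123456789ABCDEF0123456789ABCDEF01234567
  Provider = Net iD - CSP
CertUtil: -store command completed successfully.
'@ -split "`r?`n"

# Offline demonstration: resolves the container named in the article to the Demo CA v1 certificate.
Get-DefaultSmartCardCertificate -DefaultContainer 'B448DB9CFECFF8F8D62821147754220E9ED15CB3' -CertutilOutput $sample |
    Format-List Subject, Issuer, Thumbprint, KeyContainer, Provider

# Against a real card: omit -CertutilOutput and pass your own Default Container value.
# Get-DefaultSmartCardCertificate -DefaultContainer '<value from certutil -key>'
```

The parser deliberately works on certutil's text rather than on the X509Certificate2 PrivateKey property: touching PrivateKey acquires a key context in the CSP, which for a smart card provider can trigger card or PIN prompts for every certificate in the store, while certutil -store reads the container binding from the certificate's property cache without opening the key.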
The certificate enrolled by Demo CA v1 is the default.
Net iD, however, can change this behaviour through a number of configuration parameters.
For example, for runas and certutil:
The certificate enrolled by SITHS Type 1 CA v1 is now the default.
For Windows smart card logon the CertificateStoreMode parameter controls the order in which the certificates are read and stored, and thereby which one becomes the default:
Before: SITHS Type 1 CA v1 is the default.
After: Demo CA v1 is the default.
Net iD Full Credential Provider can also be configured so that the "correct" certificate is the one prompted for by default.
Before: Demo CA v1 is the default.
After: SITHS Type 1 CA v1 is the default.