mirror of
https://github.com/samba-team/samba.git
synced 2025-01-07 17:18:11 +03:00
b0bdbeeef4
This is partly based on the SmartCard HowTo from: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
42 lines
1.2 KiB
INI
42 lines
1.2 KiB
INI
#[ usr_cert_scarduser ]
|
|
[ template_x509_extensions ]
|
|
|
|
# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
|
|
|
|
# This goes against PKIX guidelines but some CAs do it and some software
|
|
# requires this to avoid interpreting an end user certificate as a CA.
|
|
|
|
basicConstraints=CA:FALSE
|
|
crlDistributionPoints=URI:$CRLDISTPT
|
|
|
|
# For normal client use this is typical
|
|
nsCertType = client, email
|
|
|
|
# This is typical in keyUsage for a client certificate.
|
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
|
|
# This will be displayed in Netscape's comment listbox.
|
|
nsComment = "Smart Card Login Certificate for @@USER_PRINCIPAL_NAME@@"
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid,issuer
|
|
|
|
# This stuff is for subjectAltName and issuerAltname.
|
|
|
|
subjectAltName=email:copy,otherName:msUPN;UTF8:@@USER_PRINCIPAL_NAME@@
|
|
|
|
# Copy subject details
|
|
issuerAltName=issuer:copy
|
|
|
|
nsCaRevocationUrl = $CRLDISTPT
|
|
#nsBaseUrl
|
|
#nsRevocationUrl
|
|
#nsRenewalUrl
|
|
#nsCaPolicyUrl
|
|
#nsSslServerName
|
|
|
|
#Extended Key requirements for client certs
|
|
extendedKeyUsage = clientAuth,scardLogin
|
|
|