Ondrej Sevecek's English Pages

:

Engineering and troubleshooting by Directory Master!
MCM: Directory

Quick Launch

Ondrej Sevecek's English Pages > Posts > TPM virtual smart card (VSC) with key attestation on Windows 10
February 10
TPM virtual smart card (VSC) with key attestation on Windows 10

On Windows 8 and Windows Server 2012, if you wanted to use key attestation for TPM (Trusted Platform Module) virtual smart card (VSC) logon certificates (tpmvscmgr), you had to configure the certificate template to use the Microsoft Platform Crypto Provider.

Since Windows 10 and Windows Server 2016, you must configure the certificate template to use the Microsoft Smart Card Key Storage Provider instead.

Comments

Re: TPM virtual smart card (VSC) with key attestation on Windows 10

When you configure a certificate template for VSC logon and select Microsoft Smart Card Key Storage Provider, the selections on the Key Attestation tab become unavailable, and certificates issued against this template don't have any of the attestation EKUs (purposes).
 on 17/05/2016 14:59

Re: TPM virtual smart card (VSC) with key attestation on Windows 10

Yes, it is a problem of Win10 using a different KSP vs. the certificate templates MMC (certtmpl.msc) stubbornly insisting on the Platform Crypto Provider. You can always modify the template in ADSIEdit :-)
 on 17/05/2016 19:11

Re: TPM virtual smart card (VSC) with key attestation on Windows 10

Thanks for your reply.  Can you give an example of solving this issue by modifying a certificate template using ADSIEdit?
 on 17/05/2016 20:08

Re: TPM virtual smart card (VSC) with key attestation on Windows 10

Just create the template in the GUI as required, except for the provider. Then modify the provider name with ADSIEdit - CN=templatename,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...

This way it worked for me.
 on 17/05/2016 20:31
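The ADSIEdit change described in the comment above can also be scripted. This is an added example, not code from the post or its author; it assumes the RSAT ActiveDirectory module, write access to the template object, and a hypothetical template name `Smartcard-Logon-VSC` that you replace with your own. It edits `pKIDefaultCSPs` (where certtmpl.msc stores the provider list), bumps the minor revision so clients re-read the template, and then checks that the key-attestation bits in `msPKI-Private-Key-Flag` are still set, which is the thing the first comment reported losing.

```powershell
# Added example (not from the original post): script the ADSIEdit edit described above.
# Assumptions: RSAT ActiveDirectory module installed, write access to the template object,
# and $TemplateName is a hypothetical name you replace with your own template.
Import-Module ActiveDirectory

$TemplateName = 'Smartcard-Logon-VSC'                      # hypothetical template name
$NewKsp       = 'Microsoft Smart Card Key Storage Provider'
$OldCsp       = 'Microsoft Platform Crypto Provider'

# Templates live in the Configuration partition, under the container the comment names.
$configDn   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"

$tpl = Get-ADObject -Identity $templateDn `
    -Properties pKIDefaultCSPs, 'msPKI-Private-Key-Flag', 'msPKI-Template-Minor-Revision'
"Before: " + ($tpl.pKIDefaultCSPs -join '; ')

# pKIDefaultCSPs is multi-valued; each entry is '<order>,<provider name>'.
# Swap the Platform Crypto Provider entry for the Smart Card KSP and renumber the rest.
$newList = @()
$order   = 1
foreach ($entry in ($tpl.pKIDefaultCSPs | Sort-Object)) {
    $name = ($entry -split ',', 2)[1]
    if ($name -eq $OldCsp) { $name = $NewKsp }
    $newList += "$order,$name"
    $order++
}
# If the template had no provider list at all, add the KSP as the only entry.
if (-not ($newList | Where-Object { $_ -like "*,$NewKsp" })) { $newList += "$order,$NewKsp" }

# Bumping the minor revision makes enrollment clients pick up the changed template.
Set-ADObject -Identity $templateDn -Replace @{
    pKIDefaultCSPs                  = $newList
    'msPKI-Template-Minor-Revision' = ([int]$tpl.'msPKI-Template-Minor-Revision' + 1)
}

# Verify the result: provider list after the edit, and whether the attestation bits in
# msPKI-Private-Key-Flag survived (bit values from MS-CRTD: ATTEST_PREFERRED 0x1000,
# ATTEST_REQUIRED 0x2000).
$after = Get-ADObject -Identity $templateDn -Properties pKIDefaultCSPs, 'msPKI-Private-Key-Flag'
$flags = [int]$after.'msPKI-Private-Key-Flag'
"After : " + ($after.pKIDefaultCSPs -join '; ')
"Attestation preferred: {0}; required: {1}" -f `
    (($flags -band 0x1000) -ne 0), (($flags -band 0x2000) -ne 0)
```

If the attestation bits come back as False after the edit, the GUI cleared them when the provider was changed, and the template needs its Key Attestation settings re-applied before it is published to the CA.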


Re: TPM virtual smart card (VSC) with key attestation on Windows 10

Using Server 2016 TP5 (not Windows 10) certtmpl.msc GUI, you can set the provider to Microsoft Smart Card Key Storage Provider, and you can select to require Key Attestation and to perform Key Attestation based on Hardware certificate or Hardware key.  So selection in the GUI is not a problem.

Request handling is set to "Signature and smartcard logon".

However, if you request a certificate based on this template using the certmgr.msc GUI, the request fails with "the request does not support private key attestation as defined in the certificate template".
 on 17/05/2016 21:09

Re: TPM virtual smart card (VSC) with key attestation on Windows 10

My workaround is to use two templates. Enroll for Certificate 1, and use that as the required signing certificate for Certificate 2, as detailed below.

First, set up hardware key attestation (a file whose name is the SHA256 hash of the TPM endorsement key), hardware certificate attestation (create containers for Endorsement Key Root and Intermediate certificates, and import the TPM manufacturer's root and intermediate certificates into them), or both.  If using certificates, you need to import the TPM manufacturer's root certificate into the Trusted Root Certification Authorities as well.

Template 1 - TPM-Key-Attestation.  Microsoft Platform Crypto Provider, RSA algorithm, Require Key Attestation using hardware key, hardware certificate or both, Extensions: Endorsement key verified, Endorsement key certificate verified, or both, Authenticated Users Enroll permission.

Template 2 - Smartcard-Logon.  Microsoft Smart Card Key Storage Provider, RSA algorithm, no key attestation, Issuance Requirements: 1 authorized signature, for Issuance policy: Endorsement key verified, Endorsement key certificate verified, or both, Authenticated Users Enroll permission.
 on 20/05/2016 18:58

Re: TPM virtual smart card (VSC) with key attestation on Windows 10

Thanks for sharing. I didn't have time to check the first issue you mentioned, so I plan to do a more comprehensive test on Monday including your new discoveries. Thank you.
 on 20/05/2016 19:16
