What do we need a signature for? What idea does a signature on a document convey?

Well, a signature is nothing but a way of authenticating a document. Whenever we need to substantiate a document, paper, file, etc., a mere signature at the bottom does it all.

But we live in the world of the internet, where documents are created and exchanged online. Personal, legal, official, and even confidential information is nowadays communicated online. This sudden rise in online documentation and sharing calls for a method of authenticating an online document.


What is a digital signature?

A digital signature is a way to vouch for any online data or document. In other words, it is used to authenticate digital information — such as documents, e-mail messages, and macros — by using computer cryptography. Moreover, a digital signature in a document helps us affirm that the document has not been meddled or tampered with after it was signed by the legitimate authority, by converting the file into a ‘Read Only’ format immediately after signing.

Authenticity of a document – A Digital Certificate

A Digital Certificate is, in a way, an ‘identity proof’ of the digital signature. There are two methods of getting a certificate.

  1. Getting it from a certificate authority or Microsoft partner – If you plan to exchange digitally-signed documents together with other people, and you want the recipients of your documents to be able to verify the authenticity of your digital signature, you can buy a digital certificate from a reputable third-party certificate authority (CA) or from Office Marketplace.
  2. Create your own certificate – If you do not want to purchase a digital certificate from a certificate authority, you can create your own digital certificate.

NOTE – In this case if you share your digitally signed document with other people, they cannot verify the authenticity of the document without manually trusting the source.

How can digital signatures be used in Office documents?

There are in total two different ways to verify office documents with the help of digital signatures. You can either –

  1. Add visible digital signature to a document.
  2. Add an invisible digital signature to a document.

Both these methods are illustrated below.

Add visible signature to a document –

Once you have finished editing your document, the final step that remains to make it authentic is adding a digital signature to it. The steps to add a digital signature to your Word document are given below –

  1. Place your pointer at the location where you want to insert your signature. Now click on the ‘Insert’ tab and then, in the options that appear, click on ‘Signature line’ or ‘Microsoft office signature line’ (top right corner).
  2. If you are doing this for the first time, a small window might pop up at the center of your screen. Click OK. Then another window might show up.

     Here you can either get a certificate from a Microsoft partner or you may create your own digital ID. I would suggest, for the time being, you should go with the second option and click OK and then fill in your relevant details.

     Once you are done filling, click Create and your digital ID is made.

  3. Now a signature setup box appears on your screen demanding some information.
     • Suggested signer: Signer’s full name.
     • Suggested signer’s title: Signer’s title (optional).
     • Suggested signer’s e-mail address: Signer’s e-mail address (optional).
     • Instructions to the signer: Add instructions for the signer (if needed).

     Fill in this data, select one or both of the checkboxes given below (optional), and click OK.

  4. Now a box appears on your document. Double click on this box (or right click and select Sign from the menu).

     Now, to add a printed version of your signature, type your name in the box next to X. Or you can upload an image/logo by clicking on the ‘Select Image’ option and selecting the image you like.

     Now click the ‘Sign’ button.

  5. A message will now pop up on your screen. Click OK and you are done.

Your visible signature is now uploaded in your document making it a ‘read only’ file. You may remove or look into this signature by right clicking on the signature block and selecting ‘Remove signature’ or ‘signature setup’ respectively.

Add invisible signature to a document –

If you do not need to insert visible signature lines into a document, but you still want to provide assurance as to the authenticity, integrity, and origin of a document, you can add an invisible digital signature to it.

For this, after your document is complete, go to ‘File’ (top left corner). In the drop down menu go to ‘Info’ and then click on ‘Protect Document’.

Again a drop down menu will appear. In this menu, click on ‘Add a Digital Signature’ button. A small window will now pop up on your screen like the image shown.

In this window, fill the relevant details (optional) and then click on ‘Sign’. Again a dialog box will appear as illustrated in point 5 above. Click on OK.

And you are done! Your document now carries an invisible signature and has been converted into an un-editable file. An image at the bottom bar tells that the document is protected.

This is how you can easily authenticate your Word documents by adding visible or invisible digital signatures to them.

If you couldn’t follow something from our article, please do tell us. We would be delighted to help you.

  • 1 Allowing Smart Card Login to a Samba4 Domain
    • 1.1 Introduction
      • 1.1.4 Smartcard Hardware
    • 1.2 Basic Setup of Test Environment
      • 1.2.1 Client OS
    • 1.4 Create a Certificate Authority and Create Certificates, Related Cryptographic Items
      • 1.4.3 Create the CA Root Certificate
      • 1.4.4 Obtain Each User's User Principal Name (UPN) and the Domain Controller's GUID
    • 1.5 Set up the CRL Distribution Point
    • 1.6 Configure the Samba Domain Controller
    • 1.7 Configure Windows to Accept Your CA
    • 1.8 Import User Certificate to Smart Card
    • 1.10 Additional Notes and Thoughts


What This HOWTO Covers

This HOWTO walks through one way to get smart card login functionality working on Windows 7/8 clients that are joined to an Active Directory domain hosted by a Samba 4 AD domain controller.

What This HOWTO Doesn't Cover

Some of the many related topics this HOWTO doesn't cover:

  • In this HOWTO, the private keys are generated in software, stored on disk and then loaded onto the smart card. Some might prefer to generate the keys on the smart card itself, so that the key material never leaves the card. How to do that is well beyond the scope of this HOWTO.
  • I used the smart cards and smart card reader that I used -- and no others. How to select among the many Windows-compatible smart card(s) and reader(s) available is a topic outside the scope of this HOWTO.
  • This HOWTO will not cover obtaining and installing Windows drivers for your smart card reader or your smart card. There's just too many of them. That being said, if the information isn't easily obtainable from the vendor, then I would advise you to consider if that vendor is someone from whom you should be buying items that you have to place your full trust in.
  • This HOWTO will touch on, but not cover how to transfer certificates to your smart card. I do mention one tool that might work for a certain type of card, but even a walkthrough for that tool would be specific to the card I use.

Domain Information

Server (Niagra)

  • Operating System: Ubuntu Server 12.04.1 LTS
  • Samba version: 4.0.1
  • Installation Directory: /usr/local/samba
  • Server Hostname: niagra
  • DNS Domain Name: greatlakes.example.com
  • NT4 Domain Name: GREATLAKES
  • IP Address: (static)
  • Server Role: DC
  • DNS Backend: Internal

Client (Buffalo)

  • Operating System: Windows 7 Professional SP1, fully patched
  • IP Address configured via DHCP, with a static DNS entry.

Smartcard Hardware

Although this HOWTO does not cover the ins-and-outs of working with smartcards -- as I said, there are a lot of different varieties out there, each fitting different types of users and needs -- here's the card and reader I used for those interested. This equipment met my needs. YMMV.

Smartcard Reader: Gemalto PCExpress

This is an ExpressCard/54 form-factor smart card reader. Apparently, Gemalto now sells this reader under the name 'IDBridge CT510.' Windows 7 and 8 drivers are available on Gemalto's website, and through the Microsoft Update Catalog website.

Smartcard: Gemalto .NET v2+ Smartcard

This card has been replaced by the 'IDPrime .NET' family of cards. The one I used appears to be closest to the 'ID Prime .NET 510' in functionality.

Windows 7 and 8 drivers can be downloaded from Gemalto's website. For Windows you will, at a minimum, need to have the card minidriver installed. The minidriver provides access to the smartcard for Windows, and is all you'll need to have installed in order to use this particular card for Windows client logins once the card has the necessary certificates installed on it.


Gemalto also provides a PKCS#11 library for this card that allows applications to communicate with it via the standard PKCS#11 interface. Examples of such applications include Mozilla Firefox and Truecrypt. Using the PKCS#11 library, you can add and delete certificates from the smartcard within Firefox, and you can also set the smartcard's PIN. However, as far as I know, you can't use Firefox to change the card's admin/unblock key, which, on the Gemalto cards at least, is set to a default of all zeros. If you want to use these cards outside a casual setting, make sure you change the admin/unblock key. Gemalto distributes the PKCS#11 libraries as pre-compiled libraries, so they are OS-family specific. Currently, there's one for Windows and one for MacOS X 10.7-10.8 available on the relevant Gemalto download page. The Gemalto website states elsewhere that there is a Linux version of the library available by special request.

Basic Setup of Test Environment

I generally followed the Main Samba HOWTO, up until the point where the Windows client successfully joined the domain. I deviated in a few ways, listed here.

Client OS

I used Windows 7 as my client instead of Windows XP.

Windows XP Warning

The directions in this HOWTO currently do not result in successful smart card logins on Windows XP clients. The Samba log will show a successful Kerberos authentication, but the logon will fail on the Windows XP client with an error message in the event log about an 'Invalid algorithm specified.'

I suspect the problem is that I (sanely) used SHA256 as my signing hash. Windows XP did not support the SHA2 suite of hashes at all until Service Pack 3, and even then, there are still issues. One possible fix (that I have not tried) would be to replace 'sha256' with 'sha1' in the OpenSSL configuration file provided, and in the command used to generate the Root CA certificate, and then see if the resulting set-up successfully works on Windows XP. But even if it does, is it really worth it, given the reasons why you'd use a smart card for login?

Package Installation

In addition to the packages listed in the Samba HOWTO, I also installed the following packages on the Ubuntu server that was running Samba:

  • libaio-dev
  • lighttpd (for CRL distribution point)


Samba 4.0.1 was configured as follows:


The Active Directory domain was provisioned as follows:

User Configuration and Directory Organization

For this HOWTO, I have created two users: Tina Admin, with the username tina and password 1123Eureka5; and Jerry User, with the user name jerry and password pa$$w0rd. The single client Windows workstation is named Buffalo. The directory is organized as follows:

Create a Certificate Authority and Create Certificates, Related Cryptographic Items


  • OpenSSL: You will need to have working OpenSSL 1.0.1 binaries. I used OpenSSL 1.0.1c on Windows. I believe 1.0.0 binaries will work as well, but I have not tested this.
  • Smartcard, Smartcard Reader and Windows drivers. You'll also need to have installed the drivers for both the card reader and the card on any Windows client where you will login with a smart card.
  • CRL Distribution Point (CDP): Microsoft requires that smart card certificates pass a revocation check when a login is attempted. Therefore, you will need to set up a location that each workstation can access (webserver, ftpserver, ldap, etc.) where Certificate Revocation Lists (CRLs) for the CA can be obtained.

For the purposes of this HOWTO, the CDP location will be http://crl.greatlakes.example.com/greatlakes.crl, and will be hosted on a webserver on the domain controller. In general, one should not host other externally accessible services on the directory server, but this shouldn't be an issue for the purposes of this limited setup. As mitigation, the CDP server name will be an alias set up as a DNS CNAME record, so that the CDP server can be moved to another server later. As an alternative, I believe that one could set up an LDAP CDP within the directory, which the MS support document shows is acceptable for the purpose of revocation checking during logon. I am not sure how to set this up, however.

Create the Base CA Structure

A base OpenSSL configuration file is shown below. You will need to customize it for your location.

Follow these steps to set up the basic CA structure:

  1. Create a directory for the CA, which will be referred to as the CA Base Directory.
  2. Copy the base configuration file to that directory, edit it where indicated, and name it openssl.cnf.
  3. Create the following directories in the CA Base Directory: certs, crl, private, newcerts
  4. Create a blank text file named index.txt in the CA Base Directory.
  5. Create the 'serial' file:
  6. Create the 'crlnumber' file:
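
Steps 3 to 6 can be scripted so that re-running them never resets an existing CA. The following is an added example, not the HOWTO's own commands: the function name, the starting counter value of 01, and the owner-only mode on 'private' are assumptions.

```python
from pathlib import Path

# Directory names are the ones listed in step 3 of the HOWTO.
CA_SUBDIRS = ("certs", "crl", "newcerts", "private")

# Assumption: both counters start at 01. 'openssl ca' reads these files as
# hexadecimal numbers and increments them on each issuance / CRL generation.
COUNTER_FILES = {"serial": "01\n", "crlnumber": "01\n"}


def init_ca_dir(base):
    """Create the CA Base Directory layout and return the paths newly created.

    Existing files are never overwritten: truncating index.txt makes the CA
    forget which certificates it issued (so they can no longer be revoked),
    and resetting 'serial' makes it hand out serial numbers a second time.
    """
    base = Path(base)
    base.mkdir(parents=True, exist_ok=True)
    created = []

    for name in CA_SUBDIRS:
        directory = base / name
        if not directory.exists():
            directory.mkdir()
            created.append(directory)

    # The CA private key will live here, so restrict it to the owner.
    (base / "private").chmod(0o700)

    # Step 4: the (initially empty) certificate database.
    index = base / "index.txt"
    if not index.exists():
        index.touch()
        created.append(index)

    # Steps 5 and 6: the serial and CRL number counters.
    for name, initial in COUNTER_FILES.items():
        counter = base / name
        if not counter.exists():
            counter.write_text(initial)
            created.append(counter)

    return created
```
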

Create the CA Root Certificate

Make the Root Certificate

From the CA Base Directory, execute the following command:

You will be prompted for a password for the CA private key. You will need it to issue any certificates signed by the CA. You will then be asked to provide other information that will be incorporated in to the certificate.

If all goes well, a public CA root certificate will be created in the CA Base Directory with the name cacert.pem. The private key will be created in the directory 'private', with the name cakey.pem. Remember that anyone with the CA key (and the password for it) can issue certificates from the CA -- and create valid login credentials for your domain.

Verify the Information in the Root CA Certificate

Using the following command, output the CA root certificate to text format, and examine the outputted file.

In particular, ensure that the CRL distribution point is correct. Technically, the value listed in the CA cert might be ignored, but it will matter in issued certificates, and it's much easier to fix errors now -- just delete the root certificate and private key, change the relevant values in the configuration file, and create a new root certificate and key.

Create a DER Format Version of the CA Root Certificate

Windows doesn't understand PEM-formatted certificates, so we'll create a DER-formatted copy of the CA root certificate, and give it a Windows-friendly .cer extension.

Obtain Each User's User Principal Name (UPN) and the Domain Controller's GUID

Before you can issue certificates, you will need to obtain the 'User Principal Name' of each user that will be logging in via smart card, as well as the GUID of your domain controller.

I assume you have installed the Remote Server Administration Tools on a domain-joined Windows client machine - you'll need the included Active Directory Tools. If not, please go ahead and do so now. Then launch the Active Directory Services Interfaces Editor (listed as ADSI Edit in the Administrative Tools menu), while logged in as a domain Administrator.

Right-click on the 'ADSI Edit' in the upper left hand corner of the screen and select 'Connect To..'

The Connection Settings dialog box should appear. You should be able to just click OK.

Once a connection has been established, you can browse down the tree.

Get the Domain Controller's GUID

When you expand the 'Default naming context' and its child 'DC=greatlakes,DC=example,DC=com', you'll see a list of child nodes of items in Active Directory.

Select the child node called 'OU=Domain Controllers'. There should be one child: 'CN=NIAGRA'. Right click on that child and select 'Properties' from the pop-up menu.

The Attribute Editor appears. Scroll down until you find the entry for the attribute 'objectGUID', then click the 'View' button.

Make sure that the 'Value format' is set to Hexadecimal, then copy the value listed and save it somewhere.

Click OK to close the Attribute Editor dialog, then close the Attribute Editor window for the Niagra domain controller object.

Get Each User's UPN

A UserPrincipalName is a user's identifying name within the underlying Kerberos authentication. You will need a user's UPN so you can make a part of their login certificate, which will allow the Kerberos authentication logic on the Samba domain controller to map the certificate to an Active Directory user account.

A UPN is an attribute of a user object. In this test setup, all users are located in the 'People' Organizational Unit, so expand that node in ADSI Edit.

The user Tina Admin is in the 'ITAdmins' Organizational Unit, so expand that node, then right-click on the 'CN=Tina Admin' node, and select 'Properties' from the popup menu.

In the Attribute Editor dialog, scroll down to the attribute 'userPrincipalName' and copy down the value: '[email protected]' (While the UPN is usually the [email protected], it isn't always).

Repeat the procedure to obtain the UPN of Jerry User, who is located in the 'FieldReps' Organizational Unit.

Create a Certificate for the Domain Controller

Add the following section to the CA's OpenSSL configuration file (openssl.cnf), editing as indicated

The 'extendedKeyUsage' line consists of previously-defined aliases for object identifiers (OIDs). The serverAuth and clientAuth aliases are built-in to OpenSSL, while the 'msKDC' alias is defined in the 'new_oids' section at the top of the OpenSSL configuration file.

The 'subjectAltName' line is a list of alternative identifiers for the subject of the certificate. The contents are determined by the requirements that Microsoft has specified for Domain Controller certificates. In particular, Microsoft has required that a DC's certificate contain:

  • The DNS name of the domain controller, which in OpenSSL configuration files is DNS:XXXX, where XXXX is the DNS name of the system.
  • The GUID of the domain controller object in the directory, obtained earlier in this HOWTO. The 'otherName' identifier allows for an arbitrary identifier, consisting of an OID type and then a value. In this case, the identifier is of type 'msADGUID', an alias for an OID defined earlier in the configuration file (and taken from the MS support document referenced earlier); while the value is the domain controller's GUID in hex. The OCT means that the following value is an octet string. For more information, see http://www.openssl.org/docs/crypto/ASN1_generate_nconf.html

Afterwards, replace the commented-out line in the OpenSSL configuration file

with this line, which tells OpenSSL to add the extensions listed in the 'usr_cert_mskdc' section to certificates it issues from the CA.

Save the configuration file and then use the following commands to create a request for, and then issue a signed certificate for the domain controller.

You will then be asked for some information about the certified entity. When it asks for the Common Name (CN) enter the DNS name of the server. You can leave the email address blank.

Now have the CA issue the certificate:

Enter the password for the CA root key, verify the information for the requested certificate. If it's correct, type 'y' to issue the certificate, and 'y' to commit it to the CA's internal database.

Your domain controller certificate is dc-cert.pem, with a private key stored in the private directory as dc-key.pem.

If you convert your domain controller certificate to DER format and open it on a Windows machine, you can verify that the subject alternative name contains an entry of type 'DS Object Guid', and a value of '04 10 [Domain Controller GUID]'. According to Microsoft's documentation, the 04 is the tag byte for an octet string, while the 10 is the length of the string (16 bytes).
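
The '04 10 [GUID]' check can be done mechanically. This added example (not part of the original HOWTO) builds the expected bytes from the hexadecimal value copied out of ADSI Edit and compares them with what the Windows certificate viewer displays. It goes beyond the page in one respect: it also converts a GUID given in dashed string form, whose first three fields are byte-swapped relative to the stored objectGUID. The function names and the sample GUID in the test are constructed for illustration.

```python
import re
import uuid


def raw_guid_from_adsi_hex(text):
    """Turn ADSI Edit's hexadecimal view ('FF 19 96 ...') into 16 raw bytes.

    Only whitespace is stripped. A dashed string-form GUID is rejected here on
    purpose, because its digits are not in stored byte order.
    """
    digits = re.sub(r"\s", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", digits):
        raise ValueError("expected exactly 16 bytes of hexadecimal")
    return bytes.fromhex(digits)


def raw_guid_from_string(text):
    """Convert a dashed string-form GUID to the byte order stored in objectGUID."""
    return uuid.UUID(text).bytes_le


def der_octet_string(raw):
    """DER-encode a short OCTET STRING: tag 04, one length byte, then the value."""
    if len(raw) > 127:
        raise ValueError("short-form length only")
    return bytes([0x04, len(raw)]) + raw


def expected_san_display(raw_guid):
    """The hex a certificate viewer should show for the 'DS Object Guid' entry."""
    return " ".join(f"{b:02x}" for b in der_octet_string(raw_guid))


def san_matches_dc(displayed, raw_guid):
    """Compare the displayed SAN value with the DC's objectGUID.

    Returns (ok, reason) so a mismatch says which part is wrong.
    """
    try:
        got = bytes.fromhex(re.sub(r"\s", "", displayed))
    except ValueError:
        return False, "displayed value is not hexadecimal"
    if len(got) < 2 or got[0] != 0x04:
        return False, "missing OCTET STRING tag 04"
    if got[1] != 0x10 or len(got) != 18:
        return False, "length is not 10 hex (16 bytes)"
    if got[2:] == raw_guid:
        return True, "ok"
    # Typical mistake: the string-form digits were pasted as if they were raw.
    if got[2:] == uuid.UUID(bytes_le=raw_guid).bytes:
        return False, "GUID fields are byte-swapped (string form used as raw hex)"
    return False, "GUID differs from the DC's objectGUID"
```
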

Generate Certificates for Each User

Append the following to the OpenSSL configuration file of your CA, and edit the 'subjectAltName' line to include the UPN of one of your users.

For Tina Admin, the resulting line will be:

The 'msUPN' is another OID, this time indicating that the following value is a userPrincipalName.

The ExtendedKeyUsage 'scardLogin' is an alias for the OID By default, when Windows looks at all the certificates on a smart card, it only recognizes certificates with that EKU value as potential certificates for logging in. (You can, however, change that by enabling the group policy setting 'Allow certificates with no extended key usage certificate attribute').

Finally, replace the line in the configuration file


and save the configuration file.

Execute the following command from the CA Base Directory to create a certificate request for Tina Admin:

Then provide the requested information. The key piece of information is the Common Name.

Then enter the following command to verify the certificate information, and have the CA sign the request and issue the certificate:

Convert the resulting CA certificate to DER format, and on Windows, you can open the DER-formatted certificate and verify that the UPN attribute is correct, and that the certificate has Smart Card Logon as an enhanced key usage:

Edit the OpenSSL configuration file for Jerry User, and then create his certificate.

Generate a CRL

In the CA Base Directory, create a CRL using the following command:

Generate a Diffie-Hellman Parameters File for the Domain Controller

In the CA Base Directory, create a DH parameters file for the domain controller by executing the following command. The parameters size must match that of the domain controller certificate. Feel free to add some random files to the mix.

This will probably take a while, so go out and get some fresh air. (If you decided that you had to have a 4096-bit certificate for your domain controller, good luck!)

Set up the CRL Distribution Point

Create a CNAME record for the CRL Distribution Point Location (Optional)

While this isn't strictly necessary, it will make it possible to move the CDP location at a later date, without having to change the information in any of the certificates. Obviously, you can only do this if you didn't pick a name that is already being used for other services. On the Samba domain controller, enter the command (substituting your domain information):

To verify that the record is working correctly, ping the new alias (e.g., crl.greatlakes.example.com) from both your Samba server and your Windows client.

Copy the CRL to the Distribution Location

In my sample domain, I installed the lighttpd web server on the domain controller. By default, its document root directory is /var/www. I've copied the CRL generated earlier to the document root directory, and given it the name 'greatlakes.crl' to match the name listed in each certificate as the CRL Distribution Point.

Verify that Windows Domain Clients Can Access the CRL Distribution Point

Verify that Windows machines in your domain can access the CRL at the correct location by entering the CRL distribution location listed in your certificates into Internet Explorer on a domain-joined Windows client. If successful, IE should ask whether to open or save the file, and if you click open, you should see a window containing information about the CRL.

Configure the Samba Domain Controller

Shut down Samba

Delete Samba-Generated Certificates and CA Files

In the tls subdirectory, there will already exist a ca certificate named ca.pem, and a domain controller certificate/private key pair named cert.pem and key.pem, respectively. Delete all three files (after backing them up somewhere).

Copy Necessary Files to the Samba Domain Controller

You'll need to have the following files on your DC. In this example, they will have the following names:

  • The Domain Controller certificate and private key (dc-cert.pem, dc-key.pem)
  • The Root CA certificate (but not the CA root key) (cacert.pem)
  • The CRL (ca.crl)
  • The Diffie-Hellman parameters file (dc-dhparams.pem)

Put each of these files, except the Domain Controller's private key, in the now-empty 'tls' sub-directory of your Samba domain controller's provision. Then, create a directory named 'secure' in the tls directory, and put the Domain Controller's private key in this newly-created 'secure' directory. Make sure that both the 'secure' folder and the Domain Controller's private key are only accessible to root (and the user that Samba is running as, if it is different).

The resulting directory/file structure is as follows:

Decrypt the Domain Controller Private Key

Samba can't read encrypted private key files, so you'll need to decrypt the domain controller's private key file and store it somewhere. For simplicity, I stored it in the same directory as the encrypted key, and named it dc-privkey.pem. You'll need to run this command as a user that can access the private key.

Again, make sure that only root (and the user account Samba is running as, if it is different) can access the private key file (whether encrypted or decrypted).
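
The access rule above can be checked with a short audit of the 'tls' directory. This is an added example, not part of the original HOWTO: it flags group/other permission bits and unexpected owners on 'secure' and the files in it, and flags PEM private keys left directly in 'tls'. The function names are hypothetical, and `allowed_uids` defaults to root only; pass Samba's uid as well if it runs as a different user.

```python
import re
from pathlib import Path

# Matches 'BEGIN PRIVATE KEY', 'BEGIN RSA PRIVATE KEY',
# 'BEGIN ENCRYPTED PRIVATE KEY' and similar PEM headers.
KEY_HEADER = re.compile(rb"-----BEGIN ([A-Z ]*)PRIVATE KEY-----")


def pem_key_state(path):
    """Return 'encrypted', 'plaintext', or None if the file holds no PEM key."""
    data = Path(path).read_bytes()
    match = KEY_HEADER.search(data)
    if match is None:
        return None
    # PKCS#8 marks encryption in the header; the traditional format uses a
    # 'Proc-Type: 4,ENCRYPTED' line after the header.
    if b"ENCRYPTED" in match.group(1) or b"Proc-Type: 4,ENCRYPTED" in data:
        return "encrypted"
    return "plaintext"


def audit_tls_dir(tls_dir, allowed_uids=(0,)):
    """Return a list of findings for the Samba 'tls' directory (empty if clean)."""
    tls = Path(tls_dir)
    secure = tls / "secure"
    findings = []

    def owner_only(path):
        st = path.stat()
        label = str(path.relative_to(tls))
        if st.st_mode & 0o077:
            mode = st.st_mode & 0o777
            findings.append(f"{label}: mode {mode:03o} grants group/other access")
        if st.st_uid not in allowed_uids:
            findings.append(f"{label}: owned by unexpected uid {st.st_uid}")

    if secure.is_dir():
        owner_only(secure)
        for entry in sorted(secure.iterdir()):
            if entry.is_file():
                owner_only(entry)
    else:
        findings.append("secure: directory missing")

    # Certificates, the CRL and DH parameters belong in tls/ itself;
    # private keys (encrypted or not) do not.
    for entry in sorted(tls.iterdir()):
        if entry.is_file() and pem_key_state(entry) is not None:
            findings.append(f"{entry.name}: private key stored outside secure/")

    return findings
```
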

Modify Samba's Configuration File to Use Your PKI Infrastructure

Add the following lines to the global section of your smb.conf (adjust for your provision location):

Start Samba

Verify using the logs that there were no errors loading the certificate and associated files.

Shutdown Samba (Again)


Edit the Samba KDC Configuration File to Enable PKINIT Authentication

Open the Kerberos configuration file in your Samba provision, /usr/local/samba/private/krb5.conf, and edit it to look like the following (adjusted for your domain, of course). The first four lines should be identical to the existing contents of the krb5.conf file. (You can find out more regarding these settings here.)

Note: the dash in 'enable-pkinit' is not a typo.

Save the configuration file and close it.

Replace System Kerberos Configuration File with Symlink to Samba's Internal Kerberos Configuration File

Archive your existing system-wide Kerberos configuration file (typically /etc/krb5.conf) file and then replace it with a symlink to Samba's internal Kerberos configuration file.

Start Samba

Start the Samba DC again and ensure that it starts up cleanly.

Configure Windows to Accept Your CA

Add the Root CA certificate to the Trusted Root CAs for the Domain

Log on to a domain-joined Windows client as a domain administrator, and copy a DER-format copy of the CA root certificate to the Desktop. Give it the file name cacert.cer, then open the Group Policy Management tool.

Expand the tree node labeled 'Forest: greatlakes.example.com,' then expand the child node labeled 'Domains,' and finally, expand the child node labeled 'greatlakes.example.com.'

Right click on the node labeled 'Default Domain Policy,' and select the top menu option, 'Edit..'

In the Group Policy Management Editor window that opens, expand the 'Policies' node under 'Computer Configuration', then expand the 'Windows Settings' node, then 'Security Settings', and then expand the node labeled 'Public Key Policies.'

Right click on the child node labeled 'Trusted Root Certification Authorities' and select 'Import..' from the popup menu. The 'Certificate Import Wizard' appears.

Click 'Next,' then enter the location of the root certificate file that you copied over earlier.

Click Next. The next page of the dialog box should present you with a non-choice - the certificate will be placed in the 'Trusted Root Certification Authorities' certificate store -- which is exactly what you want.

Click Next. The summary page should appear.

Click Finish, and if the certificate was successfully imported into the Default Domain Group Policy, you will see the message 'The import was successful.' Click OK. The root certificate should now appear under Trusted Root Certification Authorities in the Group Policy Management Editor.

Close the Group Policy Management Editor and the Group Policy Management window. Once domain clients update their group policy, they will trust your CA as a legitimate certificate authority.

Update Your Windows Client's Group Policy

One way to update group policy is to reboot. The other way is to open a command prompt with administrator privileges and execute the following command:

Windows should tell you that it has updated both Computer policy and User policy.

Verify that Your CA is Now a Trusted Root CA on the Windows Client

In a command prompt with administrative privileges, execute the following command to open the Microsoft Management Console (MMC):

In the window that opens, go to the File menu and select 'Add/Remove Snap-in..'

Select the 'Certificates' snap-in from the list on the left hand side of the dialog box and click 'Add', then choose 'Computer account' in the dialog box that appears, and click 'Next.' Select 'Local computer' in the next window, and click 'Finish.'

The right hand side of the 'Add or Remove Snap-ins' window should now have an entry 'Certificates (Local Computer)'. If so, click 'OK'.

In the middle pane, double click on the item labeled 'Certificates (Local Computer),' and then double-click on the 'Trusted Root Certification Authorities' item that appears in the middle pane.

Double click on the lone 'Certificates' item that now appears in the middle pane.

A list of certificates is displayed. Verify that your root certificate is among them.

Close the MMC window. You can safely select No when it asks you if you want to save.

Add the Root CA Certificate to the Domain's Enterprise NTAuth Store

We also need to add the root CA certificate to the domain's Enterprise NTAuth store, by following Method 2 listed here. Specifically, at a command prompt with administrative privileges, execute the following command:

If all goes well, you should see the following output:

Import User Certificate to Smart Card

Unfortunately, how one does this largely depends on the smart card hardware you're using and the infrastructure you're setting up. The myriad permutations and considerations go far beyond the scope of this document.

One way is to use Firefox's Certificates panel (located in the Options Window under Advanced-Encryption). Firefox can use a PKCS#11 library/driver for your particular smart card as a Security Device; when the module is loaded in the Security Device panel and you've logged into the smart card, you can use the Certificates panel to add or remove the certificates installed on the smart card. You'll need to have a PKCS#11 library/driver for your card, and you'll need to have your user certificates/private keys packaged into PKCS#12 files in order to have Firefox import them onto the smart card.

Sidebar: Getting a PKCS#12 Version of a User Certificate

Whatever the method, you will likely need to have a PKCS#12 file containing both your user's certificate and private key in order to import them onto the smart card. You can do this with OpenSSL. The following command will create a PKCS#12 file for the Tina Admin user's certificate:

You will be prompted for a password three times. The first one is to decrypt the existing private key file. The second one is for a password to encrypt the private key when it is stored in the PKCS#12 file. The third one is to verify that you typed the second one correctly.

Log In!

At this point, if you log out from the domain-joined Windows client, and then insert the smart card with the user logon certificate installed on it, you should see a smart card icon on the Windows welcome screen. (You may have to press Escape and/or CTRL+ALT+DELETE a few times.)

Click on it, then enter the smartcard's PIN in the provided box.

Provided you entered the correct PIN, you should be logged in to the Windows client.

Additional Notes and Thoughts

Setting Up Additional Clients

After this procedure has been completed for the first time, other Windows clients in the same domain should work once they update group policy -- assuming they have the necessary smart card and smart card reader drivers installed. Clients joined to the domain at a later date will update group policy when they join the domain.

Adding New Smart Card Logon Users

To give another user the ability to login with a smart card, add the user to the directory, create a certificate for them (using their UPN), and put it on a smart card. The user will then be able to login to the domain with that smart card at properly set up workstations.


Retrieved from 'https://wiki.samba.org/index.php?title=Samba_AD_Smart_Card_Login&oldid=13281'