Problem with SSL clientAuth on Custom BaseCSP minidriver

  • Question

  • I am trying to get Firefox and IE to perform TLS/SSL client Authentication with an embedded device using certificates and keys on a Smartcard. The Windows host is a Windows 7 box. There is no Domain Controller or other infrastructure.

    For Firefox I have written a pkcs11 DLL and it performs correctly. I have also written a baseCSP minidriver to perform the same action for IE (and Chrome), however it is not working correctly.

    On IE it gets to the point of asking the user to select the required certificate and then comes back with another dialog saying "Please Insert smart card" instead of asking the user for the PIN. The dialog provides the following detailed error:

    "A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate."

    I have enabled the debug level on the CAPI2 module in Event Viewer and it shows that the X509 objects are correctly formed and that the "Build Chain" succeeded. It does not show any certificate errors etc.

    I have installed the top level CA certificates into the "Trusted Root Certification Authorities" area and the CA used for signing the certificates on the card into the "Intermediate Certification Authorities" area.

    The certmgr.msc tool shows that the certificate loaded from the card is valid and the chain is also valid.

    I have tested the minidriver with "certutil -scinfo" and it returns the following error:

    "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)"

    I have tried searching for a solution to the 0x800b0112 error, however all the solutions seem to imply that a domain controller is needed.

    1. Does anyone know why IE would be failing to start the SSL/TLS authentication?
    2. Does using a Smartcard for SSL/TLS clientAuth always require a Domain Controller?
    3. Does Windows really need to check the Client certificate before performing client Authentication? Firefox does not need to do this step.
    4. Can I enable more debug from BaseCSP/IE to see why it is failing?


    Mark Retallack
    Friday, October 10, 2014 11:51 AM

Answers

  • I think I have now fixed this; it looks like the CSP base needs the 32bit and 64bit DLL installed at the same time? I have just created the 32bit version. Not sure why the 32bit one was needed when using the 64bit version of IE.

    UPDATE: it appears that although I am using the 64bit version of IE, for loading the smartcard BASE CSP, IE uses the 32bit version. So it always needs to support 32 and 64 bit versions. Chrome seems to use the 64 bit version.

    Monday, October 13, 2014 12:36 PM

All replies

  • After a bit more investigation I have managed to solve the "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)" issue. I needed to add the intermediate CA to the enterprise store:

    Certutil -enterprise -addstore -f NTAuth stc-client-ca.der

    It now leaves the following error:

    "A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate"


    Monday, October 13, 2014 7:26 AM
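The two fixes reported in this thread (the intermediate CA must be in the enterprise NTAuth store, and the minidriver must be registered and present for both the 64-bit and the 32-bit Base CSP) can be checked with the PowerShell script below. It is an added example, not code from the thread or from Microsoft; the minidriver DLL name and the CA file path are assumptions to be replaced with your own values. It reads the Base CSP card registrations under Calais\SmartCards in both the native and the WOW6432Node hive, confirms the DLL exists in System32 and SysWOW64, and compares the CA's thumbprint against the NTAuth and Intermediate CA stores.

```powershell
# Added diagnostic script for the two failure modes in this thread (example code, not from the original post).
param(
    [string]$MinidriverDll = 'mycard-minidriver.dll',   # assumption: file name of your minidriver DLL
    [string]$CaCertPath    = '.\stc-client-ca.der'      # the intermediate CA file the thread imported into NTAuth
)

# Base CSP card registrations live here; 64-bit IE hosts 32-bit tabs, so both hives matter.
$roots = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
    '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards'
}
# The DLL named in the registration is loaded from the matching system directory.
$dllDirs = @{
    '64-bit' = Join-Path $env:SystemRoot 'System32'
    '32-bit' = Join-Path $env:SystemRoot 'SysWOW64'
}

foreach ($arch in $roots.Keys) {
    $root = $roots[$arch]
    if (-not (Test-Path $root)) {
        Write-Warning "${arch}: registration root missing: $root"
        continue
    }
    # Each subkey is one card entry; the '80000001' value holds the minidriver path,
    # 'Crypto Provider' names the CSP (Microsoft Base Smart Card Crypto Provider for minidriver cards).
    $entries = Get-ChildItem $root | Where-Object {
        (Get-ItemProperty $_.PSPath).'80000001' -like "*$MinidriverDll"
    }
    if (-not $entries) {
        Write-Warning "${arch}: no Calais\SmartCards entry points at $MinidriverDll"
    } else {
        foreach ($e in $entries) {
            $p = Get-ItemProperty $e.PSPath
            "{0}: card '{1}' -> {2} (provider: {3})" -f $arch, $e.PSChildName, $p.'80000001', $p.'Crypto Provider'
        }
    }
    $dllPath = Join-Path $dllDirs[$arch] $MinidriverDll
    if (Test-Path $dllPath) { "${arch}: found $dllPath" } else { Write-Warning "${arch}: missing $dllPath" }
}

# Load the CA certificate and check the stores the thread relies on.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $CaCertPath).Path)
"CA subject: $($ca.Subject)  thumbprint: $($ca.Thumbprint)"

# Intermediate Certification Authorities (machine store) so chain building finds the issuer.
if (Get-ChildItem Cert:\LocalMachine\CA | Where-Object Thumbprint -eq $ca.Thumbprint) {
    'Intermediate CA store: present'
} else {
    Write-Warning 'Intermediate CA store: missing (import the CA into LocalMachine\CA)'
}

# Enterprise NTAuth store: absence here produces the 0x800b0112 "not trusted by the policy provider" error.
# certutil prints the SHA-1 hash with spaces between bytes on some builds, so strip whitespace before comparing.
$ntauth = (certutil -enterprise -store NTAuth 2>&1 | Out-String) -replace '\s', ''
if ($ntauth -match $ca.Thumbprint) {
    'NTAuth store: present'
} else {
    Write-Warning 'NTAuth store: missing (certutil -enterprise -addstore -f NTAuth <ca.der>)'
}
```

Run it from an elevated PowerShell prompt so the WOW6432Node hive and the enterprise store are readable; a warning for only one of the two architectures is exactly the "Please insert smart card" situation described in the accepted answer.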