problem with SSL clientAuth on Custom BaseCSP minidriver

Question

Hi,

    I am trying to get Firefox and IE to perform TLS/SSL client Authentication with an embedded device using certificates and keys on a Smartcard. The Windows host is a Windows 7 box. There is no Domain Controller or other infrastructure.

    For Firefox I have written a pkcs11 DLL and it performs correctly. I have also written a baseCSP minidriver to perform the same action for IE (and Chrome), however it is not working correctly.

    On IE it gets to the point of asking the user to select the required certificate and then comes back with another dialog saying "Please Insert smart card" instead of asking the user for the PIN. The dialog provides the following detailed error:

    "A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate."

    I have enabled the debug level on the CAPI2 module in Event Viewer and it shows that the X509 objects are correctly formed and that the "Build Chain" succeeded. It does not show any certificate errors etc.

    I have installed the top level CA certificates into the "Trusted Root Certification Authorities" area and the CA used for signing the certificates on the card into the "Intermediate Certification Authorities" area.

    The certmgr.msc tool shows that the certificate loaded from the card is valid and the chain is also valid.

    I have tested the minidriver with "certutil -scinfo" and it returns the following error:

    "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)"

    I have tried searching for a solution to the 0x800b0112 error, however all the solutions seem to imply that a domain controller is needed.

    1. Does anyone know why IE would be failing to start the SSL/TLS authentication?
    2. Does using a Smartcard for SSL/TLS clientAuth always require a Domain Controller?
    3. Does Windows really need to check the Client certificate before performing client Authentication? Firefox does not need to do this step.
    4. Can I enable more debug from BaseCSP/IE to see why it is failing?


    Mark Retallack

    Friday, October 10, 2014 11:17 AM
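The post describes three checks that are easy to repeat outside the browser: the smart card certificate appearing in the user's personal store, the chain building against the installed root and intermediate CAs, and the certificate being acceptable for the TLS client-authentication policy. The following PowerShell script is an added example, not part of the original post; it assumes that the base CSP's certificate propagation has copied the card's certificates into the CurrentUser\My store (the normal behaviour on card insertion) and builds the chain with the id-kp-clientAuth application policy, which is the policy the "policy provider" in the 0x800b0112 message is evaluating. Revocation checking is switched off so the script runs on a host without network access to CRL/OCSP endpoints.

```powershell
# Added diagnostic example (not from the original post). Assumes the smart card
# certificate has been propagated into Cert:\CurrentUser\My by the base CSP.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Make sure the CAPI2 operational log is on, so each chain build is recorded
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    Write-Host "Subject       : $($cert.Subject)"
    Write-Host "Issuer        : $($cert.Issuer)"
    Write-Host "HasPrivateKey : $($cert.HasPrivateKey)"   # false means no key container maps to the card

    # 1. Does the certificate carry the clientAuth EKU (or no EKU at all, which permits any usage)?
    $ekuExts = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = ($ekuExts.Count -eq 0)
    foreach ($ext in $ekuExts) {
        foreach ($oid in $ext.EnhancedKeyUsages) {
            if ($oid.Value -eq $clientAuthOid) { $hasClientAuth = $true }
        }
    }
    Write-Host "ClientAuth EKU: $hasClientAuth"

    # 2. Build the chain with the clientAuth application policy, as CAPI2 does for TLS
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null
    $built = $chain.Build($cert)
    Write-Host "Chain builds  : $built"

    # 3. Report every chain status flag (UntrustedRoot, PartialChain, NotValidForUsage, ...)
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("  status : {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    foreach ($element in $chain.ChainElements) {
        Write-Host "  element: $($element.Certificate.Subject)"
    }
    Write-Host ''
}

# The same chain check from the card itself rather than the store copy:
#   certutil -scinfo
# and for a certificate exported from the card to a file:
#   certutil -verify -urlfetch .\card-cert.cer
```

Run it in an elevated PowerShell session with the card inserted; the `wevtutil` call needs administrator rights, the rest does not. A chain that builds in certmgr.msc but fails here with NotValidForUsage points at the EKU or application policy rather than at trust, while UntrustedRoot or PartialChain points at which store the CA certificates were placed in; the script does not claim to diagnose the specific failure in the post.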
