[Samba] Certificates for Smartscard-Login: "oid exists"-error

samba at 0111.ch samba at 0111.ch
Mon Dec 7 14:13:06 UTC 2020 

Hello There, 

I am currently trying to create certificates, which will be used for logins via smartcard and I'm following his guide: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login

When creating the certificates, I'll get this error: 

problem creating object scardLogin=1.3.6.1.4.1.311.20.2.2
140074235937920:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:

When I comment out the line "scardLogin=1.3.6.1.4.1.311.20.2.2". it'll throw an error for the next OID. When I comment out all new OIDs, I can create the ca-certificate. Server certificates, too, but they miss an OID. I did not yet try to create user certificates, because this way they would miss the OIDs.


Here my openssl.conf:

```
#
# Based on the OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

CRLDISTPT       = http://crl.example.com/example.crl

# Extra OBJECT IDENTIFIER info:
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        = 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
scardLogin = 1.3.6.1.4.1.311.20.2.2
# Used in a smart card login certificate's subject alternative name
msUPN=1.3.6.1.4.1.311.20.2.3
# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
msKDC=1.3.6.1.5.2.3.5
# Identifies the AD GUID
msADGUID=1.3.6.1.4.1.311.25.1


####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir         = .                 # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl          # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
unique_subject  = yes           # Set to 'no' to allow creation of
                                # several certificates with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                                # must be commented out to leave a V1 CRL

crl         = $dir/ca-crl.pem           # The current CRL
private_key = $dir/private/cakey.pem    # The private key
RANDFILE    = $dir/private/.rand        # private random number file

x509_extensions    = usr_cert_mskdc  # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions  = crl_ext

default_days    = 1095           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = sha256            # use public key default MD
preserve    = no                # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match

# For the CA policy
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName     = match
stateOrProvinceName = match
localityName        = match
organizationName    = match
organizationalUnitName  = match
commonName      = supplied
emailAddress        = supplied

####################################################################
[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = CH
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = STATE

localityName            = Locality Name (eg, city)
localityName_default    = CITY

organizationName        = Organization Name (eg, company)
organizationName_default    = Example inc.

#organizationalUnitName      = Organizational Unit Name (eg, section)

commonName          = Common Name (eg, YOUR name)
commonName_max          = 64

emailAddress            = Email Address
emailAddress_max        = 64

# SET-ex3           = SET extension number 3

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20

#unstructuredName        = An optional company name

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. 
keyUsage = cRLSign, keyCertSign

crlDistributionPoints=URI:$CRLDISTPT

# Some might want this also
nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
subjectAltName=email:copy
# Copy issuer details
issuerAltName=issuer:copy

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always


[ usr_cert_mskdc ]

# These extensions are added when 'ca' signs a request for a domain controller certificate.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE
crlDistributionPoints=URI:$CRLDISTPT

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
nsCertType          = server

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment           = "Domain Controller Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.

subjectAltName=@dc_subjalt

# Copy subject details
issuerAltName=issuer:copy

nsCaRevocationUrl       = $CRLDISTPT
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

#Extended Key requirements for our domain controller certs
# serverAuth - says cert can be used to identify an ssl/tls server
# msKDC - says cert can be used to identify a Kerberos Domain Controller.
extendedKeyUsage = clientAuth,serverAuth,msKDC

[dc_subjalt]
DNS=DC1.int.example.com
otherName=msADGUID;FORMAT:HEX,OCTETSTRING:464A3A73D50257419A6D1438AA584EF3


```

OpenSSL is installed in version 1.1.1

I think a workaround might be to use the OID directly instead of the variable, but I hope someone has an idea how to do it with the names.

Regards, Alain

More information about the samba mailing list