Apache + IE Smart Card Certificate Selection


  • ♿ (Parody)

    @heterodox said in WTF Bites:

    @twelvebaud said in [WTF Bites](/post/
    "And IE doesn't add a filter that says "Only show certs with 'Prove your identity to a remote computer' key usages" for some stupid reason."

    That's demonstrably untrue. My Encryption certificate does not show up in the client certificate prompt since it doesn't have the right values in its Key Usage extension. My ID and Signature certificates do and they can both be used for client authentication (I misspoke earlier and said the KU extension needs Key Encipherment as well as Digital Signature; that's not true). I'm guessing IE is using CryptUIDlgSelectCertificate with a filter callback (but can't actually be arsed to find out).

    Where are you seeing this sort of behavior? I'm trying to use my card to login to an apache server that we control. Is there some sort of hint that we could be sending that would clue in IE so that it knows what we're doing? Some parameter or configuration?

    I'm basically an apache retard and my experience was mostly flailing around by trial and error to connect the documentation to the results I was seeing and what I wanted.


  • :belt_onion:

    @boomzilla From my empirical observation, this has been the behavior of IE for as long as it's supported client certificate authentication.

    My understanding of the filtering rules on a certificate (based on years of reading standards and trial/error) is as follows:

    • If the server has sent a list of CAs, the issuer must be one of those CAs
    • If the KeyUsage extension is present, it must include digitalSignature
    • If the ExtendedKeyUsage extension is present, it must include id-kp-clientAuth

    Maybe I'll dump the current filtering rules sometime over the next couple days. This is one of my SME areas, so it'd be nice to ensure I have an accurate answer and that IE's implementation matches my theories.
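
The three rules above, coded up as an added example (this is not code from the thread, from IE, or from Apache). It models parsed certificates as small constructed records rather than doing real X.509 decoding, and reports which rule rejected a certificate so that a card owner can see why a particular certificate is missing from the prompt. The "list of CAs" input corresponds to the certificate_authorities names the server sends in its TLS CertificateRequest; with Apache mod_ssl that list is derived from SSLCACertificateFile, or from SSLCADNRequestFile when that directive is set. The certificate labels, issuer names and extension contents are constructed sample data.

```python
"""Model of a browser's client-certificate selection filter.

Added example, not code from the thread or from any browser/server. Applies the
three rules from the post above to constructed certificate descriptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# OIDs from RFC 5280 / RFC 4262 extended key usage (real values)
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed certificate: only what the filter reads."""
    label: str
    issuer: str                                     # issuer DN as a string
    key_usage: Optional[FrozenSet[str]] = None      # None = KU extension absent
    ext_key_usage: Optional[FrozenSet[str]] = None  # None = EKU extension absent


def rejection_reason(cert: Cert, acceptable_cas: Optional[List[str]]) -> Optional[str]:
    """Return None if the certificate would be offered, else the rule that excludes it."""
    # Rule 1: if the server sent a CA list, the issuer must be one of those CAs
    if acceptable_cas is not None and cert.issuer not in acceptable_cas:
        return "issuer not in server CA list"
    # Rule 2: KeyUsage, when present, must include digitalSignature
    if cert.key_usage is not None and "digitalSignature" not in cert.key_usage:
        return "KeyUsage present without digitalSignature"
    # Rule 3: ExtendedKeyUsage, when present, must include id-kp-clientAuth
    if cert.ext_key_usage is not None and ID_KP_CLIENT_AUTH not in cert.ext_key_usage:
        return "ExtendedKeyUsage present without id-kp-clientAuth"
    return None


def select_candidates(certs: List[Cert], acceptable_cas: Optional[List[str]]) -> List[str]:
    """Labels of the certificates that survive the filter, in card order."""
    return [c.label for c in certs if rejection_reason(c, acceptable_cas) is None]


# Constructed sample card contents, loosely modelled on the ID/Signature/Encryption
# split described in the thread, plus two extra cases to exercise rules 1 and 2/3.
SAMPLE_CERTS = [
    Cert("ID", "CN=Example Card CA",
         frozenset({"digitalSignature"}), frozenset({ID_KP_CLIENT_AUTH})),
    Cert("Signature", "CN=Example Card CA",
         frozenset({"digitalSignature", "nonRepudiation"}),
         frozenset({ID_KP_EMAIL_PROTECTION, ID_KP_CLIENT_AUTH})),
    Cert("Encryption", "CN=Example Card CA",
         frozenset({"keyEncipherment"}), frozenset({ID_KP_EMAIL_PROTECTION})),
    Cert("Legacy", "CN=Example Card CA"),  # no KU/EKU at all: rules 2 and 3 do not apply
    Cert("OtherIssuer", "CN=Unrelated CA", frozenset({"digitalSignature"})),
]

if __name__ == "__main__":
    server_cas = ["CN=Example Card CA"]
    for cert in SAMPLE_CERTS:
        reason = rejection_reason(cert, server_cas)
        print(f"{cert.label:12s} {'offered' if reason is None else 'hidden: ' + reason}")
    print("with CA list:   ", select_candidates(SAMPLE_CERTS, server_cas))
    print("without CA list:", select_candidates(SAMPLE_CERTS, None))
```

Run it and the Encryption certificate drops out on rule 2, OtherIssuer drops out only when the server actually sends a CA list, and a certificate with no KU/EKU extensions at all passes, which is the behaviour to expect from "if present" rules.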

