InfoCard authentication with a smartcard as authentication mechanism problem


I have been working for many months with InfoCards, CardSpace and many STS. In this time I’ve successfully tried all authentication methods available except the SmartCard Certificate with a special provider (I’ve tested SmartCard Auth with other providers successfully).

Well, I have tried to create a card with a Certificate authentication that comes from the Spanish National Electronic Identity Document (DNIe). This SmartCard contains two certificates, one for authentication and another one for signing. The card that I create has the public auth certificate associated, and when it is used on the CardSpace client it prompts for the correct SmartCard. The problem comes when the card is inserted: the client shows an error claiming that it is impossible to find the certificate.

I have been searching the whole forum and I found many similar problems but not this kind. I know that the certificate MUST be in the Personal Store but also it MUST be in the Personal > Registry > Certificates store of the UserCertificates. The problem comes because the DNIe SmartCard places its certificates into Personal > PersonalDNI electrónico > Certificates and the CardSpace client is unable to locate them.

If the certificates are moved (or copied) from Personal > PersonalDNI electrónico > Certificates to Personal > Registry > Certificates it works like a charm, but without this it doesn’t.

Is there any way to add a personal store to CardSpace? I understand that the CardSpace client should be able to search for certificates in the whole directory tree under the Personal dir, shouldn’t it?

Thanks for the replies 🙂

David Campos
Safelayer Secure Communication S.A.

Hi David,

Your observation regarding how CardSpace searches for certificates in the Personal store is correct. It only looks at the root of the Personal store and does not search through sub directories. It is a limitation of CardSpace behavior, as there was no data at the time of implementation to suggest certificates would be placed in sub directories as well.

Can you please help us understand a) the specific reason your customer places certificates in a sub directory under the personal store b) any reason why the certificates will not be placed in the “Trusted Root” as opposed to “Personal”?

For the next version of CardSpace, the product team is collecting data to understand whether support for “Personal Store” should be continued moving forward, and why Trusted Root is not a good enough location. So any data that you provide, based on interactions with your customers, will really help us.

Thanks for your help.

Hello Anand and thanks for your reply.

I’ve been talking with our customer about the reason that made them choose to use a sub directory different from the base one. They told me that the developers of the Cryptographic Service Provider that allows the system to access the card had probably chosen to use an independent directory under the Personal store because it made the development easier in some scenarios. For example, when the card is extracted from the card reader, the certificate delete operation is easier when the CSP knows that it only should manage its own directory and can do an easier clean up without deleting other certificates.

Also we have been trying many other certificates provided by other entities. The results don’t follow any special pattern and many also use their own directory. They only follow the rule that the directory is ALWAYS under Personal Store.

As other Windows applications (like IE) are able to search for certificates in other subfolders under Personal Store, do you know if CardSpace will shortly be modified in order to do the same, too?

What do you mean in question b by “Trusted Root” and “Personal”? The root CA Certificate, and also Subordinates’, are never placed under different stores than the usual ones.

Regards,

David Campos
Safelayer Secure Communications S.A.
Spain

Hi David,

Just wanted to clarify the sub-directory scenario. Can you give a screen-shot of the folder hierarchy in “certmgr.msc”?

Thanks,
Rakesh