ECC Smart card logon

This page describes how to use ECC (elliptic curve cryptography) for Active Directory smart card logon. To follow this procedure, you need a read/write smart card that supports ECC curves. Only the three NIST prime curves are supported (listed here with their usual aliases): P-256 [prime256v1, secp256r1, ansiX9p256r1], P-384 [prime384v1, secp384r1, ansiX9p384r1] and P-521 [prime521v1]. They correspond to the ECDSA_P256, ECDSA_P384 and ECDSA_P521 algorithms offered in the certificate template.

This page was written using a Smart card HSM and the OpenSC minidriver.

Part 1: Issue ECC certificate

Prepare an ECC certificate template

Open the Certification Authority console. Right click on Certificate Templates and select Manage.

Find the Smartcard logon template. Right click and select Duplicate Template.

In the General tab, enter a new name, for example Smartcard Logon ECC. Go to the Cryptography tab and change the Algorithm name, for example to ECDSA_P256 (ECDSA_P384 and ECDSA_P521 are the other two choices, and the card must support the matching curve).

You can optionally change the request hash from SHA1 to SHA256; SHA1 is deprecated for certificate signatures, so SHA256 is the better choice for a new template.

ECC certificate template

Deploy the ECC certificate template

Back in the Certification Authority console, right click on Certificate Templates and select New, then Certificate Template to Issue.

Select the certificate template you just created.

Request an ECC certificate

Open the certificate console (certmgr.msc). Select the Personal store, right click on it and select All Tasks, then Request New Certificate.

Press Next on the dialogs until you reach the template selection. Select the template you deployed in the previous step (Smartcard Logon ECC) and press Properties.

request an ECC smart card logon certificate

Go to the Private Key tab and expand Cryptographic Service Provider. Select the Key Storage Provider associated with your smart card. Most of the time it is Microsoft Smart Card Key Storage Provider; this is what makes the key pair be generated on the card rather than in the software key store.

select the KSP for ECC certificate issuance

Confirm, and the certificate will be issued. The card prompts for its PIN when the key is generated.

certificate for ECC smart card logon issued

You can check the result with the command certutil -scinfo, which lists the certificates and keys present on the card.
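The same enrollment can be scripted instead of clicked through in certmgr.msc. The following PowerShell is an added example, not code from the original page or from the OpenSC project: it builds a certreq INF that selects the smart card KSP and the ECDSA_P256 algorithm of the template, submits the request to the enterprise CA, and then verifies that the issued certificate really carries an EC key held by the smart card provider and the Smart Card Logon EKU. It assumes the template's internal short name is SmartcardLogonECC (the console strips spaces from the display name by default; check the template's properties if you named it differently), that the card is inserted with its minidriver installed, and that .NET Framework 4.6.1 or later is available for ECDsaCertificateExtensions.

```powershell
# Added example (not part of the original page). Run as the user who will log on
# with the card, on a domain-joined machine that can reach the enterprise CA.
$TemplateName = 'SmartcardLogonECC'   # assumed short name of the duplicated template
$Work = Join-Path $env:TEMP 'ecc-sclogon'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq INF: KeyAlgorithm matches the template's Cryptography tab; ProviderName
# selects the smart card KSP so the key pair is generated on the card.
@"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyAlgorithm = ECDSA_P256
KeyLength = 256
ProviderName = "Microsoft Smart Card Key Storage Provider"
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# Generate the key on the card (PIN prompt), submit to the CA (a dialog lists the
# enterprise CAs when no -config is given), then bind the issued cert to the key.
certreq -new    "$Work\request.inf" "$Work\request.req"
certreq -submit "$Work\request.req" "$Work\cert.cer"
certreq -accept "$Work\cert.cer"

function Get-EccSmartCardLogonCert {
    # id-ecPublicKey is 1.2.840.10045.2.1; the Smart Card Logon EKU is 1.3.6.1.4.1.311.20.2.2.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.PublicKey.Oid.Value -eq '1.2.840.10045.2.1' -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2')
    }
}

# Report which KSP and algorithm back each ECC logon certificate. A certificate whose
# Provider is not the smart card KSP was generated in software and will not work
# from the card at the logon screen.
foreach ($cert in Get-EccSmartCardLogonCert) {
    $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
    $key   = $ecdsa.Key   # ECDsaCng exposes the underlying CngKey
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Provider   = $key.Provider.Provider      # expect: Microsoft Smart Card Key Storage Provider
        Algorithm  = $key.Algorithm.Algorithm    # expect: ECDSA_P256
        KeySize    = $key.KeySize
        NotAfter   = $cert.NotAfter
    }
}
```

Opening the key handle does not normally require the PIN, so the report can be run without touching the card's private key; certutil -scinfo gives the same information from the card's point of view and is the better check when the certificate is not in the user's Personal store at all.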

Part 2: Enable the certificate for ECC smart card logon

By default, the smart card credential provider does not enumerate ECC certificates, so the certificate won't be shown on the logon screen. To change that, enable the group policy "Allow ECC certificates to be used for logon and authentication".

It can be found in: Computer configuration -> Administrative templates -> Windows Components -> Smart Card.

As an alternative, it can be set directly in the registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!EnumerateECCCerts = 1 (REG_DWORD). Note that a value written locally is overwritten at the next policy refresh if a domain GPO also defines it.
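The following PowerShell is an added example, not code from the original page: it writes the same EnumerateECCCerts value the group policy writes and reads it back, so the state of the setting can be checked on a machine before a logon attempt fails silently. It assumes an elevated prompt on the machine where the logon happens; the key path and the value name are the ones the page gives, and the DWORD meaning (1 enabled, 0 disabled) is the standard one for this policy.

```powershell
# Added example (not part of the original page). Run elevated on the logon machine.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'

function Enable-EccSmartCardLogon {
    # Create the policy key if no smart card policy has ever been applied, then
    # set EnumerateECCCerts = 1 (REG_DWORD), which is what the GPO writes.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name EnumerateECCCerts -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-EccSmartCardLogon {
    # $true when the credential provider will list ECC certificates on the logon screen;
    # a missing value means the policy is not configured, which behaves like 0.
    $v = Get-ItemProperty -Path $Key -Name EnumerateECCCerts -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnumerateECCCerts -eq 1)
}

Enable-EccSmartCardLogon
Test-EccSmartCardLogon   # expect True

# Without this policy an ECC certificate on the card enrolls and validates fine but is
# simply never offered at logon, which looks like a missing card rather than a policy issue.
```

If the machine receives the setting from a domain GPO, make the change in that GPO (Computer configuration -> Administrative templates -> Windows Components -> Smart Card) rather than here; otherwise the local write is reverted at the next policy refresh and Test-EccSmartCardLogon will go back to False.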