This page describes how to use ECC (elliptic curve cryptography) for Active Directory smart card logon. To follow this procedure, you need a read/write smart card that supports ECC curves. Only 3 curves are supported: [prime256v1, secp256r1, ansiX9p256r1], [prime384v1, secp384r1, ansiX9p384r1] and [prime521v1].
Part 1: Issue ECC certificate
Prepare an ECC certificate template
Open the certification authority console. Right-click Certificate Templates and select Manage.
Find the Smartcard Logon template. Right-click it and select Duplicate Template.
In the General tab, enter a new name, for example Smartcard Logon ECC. Go to the Cryptography tab and change the Algorithm name, selecting for example ECDSA_P256.
You can optionally change the request hash from SHA1 to SHA256.
Deploy the ECC certificate template
Right-click Certificate Templates and select New, then Certificate Template to Issue.
Select the certificate template you just created.
Request an ECC certificate
Open the certificate console (certmgr.msc). Select the Personal store, right-click it and select All Tasks, then Request New Certificate.
Press OK on each dialog until you reach the template selection dialog. Select the template you issued earlier (Smartcard Logon ECC) and press Properties.
Go to the Private Key tab and expand Cryptographic Service Provider. Select the Key Storage Provider associated with your smart card. Most of the time it is Microsoft Smart Card Key Storage Provider.
Confirm the dialog and the certificate will be issued.
You can verify it with the command “certutil -scinfo”.
Part 2: Enable the certificate for ECC smart card logon
By default, the ECC certificate won’t be shown on the logon screen. To change that, enable the group policy “Allow ECC certificates to be used for logon and authentication”.
It can be found in: Computer configuration -> Administrative templates -> Windows Components -> Smart Card.
As an alternative, it can be set with: HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!EnumerateECCCerts=
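The following PowerShell script is an added audit example, not code from the original page: it checks the outcome of both parts of the procedure on the workstation, namely that an ECC certificate carrying the Smart Card Logon EKU exists in the user's Personal store (Part 1) and that the EnumerateECCCerts policy value is set (Part 2). It assumes that a non-zero REG_DWORD means the policy is enabled, and it infers which of the three supported curves is in use from the public key size (256, 384 or 521 bits). Run it in the user's session after enrolling; for the smart card side of the check, certutil -scinfo remains the reference.

```powershell
# Added audit script (not part of the original page). Checks the two things the
# procedure above relies on: an ECC smart card logon certificate in the user's
# Personal store, and the EnumerateECCCerts policy value under the
# SmartCardCredentialProvider key.

# Well-known EKU OID for Smart Card Logon.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'
# OIDs of the certificate template extensions (v1 template name, v2 template information).
$TemplateExtensionOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-EccLogonCertificate {
    # Returns one object per ECC certificate in Cert:\CurrentUser\My that carries
    # the Smart Card Logon EKU, with the curve size and the issuing template.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        # ECC public keys use the id-ecPublicKey OID (1.2.840.10045.2.1); skip RSA and others.
        if ($cert.PublicKey.Oid.Value -ne '1.2.840.10045.2.1') { return }

        # The certificate provider exposes EnhancedKeyUsageList with an ObjectId per EKU.
        if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku)) { return }

        # KeySize (256, 384 or 521) identifies which of the three supported curves is used.
        $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
        $curveBits = $null
        if ($ecdsa) { $curveBits = $ecdsa.KeySize }

        $templateExt = $cert.Extensions |
            Where-Object { $TemplateExtensionOids -contains $_.Oid.Value } |
            Select-Object -First 1
        $template = '(no template extension)'
        if ($templateExt) { $template = $templateExt.Format($false) }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            CurveBits     = $curveBits
            Template      = $template
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
        }
    }
}

function Test-EccLogonPolicy {
    # Reads the value written by the GPO "Allow ECC certificates to be used for
    # logon and authentication". Assumption: a non-zero REG_DWORD means enabled.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
    $item = Get-ItemProperty -Path $path -Name EnumerateECCCerts -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Enabled = $false
            Value   = $null
            Note    = 'value not set (default: ECC certificates hidden at logon)'
        }
    }
    [pscustomobject]@{
        Enabled = ($item.EnumerateECCCerts -ne 0)
        Value   = $item.EnumerateECCCerts
        Note    = 'read from registry'
    }
}

# Run both checks and summarise the result.
$certs  = @(Get-EccLogonCertificate)
$policy = Test-EccLogonPolicy

"ECC smart card logon certificates found: $($certs.Count)"
$certs | Format-Table Subject, CurveBits, Template, HasPrivateKey, NotAfter -AutoSize
"EnumerateECCCerts policy enabled: $($policy.Enabled) ($($policy.Note))"

if ($certs.Count -gt 0 -and -not $policy.Enabled) {
    Write-Warning 'An ECC logon certificate exists but the policy is not enabled; it will not appear on the logon screen.'
}
```

The policy is a machine setting, so reading HKLM works from any user session, but the certificate check must run as the user who enrolled. A certificate that shows HasPrivateKey as false, or a curve size other than 256, 384 or 521, points back to the Key Storage Provider or algorithm choice made in Part 1.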