It is possible to use Elliptic Curve Cryptography (ECC) when issuing certificates using the vSEC:CMS. The vSEC:CMS supports the following NIST curves:
Also, the smart card token used needs to support the generation and import of these NIST curves. Please refer to your smart card vendor documentation to determine if the smart card that you wish to use supports ECC with the NIST curves listed above.
To use ECC, the certificate template on the CA must be configured for ECC. In this article we describe how to configure a smart card logon certificate template for a Microsoft CA running on a Windows 2012 R2 server.
Configure ECC Support on MS CA
In this article, we will show how to configure a smart card logon template on a MS CA that can then be used by the vSEC:CMS to issue a Windows logon certificate to a smart card token for MS Windows logon.
Important: This section is an example only and should not be viewed as a definitive guideline for configuring your specific CA certificate templates.
Step 1 - Configure Certificate Template on CA
From the Certificate Template Console window for the MS CA, select the default Smartcard Logon template, right-click it and select Duplicate Template. From the Compatibility tab select the settings as below.
From the Request Handling tab select the settings as below.
From the Cryptography tab select the settings as below.
From the Issuance Requirements tab select the settings as below.
Save the template and issue the template through your CA as normal.
On the vSEC:CMS from the Options - Connections page select the Certificate Authorities template and click Edit. Click the Templates button and click Update to update the available certificate templates from the CA.
Step 2 - Configure Windows to Support ECC Certificate for Logon
By default, the ECC certificate won't be shown on the Windows logon screen. It will be necessary to enable the group policy Allow ECC certificates to be used for logon and authentication. This can be enabled, for example, from the Local Group Policy Editor window. Navigate to Computer Configuration - Administrative Templates - Windows Components - Smart Card, double-click Allow ECC certificates to be used for logon and authentication and select the Enabled option.
Step 3 - Configure Card Template
On the vSEC:CMS configure a card template to use the certificate template created in step 1 and issue a card as normal.
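As an added example (not from this article or from the vSEC:CMS product), the following PowerShell checks the prerequisites from the steps above on a workstation: that the ECC logon policy from Step 2 is enabled, and that the certificate issued to the card carries an ECC key together with the Smart Card Logon and Client Authentication EKUs that the default Smartcard Logon template provides. It assumes the policy is stored as the EnumerateECCCerts DWORD under the SmartCardCredentialProvider policy key; the function and variable names are my own.

```powershell
# Added example (not from the vSEC:CMS article): verify what an ECC smart card
# logon depends on, and optionally enable the policy from Step 2.
# Assumption: the "Allow ECC certificates to be used for logon and authentication"
# policy is stored as the DWORD EnumerateECCCerts under the key below.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$PolicyName = 'EnumerateECCCerts'
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$EccPublicKeyOid   = '1.2.840.10045.2.1'        # id-ecPublicKey

function Test-EccLogonPolicy {
    # Returns $true only when the policy value exists and is set to 1 (Enabled).
    $value = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.$PolicyName -eq 1)
}

function Enable-EccLogonPolicy {
    # Creates the policy key if needed and sets Enabled (1). Requires an elevated shell.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
}

function Test-EccLogonCertificate {
    # Reports whether a certificate is usable for ECC smart card logon:
    # ECC public key, Smart Card Logon EKU and Client Authentication EKU present,
    # and the machine policy enabled so the credential provider will list it.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    [pscustomobject]@{
        Subject           = $Cert.Subject
        KeyAlgorithm      = $Cert.PublicKey.Oid.FriendlyName
        IsEcc             = ($Cert.PublicKey.Oid.Value -eq $EccPublicKeyOid)
        HasSmartCardLogon = ($ekus -contains $SmartCardLogonEku)
        HasClientAuth     = ($ekus -contains $ClientAuthEku)
        PolicyEnabled     = (Test-EccLogonPolicy)
    }
}

# Usage: inspect every certificate in the user's store that has a private key
# (smart card certificates propagated to the store appear here after the card is inserted).
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-EccLogonCertificate -Cert $_ } | Format-Table -AutoSize
```

A row showing IsEcc true but PolicyEnabled false is the symptom described in Step 2: the card is issued correctly, but the logon screen will not list the certificate until the policy is enabled.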