How can we help?

Using Elliptic Curve Cryptography

Anthony - Versasec Support
Anthony - Versasec Support
  • Updated

Introduction

It is possible to use Elliptic Curve Cryptography (ECC) when issuing certificates using vSEC:CMS. vSEC:CMS supports the following NIST curves:

  • P256;
  • P384;
  • P521.

Also, the credential used needs to support the generation and import of these NIST curves. Please refer to your credential vendor documentation to determine if the credential that you wish to use supports ECC with the NIST curves listed above.

In order to use ECC it will be necessary to configure the certificate template on the CA to use ECC. In this article we will describe how to configure a credential logon certificate template for a Microsoft CA.

Configure ECC Support on MS CA

In this article, we will show how to configure a credential logon template on a MS CA that can then be used by vSEC:CMS to issue a Windows logon certificate to a credential for MS Windows logon.

Important
This section is an example only and should not be viewed as a definitive guideline for configuring your specific CA certificate templates.

Step 1 – Configure Certificate Template on CA

From the Certificate Template Console window for MS CA select the default Smartcard Logon template and right click and select Duplicate Template. From the Compatibility tab select the settings as below.

From the Request Handling tab select the settings as below.

From the Cryptography tab select the settings as below.

From the Issuance Requirements tab select the settings as below.

Save the template and issue the template through your CA as normal.

On the vSEC:CMS console from the Options – Connections page, select the Certificate Authorities template and click Edit. Click the Templates button and click Update to update the available certificate templates from the CA.

Step 2 – Configure Windows to Support ECC Certificate for Logon

By default, the ECC certificate won’t be shown on the Windows login screen. It will be necessary to enable the group policy Allow ECC certificates to be used for logon and authentication. This can be enabled, for example, from the Local Group Policy Editor window. Navigate to Computer Configuration - Administrative Templates - Windows Components - Smart Card and double click Allow ECC certificates to be used for logon and authentication and select the Enabled option.

Step 3 – Configure Card Template

On the vSEC:CMS configure a card template to use the certificate template created in step 1 and issue a card as normal.