8.4 Using PKI Encryption for the Datastore and Cache

If PKI credentials are used to encrypt SecureLogin data with the passphrase security system off (set to No), you should consider implementing key archive/backup and recovery. If key archive/backup and recovery is not implemented and the passphrase security system is not enabled, users can never decrypt their SecureLogin data if they lose their smart card, because the private key is stored on the lost smart card.

Without private key recovery, you have to clear the user's SecureLogin data store before they can use SecureLogin again. This is a high-security configuration, but it is inconvenient for end users because they cannot access SecureLogin without the smart card.

8.4.1 Choosing a Certificate

When a smart card is configured to use PKI credentials to encrypt single sign-on data, SecureLogin retrieves the serial number of the current certificate and locates the certificate in the certificate store as specified in the relevant SecureLogin preferences. SecureLogin then loads the associated private key and attempts to decrypt the user key with the private key.

If a smart card is present but the decryption fails or no certificate matching the selection criteria can be located, SecureLogin assumes that a recovered smart card is in use. It then attempts to decrypt the user key with each key pair stored on the card.

IMPORTANT: If you are using PKI encryption and the certificate selection criteria depend on the certificate's friendly name, you must disable Microsoft certificate propagation.

Because the Windows certificate propagation method does not propagate the certificate's friendly name, SecureLogin cannot start successfully.

To disable Microsoft certificate propagation, set the following registry key value to 0:

  1. On the Windows Start menu, click Start > Run to display the Run dialog box.

  2. Type regedit, then click OK to open the Registry Editor.

  3. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp.

  4. Create a DWORD Value named Enabled.

  5. Set the value of the DWORD to 0.

  6. Exit the Registry Editor.

8.4.2 Certificate Selection Criteria

The Certificate Selection Criteria preference allows you to select an encryption or authentication certificate to encrypt the user's single sign-on information in the directory.

The certificate selection criteria determine which certificate to select if multiple certificates are in use (for example, if an enterprise has configured an Entrust certificate for single sign-on encryption and a Microsoft certificate for login and/or authentication).

If only one certificate is used, the field is left blank; the certificate is detected automatically and set to User Certificate. When entering certificate selection criteria, no special formatting is required and the search string is not case sensitive. Wildcards are not used; a search matches if the search text is a substring of the certificate field being searched. SecureLogin attempts to match against the certificate subject, issuer, and friendly name in the following order:

  1. Certificate Subject

  2. Certificate Issuer

  3. Friendly Name

Example 8-1 If the subject is

CN=Writer,OU=Users,OU=Accounts,OU=APAC,DC=Novell,DC=Int

then Writer is a valid search value, as are Accounts, APAC, and Int. The prefixes CN=, OU=, and DC= are not required.

Similarly, if the Certificate Issuer is

CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com

then IssuingCA1 is a valid search value, as are AD, undiscovered, and com.
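The selection rules above (case-insensitive substring, no wildcards, match order subject then issuer then friendly name) and the propagation caveat from 8.4.1, as an added Python model that is not SecureLogin's own code. The Certificate fields, the field-major search order, propagate_without_friendly_name, and the store contents are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Certificate:
    """Constructed stand-in for a certificate store entry (not a SecureLogin type)."""
    subject: str
    issuer: str
    friendly_name: str
    serial: str

# Order in which the fields are compared, as documented: subject, issuer, friendly name.
MATCH_ORDER = ("subject", "issuer", "friendly_name")

def field_matches(criteria: str, value: str) -> bool:
    """Case-insensitive substring test; no wildcard expansion, so '*' is a literal character."""
    return criteria.lower() in value.lower()

def select_certificate(certs: List[Certificate], criteria: str) -> Optional[Certificate]:
    """Pick the certificate to use for single sign-on encryption, or None if nothing matches."""
    if not criteria:
        # Blank criteria is only meaningful when exactly one certificate is available.
        return certs[0] if len(certs) == 1 else None
    # Assumption: each field is checked across all certificates before moving to the next field.
    for field in MATCH_ORDER:
        for cert in certs:
            if field_matches(criteria, getattr(cert, field)):
                return cert
    return None

def propagate_without_friendly_name(cert: Certificate) -> Certificate:
    """Models the Windows propagation behaviour the text describes: the friendly name is lost."""
    return Certificate(cert.subject, cert.issuer, "", cert.serial)

# Constructed store: an encryption certificate and a logon certificate for the same user.
STORE = [
    Certificate("CN=Writer,OU=Users,OU=Accounts,OU=APAC,DC=Novell,DC=Int",
                "CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com", "SSO Encryption", "01"),
    Certificate("CN=Writer,OU=Users,OU=Accounts,OU=APAC,DC=Novell,DC=Int",
                "CN=LogonCA,OU=AD,DC=undiscovered,DC=com", "Smart Card Logon", "02"),
]

if __name__ == "__main__":
    print(select_certificate(STORE, "issuingca1").serial)    # 01: issuer match, case-insensitive
    print(select_certificate(STORE, "Writer").serial)        # 01: both subjects match, first wins
    print(select_certificate(STORE, "Writ*"))                # None: no wildcards
    propagated = [propagate_without_friendly_name(c) for c in STORE]
    print(select_certificate(propagated, "SSO Encryption"))  # None: friendly name gone after propagation
```

The last call shows why friendly-name criteria break once propagation strips the name, while issuer- or subject-based criteria keep working on the same store.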

8.4.3 Current Certificate

This preference displays the certificate that is currently being used by SecureLogin to encrypt a user's single sign-on data.