NoMoreFood / putty-cac

Windows Secure Shell Client With Support For Smart Cards, Certificates, & FIDO Keys

Autoload Certs loads too many certs #31

Closed opoplawski closed 6 years ago

opoplawski commented 6 years ago

We have users with lots of different certificates (multiple YubiKeys, VPN certs, etc.). It's nearly impossible for users to determine which certificate to add to pageant/putty, and "Autoload Certs" loads all of the available certs which leads to errors like:

The smart card cannot perform the requested operation or the operation requires a different smart card.

We need a way to load just the certificate for the current user from the connected smart card.

NoMoreFood commented 6 years ago

The CAPI part of PuTTY-CAC actually knows nothing about smartcards. Windows takes care of the smartcard interactions as part of utilizing the private key. I think the most I'd be willing to do here is provide a registry key that could be set such that only certificates of a particular type are displayed (e.g. those marked as being used for smartcard logon). We actually already do this to some degree to limit the display of certificates to those with enhanced key usage marked for 'Client Authentication'. Thoughts?

opoplawski commented 6 years ago

I think PuTTY-CAC really needs to interact with the smart card. This is what ssh-agent does on Linux via opensc-pkcs11.so. As it stands I'm presented with a list of 5 certificates, two of which are present on the card. If others are selected I get the error above. This really isn't workable as it stands.

NoMoreFood commented 6 years ago

It works for thousands of people as it stands. You may want to consider cleaning up your certificate stores. CAPI can also hit tokens that don’t go through the smart card device functions so I’m not going to add a feature that could limit functionality.

How about my idea? Are the certificates of interest marked for Smart Card Logon explicitly?

NoMoreFood commented 6 years ago

The next release (available in the next few weeks) will provide an option to screen out expired certificates and/or certificates that are not marked explicitly for smartcard logon.
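The two filters discussed in this thread (the existing Client Authentication EKU filter and the announced option to screen out expired certificates and those not marked for Smart Card Logon) are easy to reproduce against your own certificate store so you can see which certificates an agent driven by CAPI would even consider. The script below is an added example and is not PuTTY-CAC's own code; it reads the CurrentUser\My store the way any CAPI/.NET client does, without touching private keys. The EKU OIDs are the standard PKIX and Microsoft values; the function names and the "default" vs. "strict" filter split are my own labels for the two behaviours the maintainer describes, not names from the project.

```powershell
# Added example (not PuTTY-CAC code): enumerate the current user's personal
# certificate store and show which certificates survive the EKU and expiry
# filters discussed in this issue. No private key is opened, so no smart card
# needs to be inserted and no PIN prompt is triggered.

$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth (PKIX)
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'  # Microsoft Smart Card Logon EKU

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Extended Key Usage is extension 2.5.29.37; .NET surfaces it as
    # X509EnhancedKeyUsageExtension with an OidCollection of usages.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($null -eq $ext) { return @() }    # no EKU extension at all
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-AgentCandidate {
    # Hypothetical filter (my assumption of what "screening" means):
    #   default : has a private key reference and Client Authentication EKU
    #   strict  : additionally requires Smart Card Logon EKU and not expired
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [switch]$RequireSmartCardLogon,
        [switch]$ExcludeExpired
    )
    $ekus = Get-EkuOids -Cert $Cert
    # HasPrivateKey only means CAPI holds a key reference (CSP/KSP + container);
    # it does not tell you whether the card that holds the key is inserted.
    if (-not $Cert.HasPrivateKey) { return $false }
    if ($ekus -notcontains $ClientAuthOid) { return $false }
    if ($RequireSmartCardLogon -and ($ekus -notcontains $SmartCardLogonOid)) { return $false }
    if ($ExcludeExpired -and ($Cert.NotAfter -lt (Get-Date))) { return $false }
    return $true
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $ekus = Get-EkuOids -Cert $_
    [pscustomobject]@{
        Thumbprint     = $_.Thumbprint
        Subject        = $_.Subject
        NotAfter       = $_.NotAfter
        HasPrivateKey  = $_.HasPrivateKey
        ClientAuth     = $ekus -contains $ClientAuthOid
        SmartCardLogon = $ekus -contains $SmartCardLogonOid
        DefaultFilter  = Test-AgentCandidate -Cert $_
        StrictFilter   = Test-AgentCandidate -Cert $_ -RequireSmartCardLogon -ExcludeExpired
    }
} | Format-Table -AutoSize
```

Rows where DefaultFilter is true but StrictFilter is false are the VPN, e-mail and expired certificates that clutter the "Autoload Certs" list; rows with StrictFilter true are the ones a smartcard-logon-only option would keep. Because the script never opens a key, it cannot distinguish two smart card logon certificates whose keys live on different cards, which is exactly the limitation of CAPI-side filtering the maintainer points out: that decision is made by Windows when the key is used, not by the certificate store.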

opoplawski commented 4 years ago

This is becoming an absolute nightmare for us. We have people with multiple smart cards and multiple identities and it's really hard to get pageant to load the proper certificate. I wish I had time to look into adding the proper functionality to pull the cert from the inserted smart card, but I don't at the moment :(.