使用活动目录的Windows登录和S/MIME电子邮件加密

Compatible Nitrokeys

3A/C/Mini

Passkey

HSM 2

Pro 2

FIDO2

Storage 2

Start

U2F

active

inactive

inactive

active

inactive

active

active

inactive

请注意,这个驱动程序仍在开发/测试中。请告诉我们你的经验!请参阅我们的`联系页面 <https://www.nitrokey.com/contact>`__。

先决条件

This guide assumes that an Active Directory server with role Active Directory Certificate Services is installed and running on a server. These instructions are based on Nitrokey Storage 2 and Nitrokey Pro 2 only.

安装OpenPGP-CSP

This step is needed for clients to use the OpenPGP-CSP driver. Download and install the latest version of the installer file SetupOpenPGPCsp for your system architecture, for SetupOpenPGPCsp_x64.msi for 64-bit systems.

你可能想在服务器上也安装该驱动,以便能够在模板中强制使用该驱动(见下文)。

在服务器端创建证书模板

On Active Directory Server open certsrv.msc to manage your certificate templates. Right click on Certificate Templates and choose Manage.

img1

Now right click on Smartcard Logon template and click Duplicate, to create a new template on basis of this standard template. Rename template to OpenPGP Card Logon and Email or alike.

img2

Under Request Handling, you can choose the OpenPGP-CSP as the one and only Cryptography Service Provider (click the Button labeled CSPs…). For this to work, you need to install the driver on the server as well and you have to insert a Nitrokey beforehand. This is optional. You can let the user choose, which CSP to use.

img3
img4

For enabling S/MIME email encryption go to Subject name. Tick the checkbox E-Mail name (note: You must save the mail addresses of your users in the corresponding Active Directory field!).

img5

Then go to Extensions, there you edit the applications guideline and add Secure Email.

img6
img7

在客户(域成员)上申请证书

To request a certificate for a domain member, you have to open certmgr.msc. Right click on folder Personal -> Certificates and click All Tasks -> Request New Certificate and choose the template you created on the AD.

img8

如果你没有强制使用OpenPGP-CSP,你现在必须在这里选择它。

img9
img10

接下来你选择证书的认证槽。

You are now ready to logon on the computer with the Nitrokey instead of your password and you can use S/MIME email encryption/signing with the Nitrokey. The driver has to be installed on every computer you want to use the certificate on.

img11