Certificate based smart card logon to Windows 10/11 with FIPS certified smart card

Anonymous
2024-02-20T07:49:12+00:00

The latest FIPS 140-2 Level 3 and FIPS 140-3 have limited the hash algorithms to SHA-256/384/512, and SHA-1 cannot be used for security reasons. If I use a FIPS certified smart card to do certificate based smart card logon to Windows 10 and Windows 11 (Windows 10/11 is on-prem domain joined and has a smart card logon certificate provisioned), the logon process fails because Kerberos/PKINIT always uses SHA-1, even though I changed the CSP/minidriver to report only SHA-256/384/512 in its supported-algorithm list to Windows, and I followed https://www.anoopcnair.com/configure-hash-algorithms-for-certificate-logon/ to disable SHA-1. I logged lsass.exe's calls to the CSP/minidriver: it creates a SHA-1 hash and then signs the SHA-1 digest.

So how can a FIPS certified smart card (without SHA-1) be used to log on to Windows 10/11?

***Moved from Windows / Windows 10 / Windows Hello, lock screen and sign-in***


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


2 answers

  1. Anonymous
    2024-02-22T08:53:18+00:00

    Hello Geoffrey150,

    Thank you for posting on the Microsoft Community Forum.

    Based on your description, to fix this you can try installing the latest Windows update by going to Start > Settings > Update & Security > Windows Update and selecting Check for updates. If updates are available, install them.

    You can check the hash algorithm of the existing certificate on the smart card.

    If it is SHA-1, you can change the existing SHA-1 certificate on the smart card to SHA-2. Do you have an internal CA server with AD CS? If so, you should migrate the root certificate and the issuing CA certificate from SHA-1 to SHA-256, then re-enroll a SHA-256 certificate using the renewed SHA-256 issuing CA certificate, and install this new certificate on the smart card.

    I hope the information above is helpful.

    If you have any questions or concerns, please do not hesitate to let us know.

    Best Regards,

    Daisy Zhou

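As an added example, not part of the original thread or of Microsoft's guidance, here is a PowerShell check for the first two steps of the answer above: list every certificate in the user's Personal store that carries the Smart Card Logon EKU, and report the signature hash of the leaf and of each CA certificate in its chain. It assumes the card's certificate has been propagated into Cert:\CurrentUser\My (the Certificate Propagation service does this on insertion); `certutil -scinfo` reads the card directly if it has not.

```powershell
# Added example (not from the original thread): report the signature hash of each
# Smart Card Logon certificate and of the CA certificates in its chain.
# Assumption: the card's certificate is present in Cert:\CurrentUser\My.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU OID

function Get-SignatureHashName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # FriendlyName looks like "sha1RSA", "sha256RSA", "sha256ECDSA", "sha384ECDSA"
    $name = $Cert.SignatureAlgorithm.FriendlyName
    if ($name -match '^(sha\d+|md5)') { return $Matches[1].ToUpperInvariant() }
    return $Cert.SignatureAlgorithm.Value   # fall back to the raw OID if unrecognised
}

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku
}

if (-not $certs) {
    Write-Warning 'No certificate with the Smart Card Logon EKU in Cert:\CurrentUser\My (card inserted and propagated?)'
    return
}

foreach ($cert in $certs) {
    $keyAlg = $cert.PublicKey.Oid.FriendlyName   # "RSA" or "ECC"
    Write-Host ('Leaf : {0}  key={1}  sig={2}' -f $cert.Subject, $keyAlg, (Get-SignatureHashName $cert))

    # Walk the chain (offline: no revocation checking, we only want the algorithms)
    # and flag any CA certificate still signed with SHA-1 or MD5.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)
    foreach ($el in ($chain.ChainElements | Select-Object -Skip 1)) {
        $c    = $el.Certificate
        $hash = Get-SignatureHashName $c
        $flag = if ($hash -in 'SHA1', 'MD5') { '  <-- weak: renew this CA with SHA-2' } else { '' }
        Write-Host ('  CA : {0}  sig={1}{2}' -f $c.Subject, $hash, $flag)
    }
    $chain.Dispose()
}
```

Note the distinction this check draws: it reports the hash algorithm inside each certificate's signature, which is what the answer asks you to verify, and it does not observe which digest the Kerberos client computes over the AS-REQ at logon time, which is the behaviour the question describes. A chain that is SHA-256 end to end therefore settles the first point only.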
  2. Anonymous
    2024-02-22T10:10:14+00:00

    Hi Zhou,

    Thank you very much for your response.

    I have already migrated my root CA and smart card certificate to use SHA-256, and my Windows 10/11 machines are on the latest version. But Kerberos/PKINIT still uses SHA-1 instead of SHA-2.

    In versions 8 to 16 of https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pkca/d0cf1763-3541-4008-a75f-a577fa5e8c5b we can see that SHA-1 can be used with ECC and RSA, but SHA-2 can only be used with ECC. Does that mean we should use an ECC certificate?

    Best Regards,

    Geoffrey
