Certificate Requirements for Smart Card Logon

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

Certificate requirements for Windows XP and earlier

The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems.

Component Requirement

CRL distribution point location

The location must be specified, online, and available. For example:

[1]CRL Distribution Point
Distribution Point Name:
Full Name:

Key usage

Digital signature

Basic constraints

[Subject Type=End Entity, Path Length Constraint=None] (Optional)

Enhanced key usage

  • Client Authentication (

    The client authentication object identifier is required only if a certificate is used for SSL authentication.

  • Smart Card Logon (

Subject alternative name

Other Name: Principal Name=(UPN). For example:


The UPN OtherName object identifier is

The UPN OtherName value must be an ASN1-encoded UTF8 string.


Distinguished name of user. This field is a mandatory extension, but the population of this field is optional.

There are two predefined types of private keys. These keys are Signature Only (AT_SIGNATURE) and Key Exchange (AT_KEYEXCHANGE). Smart card logon certificates must have a Key Exchange (AT_KEYEXCHANGE) private key type.

Certificate requirements for Windows Vista and Windows 7

You can enable any certificate to be visible for the smart card credential provider.

Component Requirement


Not required


Not required

Key usage

Digital signature

Enhanced key usage (EKU)

The smart card logon object identifier is not required.

If an EKU is present, it must contain the smart card logon EKU. Certificates with no EKU can be used for logon.

Subject alternative name

E-mail ID is not required for smart card logon.

Key exchange (AT_KEYEXCHANGE field)

Not required for smart card logon certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.)