I have a project that is a website authenticated with a smart card (DoD CAC). I need to make multiple test certificates that the site can use for client authenticating the session. It seems possible to have a non-smartcard-based certificate that a user can choose for client authentication.
I feel comfortable saying this because when I hit my dev site on my MacBook, it shows me 2 Apple certificates. Those won't work because our authentication process requires a short sequence of numbers at the end of the common name.
I have tried SO many different things; I simply cannot create a certificate that presents along with my DoD CAC certs when hitting the site. In the certificate manager the Mac certificate, the DoD CACs and my test certs are showing "Client Authentication" in the Intended Purposes field. I also have the self-signed cert that I used as the CA for my test cert in trusted roots.
The DoD certs have "Smart Card Logon" and "Client Authentication" in the Intended Purposes field. I can only specify 1 eku when using makecert.exe, so I can make the certificate with a "Client Authentication" or "Smart Card Logon" value, but not both. It would seem logical that I only need the certificate to be set with "Client Authentication".
Next I'm going to try using certreq; I read something that implied I can set multiple values for intended purposes with it.
How can I make my own client authentication certificate that the website will let me choose?