EIDAuthenticate, Tool for smart card logon

With open source EIDAuthenticate it is possible to use 2-factor authentication, smart card + PIN, to login to Windows. EIDAuthenticate is for Windows Vista & later on stand alone computer (computer not in domain, ie. no Active Directory in use).


What is needed

List of supported cards can be found on their web site. A more complete list with details, is also available.


  • Initialize the card. I used initialization script “small” which basically creates 3 PINs on the card: Basic, Signature and Management (SO). At this point, there is no certificates on the card yet.


  • At the end of the wizard, there is a test to verify if PIN works. After succesfull test, wizard ask if result can be send to online database.


  • Initialize the smart card with the card vendor’s tools (not with opensc).
  • The self signed Root certificate created by the wizard is visible in the Certificate Manager tool (certmgr.msc) in Windows 7. Look the certificates under tree branch “Trusted Root Certification Authorities\Certificates”.
  • Before logon attempt, one can view certification path via link “Certicate Details” (see first figure in this blog).
  • For troubleshooting, one can use EIDLogManagertool.


  • One can use card vendor’s tool, or opensc, to view the content of the smart card. The figure below shows the card vendor’s tool. The certificate on the card is for user “Lauri”, issued by “Lauri-PC”.


  • OpenSC and OpenSSL can be good tools to retrieve information from “common” smart cards. To extract the certificate out from the card, can be done in this case by command

pkcs15-tool –read-certificate 45 –output certificate.pem

  • and to extract issuer and subject out from the certificate, can be done by commad

openssl x509 -in certificate.pem -issuer -subject -noout

  • which is the same as subjectCN and issuerCN in figure above.
This entry was posted in Anvanced Tools, Recommended Free Tools, Tips. Bookmark the permalink.

Comments are closed.