Hi Samba users ! Working in healthcare, our medical users have a personnal smart card given by authorities. My goal is to manage a central authentication method based on SSmart Card and our existing Samba4. I would love to use Samba4 as DC and PKI server to authenticate our users with this smart card. I worked hard with this doc : https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login but failed when the CA nees to issue de certificate. I guess that errors are about extra oids, and/or the section added as "subjectAltName". Do you think that there is a straightforward way to implement this kind of configuration ? Maybe a fresher doc ? For the most technical of you, our OpenSSL version is 1.1.1d on Debian 10 and here is the output : Error Loading extension section usr_cert_mskdc 140201503388800:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=email_in_dn 140201503388800:error:0E06D06C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:273:group=CA_default name=rand_serial 140201503388800:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73: 140201503388800:error:2206706E:X509 V3 routines:v2i_EXTENDED_KEY_USAGE:invalid object identifier:../crypto/x509v3/v3_extku.c:96:section:<NULL>,name:msKDC,value:<NULL> 140201503388800:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=extendedKeyUsage, value=clientAuth, serverAuth, msKDC Thanks a lot and long life to this list. -- OB