I can successfully generate a certificate request with certreq.exe that
looks like this:
*Subject:*
-E=em...@domain.com
CN=Name
OU=Unit5
T=title
SN=123456
O=org
C=BE-
The certificate is send to the subordinate CA for signing. The
certificate is signed without errors. But when I view the certificate
the 'T' and 'SN' fields are not in the resulting certificate. And my
subject looks like this:
*Subject:*
-E=em...@domain.com
CN=Name
OU=Unit5
O=org
C=BE-
Is there any way to change this behaviour? Does MS PKI only allow
certain fields? While 'T' and 'SN' are known fields in the certificate
world.
If I use 'S=123456' for instance I don't have any problems.
All feedback is very much appreciated.
Kris
View this thread: http://forums.techarena.in/showthread.php?t=827315
CN, OU, E, O, L, S, C
But no other...
maybe this link is going to be useful
http://technet2.microsoft.com/windowsserver/en/library/7fe116af-971b-44d3-809e-00606c080a191033.mspx?mfr=true
check out the following
-SNIP-
SubjectTemplate
Registry Path
\CertSvc\Configuration\CAName\SubjectTemplate
Version
Windows Server 2003 and Windows 2000 Server
This setting contains an ordered list of the subject relative distinguished name
elements that are allowed in the Subject field of certificates issued by the CA.
This setting can only be set to a small, fixed list of relative distinguished
name elements supported by the CA. If during request processing a listed
relative distinguished name field is empty, or if the field is not populated by
the request Subject field or by the policy module, the element will not be
included. If the registry value is completely empty, the binary subject encoding
from the request is passed through to the issued certificate unmodified.
-SNIP-
Default setting is
EMail
CommonName
OrganizationalUnit
Organization
Locality
State
DomainComponent
Country
Which are those fields that 'work' in your case.
HTH
Martin
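Worked example added by the editor, not part of the thread: a small Python script that parses a certreq-style subject string and predicts which RDNs the CA will keep for a given SubjectTemplate list, in template order, following the registry description quoted above (unlisted or empty elements dropped, empty template = pass-through). The eight default template names are the ones listed in the post; the mapping from certreq subject keys to template names beyond those defaults (T to Title, SN to SurName, G to GivenName, I to Initials, SERIALNUMBER to DeviceSerialNumber) is the editor's assumption and should be checked against `certutil -getreg CA\SubjectTemplate` on your own CA. One caveat worth knowing before adding SurName to the template: in the certreq subject syntax 'SN' is the X.500 surname attribute (2.5.4.4), not a serial number; a device serial number is written 'SERIALNUMBER' (2.5.4.5).

```python
"""Predict which subject RDNs a Windows CA keeps, given its SubjectTemplate list.

Editor's example, not from the thread. Models the registry description quoted
above: the CA rebuilds the subject from an ordered list of allowed RDN elements,
drops anything not on the list or empty, and passes the subject through
untouched when the list is empty.
"""
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]

# certreq subject key -> SubjectTemplate element name. The eight default names are
# the ones in the post; Title, SurName, GivenName, Initials and DeviceSerialNumber
# are the editor's assumption: verify with 'certutil -getreg CA\SubjectTemplate'.
RDN_KEY_TO_TEMPLATE: Dict[str, str] = {
    "E": "EMail", "CN": "CommonName", "OU": "OrganizationalUnit", "O": "Organization",
    "L": "Locality", "S": "State", "ST": "State", "DC": "DomainComponent", "C": "Country",
    "T": "Title", "SN": "SurName", "G": "GivenName", "I": "Initials",
    "SERIALNUMBER": "DeviceSerialNumber",
}

# Default SubjectTemplate as quoted in the thread (ordered).
DEFAULT_SUBJECT_TEMPLATE: List[str] = [
    "EMail", "CommonName", "OrganizationalUnit", "Organization",
    "Locality", "State", "DomainComponent", "Country",
]


def parse_subject(subject: str) -> List[RDN]:
    """Split 'E=a@b,CN=Name,OU=Unit5' into [(key, value), ...]. A value may be
    double-quoted to protect commas and equals signs, as in CN="Doe, John"."""
    rdns: List[RDN] = []
    key: Optional[str] = None
    buf: List[str] = []
    quoted = False
    for ch in subject:
        if ch == '"':
            quoted = not quoted
        elif ch == "=" and key is None and not quoted:
            key, buf = "".join(buf).strip().upper(), []
        elif ch == "," and not quoted:
            if key is None:
                raise ValueError("RDN without '=': %r" % "".join(buf))
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unterminated quote in subject")
    if key is not None:
        rdns.append((key, "".join(buf).strip()))
    return rdns


def apply_subject_template(rdns: List[RDN], template: List[str]) -> Tuple[List[RDN], List[RDN]]:
    """Return (kept, dropped). kept is in template order (stable for repeated keys
    such as several OUs); an empty template passes the request subject through."""
    if not template:
        return list(rdns), []
    rank = {name: i for i, name in enumerate(template)}
    kept: List[RDN] = []
    dropped: List[RDN] = []
    for key, value in rdns:
        name = RDN_KEY_TO_TEMPLATE.get(key)
        if name in rank and value:          # unlisted key, or listed-but-empty value: dropped
            kept.append((key, value))
        else:
            dropped.append((key, value))
    kept.sort(key=lambda kv: rank[RDN_KEY_TO_TEMPLATE[kv[0]]])
    return kept, dropped


def format_subject(rdns: List[RDN]) -> str:
    """Back to certreq syntax, quoting values that contain a separator."""
    parts = []
    for key, value in rdns:
        if "," in value or "=" in value:
            value = '"%s"' % value
        parts.append("%s=%s" % (key, value))
    return ",".join(parts)


if __name__ == "__main__":
    # Kris's request subject from the thread, run against the default template and
    # against the default template with Title appended.
    request = "E=em@domain.com,CN=Name,OU=Unit5,T=title,SN=123456,O=org,C=BE"
    for label, template in (("default", DEFAULT_SUBJECT_TEMPLATE),
                            ("default+Title", DEFAULT_SUBJECT_TEMPLATE + ["Title"])):
        kept, dropped = apply_subject_template(parse_subject(request), template)
        print("%-14s kept:    %s" % (label, format_subject(kept)))
        print("%-14s dropped: %s" % ("", format_subject(dropped)))
```

Running it against Kris's subject reproduces the thread: with the default template E, CN, OU, O and C survive and T and SN are dropped; with Title appended, T comes back (at the end, because the template is an ordered list) and only SN is still dropped.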
Brian
"Kris" <Kris....@DoNotSpam.com> wrote in message
news:Kris....@DoNotSpam.com...
That solution you provided works perfectly. I can now use T (title)
also.
I didn't see that website you referred to before; it was quite
helpful.
I still have one problem that remains:
My sub CA does not add the Basic Constraints extension to the certificate.
Furthermore I also like to make it critical. While I can successfully
generate the request that contains these parameters:
c:\pki\test>certutil.exe -setextension 25 2.5.29.19 1 @bc.txt
0000 30 00 0.
certutil: -setextension command completed successfully.
The resulting certificate doesn't contain it.
I have also done the following but no change... Any ideas?
c:\pki\test>certutil -setreg policy\editflags
-editf_basicconstraintscritical
system\currentcontrolset\services\certsvc\configuration\kfbn-frnb
issuing ca class a\policymodules\certificate
authority_microsoftdefault.policy\editflags:
old value:
editflags reg_dword = 83e6 (33766)
editf_requestextensionlist -- 2
editf_disableextensionlist -- 4
editf_attributeenddate -- 20 (32)
editf_basicconstraintscritical -- 40 (64)
editf_basicconstraintsca -- 80 (128)
editf_enableakikeyid -- 100 (256)
editf_attributeca -- 200 (512)
editf_attributeeku -- 8000 (32768)
new value:
editflags reg_dword = 83a6 (33702)
editf_requestextensionlist -- 2
editf_disableextensionlist -- 4
editf_attributeenddate -- 20 (32)
editf_basicconstraintsca -- 80 (128)
editf_enableakikeyid -- 100 (256)
editf_attributeca -- 200 (512)
editf_attributeeku -- 8000 (32768)
Kris
View this thread: http://forums.techarena.in/showthread.php?t=816171
Thanks
Luciano
Kris;3200911 Wrote:
> Thanks Paul; This was indeed the correct solution.
>
> Do you have any ideas about my other problem:
> http://forums.techarena.in/showthread.php?t=827315
>
> Regards
--
Luciano01
> What was the CORRECT solution ????
> I'm getting crazy...
You've replied to a really, really old thread which has scrolled off of my
server and have not detailed the problem.
--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
A computer program does what you tell it to do, not what you want it to do.
The problem is exactly the same reported by Kris: I need to customize
the setup of a subordinate CA so that its certificate has a Key Usage
value of only 'Certificate Signing, Off-line CRL Signing, CRL Signing
(06)'. I successfully setup the Root CA editing the CAPolicy.inf file
with the lines
[Extensions]
2.5.29.15=AwIBBg==
Critical=2.5.29.15
but the setup of the subordinate CA seems even more tricky.
I used the setreg command you mentioned (certutil -setreg
policy\EditFlags -EDITF_ADDOLDKEYUSAGE) on the Root CA before issuing
the certificate, but the request (just as in the case of Kris) reads
"Key Usage (Digital Signature,...)" and the CA root did not issue the
certificate I want. I certainly miss something, but what ?
Technet
(http://technet2.microsoft.com/windowsserver/en/library/f29fc69b-de1a-45ba-a0dd-a6b3d05137341033.mspx?mfr=true)
did not say much more. Please help.
Both CAs are Windows 2003.
Thank you a lot in advance.
Luciano
just to be sure, you want to have the key usage on a subordinate ca defined only
for Certificate Signing, Off-line CRL Signing, CRL Signing - 0x06.
And you have edited the Root CA CAPolicy.inf? I think that this is the issue.
You need to edit the subordinate CA's CAPolicy.inf as this is the place where
you specify what kind of information will be present in the request for a
certificate.
You can verify whether your subordinate CA's certificate request contains the right
key usage using the certutil -dump request.req command.
Regards
Martin
PS: please correct me if I wrote something wrong; it's Friday and I'm tired ...
exactly, I want (my boss wants) the key usage on a subordinate ca
defined only for Certificate Signing, Off-line CRL Signing, CRL Signing
- 0x06.
I understood that the CAPolicy.inf had to be edited only to setup the
ROOT CA, so there is no CAPolicy.inf on the wannabe subordinate CA. It
is very possible I misunderstood. If so, what my CAPolicy.inf look like
to reach that kind of CA certificate ?
My dumps all show the same frustrating values:
-----------------------------------------------
[...]
Request Attributes: 3
3 attributes:
Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
Value[0][0]:
5.2.3790.2.Service Pack 2
Attribute[1]: 1.3.6.1.4.1.311.2.1.14 (Certificate Extensions)
Value[1][0]:
Unknown Attribute type
Certificate Extensions: 3
2.5.29.19: Flags = 1(Critical), Length = 5
Basic Constraints
Subject Type=CA
Path Length Constraint=None
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
a9 32 4d 2d 6e 72 60 d1 cc 81 f1 3f 91 e9 c2 92 6a 35 db f0
2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Certificate Signing, Off-line CRL Signing,
CRL Signing (86)
Attribute[2]: 1.2.840.113549.1.9.14 (Certificate Extensions)
Value[2][0]:
Unknown Attribute type
Certificate Extensions: 5
1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
CA Version
V0.0
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
a9 32 4d 2d 6e 72 60 d1 cc 81 f1 3f 91 e9 c2 92 6a 35 db f0
1.3.6.1.4.1.311.20.2: Flags = 0, Length = c
Certificate Template Name
SubCA
2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Certificate Signing, Off-line CRL Signing,
CRL Signing (86)
2.5.29.19: Flags = 1(Critical), Length = 5
Basic Constraints
Subject Type=CA
Path Length Constraint=None
[...]
-----------------------------------------------
Thank you so much for your reply and your help (it's 6pm here so I have
to rush away...)
Luciano
You need to change the CAPolicy.inf on the subordinate CA. CAPolicy.inf is used
during the enrollment process and the request and its contents depends on the file.
As the dump says:
Luciano01 wrote:
> 2.5.29.15: Flags = 0, Length = 4
> Key Usage
> Digital Signature, Certificate Signing, Off-line CRL Signing,
> CRL Signing (86)
the request already contains key usage 0x86 described as above and the root CA
is issuing a certificate based on that request.
> I understood that the CAPolicy.inf had to be edited only to setup the
> ROOT CA, so there is no CAPolicy.inf on the wannabe subordinate CA. It
> is very possible I misunderstood. If so, what my CAPolicy.inf look like
> to reach that kind of CA certificate ?
CAPolicy.inf is used for customizing the parameters of *any* (not only
root) CA certificate before its certificate request is generated (either the first
time or while renewing). It can also define other parameters of a CA prior to its
installation.
The structure of CAPolicy.inf depends on the determined requirements regarding
the subordinate CAs certificate (e.g. key length, extended key usage,
information regarding CPS,...).
If you want some further reading I can recommend you the great book written by
Brian Komar "Windows Server 2008 PKI and Certificate Security".
If you want just the job done try following CAPolicy.inf on subordinate CA (Not
recommended. You should modify this CAPolicy.inf so it will fit your environment)
[Version]
Signature="$Windows NT"
[Extensions]
2.5.29.15=AwIBBg==
Critical=2.5.29.15
Best regards
Martin
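Worked example added by the editor, not code from the thread: a Python script that builds and decodes the base64 DER values CAPolicy.inf takes under [Extensions], for the two extensions this thread is about. It reproduces Martin's `2.5.29.15=AwIBBg==` (Key Usage 0x06, Certificate Signing + CRL Signing), shows why Luciano's dumps read `(86)` (the same bits plus Digital Signature), and produces a cA=TRUE Basic Constraints value for Kris's earlier question. Note on Kris's `certutil -setextension` output: `30 00` is an empty BasicConstraints SEQUENCE, i.e. cA absent and therefore FALSE, which is an end-entity constraint, not a CA one; a CA constraint must encode as `30 03 01 01 FF` (`MAMBAf8=`). The `Critical=` line with more than one OID comma-separated is the editor's reading of the CAPolicy.inf syntax (the thread only shows the single-OID form); check it against the CAPolicy.inf reference for your CA version.

```python
"""Build and inspect the base64 DER values that CAPolicy.inf takes under [Extensions].

Editor's example, not from the thread. Covers KeyUsage (2.5.29.15) and
BasicConstraints (2.5.29.19); the encoder is hand-rolled so the byte layout is visible.
"""
import base64
from typing import List, Optional, Tuple

OID_KEY_USAGE = "2.5.29.15"
OID_BASIC_CONSTRAINTS = "2.5.29.19"

# RFC 5280 KeyUsage named bits, bit 0 first. Bit 0 is the most significant bit of
# the first data octet, which is why certutil prints 'Certificate Signing, CRL
# Signing' as (06) and the same set plus 'Digital Signature' as (86).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value for short-form lengths (< 128 bytes), all we need here."""
    if len(body) >= 128:
        raise ValueError("long-form length not supported")
    return bytes([tag, len(body)]) + body


def encode_key_usage(*names: str) -> bytes:
    """DER BIT STRING for a set of KeyUsage names, with DER's trailing-zero-bit trimming."""
    value = 0
    for n in names:
        value |= 1 << (15 - KEY_USAGE_BITS.index(n))    # digitalSignature -> 0x8000
    data = value.to_bytes(2, "big")
    if data[1] == 0:                  # second octet is only needed for decipherOnly (bit 8)
        data = data[:1]
    if data == b"\x00":               # empty set: zero-length bit string
        return _tlv(0x03, b"\x00")
    unused = (data[-1] & -data[-1]).bit_length() - 1    # trailing zero bits of last octet
    return _tlv(0x03, bytes([unused]) + data)


def decode_key_usage(der: bytes) -> Tuple[List[str], int]:
    """Return (names, first data octet); the octet is the '(06)' / '(86)' certutil -dump shows."""
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form BIT STRING")
    payload = der[3:]
    value = int.from_bytes(payload.ljust(2, b"\x00"), "big")   # left-align to 16 bits
    names = [n for i, n in enumerate(KEY_USAGE_BITS) if value & (1 << (15 - i))]
    return names, payload[0]


def encode_basic_constraints(ca: bool, path_len: Optional[int] = None) -> bytes:
    """DER BasicConstraints. cA=FALSE is the DEFAULT and is omitted, so an end-entity
    constraint encodes as the empty SEQUENCE 30 00 (what Kris's bc.txt produced)."""
    body = b""
    if ca:
        body += _tlv(0x01, b"\xff")                       # BOOLEAN TRUE must be 0xFF in DER
    if path_len is not None:
        if path_len < 0:
            raise ValueError("pathLenConstraint must be >= 0")
        n = (path_len.bit_length() + 8) // 8              # +8 keeps the INTEGER sign bit clear
        body += _tlv(0x02, path_len.to_bytes(n, "big"))
    return _tlv(0x30, body)


def capolicy_b64(der: bytes) -> str:
    """The value form CAPolicy.inf expects: bare base64 of the extension body, no PEM header."""
    return base64.b64encode(der).decode("ascii")


def capolicy_extensions(*exts: Tuple[str, bytes, bool]) -> str:
    """Render an [Extensions] section. Critical OIDs go on one comma-separated Critical=
    line (editor's assumption for the multi-OID case; the thread shows a single OID)."""
    lines = ["[Extensions]"]
    critical = []
    for oid, der, is_critical in exts:
        lines.append("%s=%s" % (oid, capolicy_b64(der)))
        if is_critical:
            critical.append(oid)
    if critical:
        lines.append("Critical=" + ",".join(critical))
    return "\n".join(lines)


if __name__ == "__main__":
    # The subordinate-CA profile Luciano asked for (key usage 0x06, critical) plus a
    # critical cA=TRUE BasicConstraints, the extension Kris's sub CA was missing.
    ku = encode_key_usage("keyCertSign", "cRLSign")
    bc = encode_basic_constraints(True)
    print(capolicy_extensions((OID_KEY_USAGE, ku, True), (OID_BASIC_CONSTRAINTS, bc, True)))
    # What Luciano's request dumps showed: (86) = the same bits plus Digital Signature.
    print(decode_key_usage(base64.b64decode("AwIBhg==")))
```

To check a value you already have, paste the base64 from a CAPolicy.inf into `decode_key_usage(base64.b64decode(...))`; the second element of the result is the hex byte certutil prints in parentheses, so 0x06 must come back for the profile this thread wants and 0x86 means Digital Signature is still set.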
thank you so much for your answer. I did manage to create a request
that reads:
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Certificate Signing, Off-line CRL Signing, CRL Signing (06)
Now I have an error when trying to install the certificate and start
the service. I'll try to restart the whole procedure from the beginning
because I might have misconfigured something. I'll let you know here
soon.
Thank you so much again by now.
Luciano
P.S. Don't know the policy of the community. I keep replying leaving
the whole message I reply to help understanding of the topic. In case
this is no good just say so.
It's still a bit tricky because both Certification Services setup and
the certificate installation have to be done with an Enterprise Admin
account. And still, until you install the certificate, the System event log
shows some DCOM errors.
Thanks all for support. I'll keep following this forum and try to go
through the book Martin suggested before asking for help again.
Bye all
Luciano
Thanks,
--
hvthang