
How to request a certificate and archive it with certreq for somebody


Igor

Apr 13, 2007, 9:00:02 AM4/13/07
I'm able to request certificates for our users via the certreq util. For all
requests I use the certificate enrolment agent key for signing requests. It is
well documented. But I didn't find any documentation on how to create a request
for certificates whose templates are configured to AutoArchive the private key
(we use such a template for e-mail certificates). I tried some options but always
receive an error about "missing a required private key". What options should
I use?

Martin Rublik

Apr 16, 2007, 2:46:50 AM4/16/07
Hi,

check out
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

you need to set PrivateKeyArchive=TRUE in your request file. Also you
need to specify the format as CMC (RequestType=CMC).

HTH

Martin

Igor

Apr 16, 2007, 5:08:05 AM4/16/07
Thanks Martin for your reply. I read this document, fixed my inf file and
received a new error

Error Cannot Archive Signing Key Key not valid for use in specified state.
0x8009000b (-2146893813)

And I cannot find any info. Any ideas? Here is my INF file for review

[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "E=blab...@blabla.com, CN=User1"
PrivateKeyArchive=TRUE
KeySpec = 2
KeyUsage = 0xa0
Providertype = 1
RequesterName = nana\nana
RequestType = CMC
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
KeyLength = 2048
[RequestAttributes]
CertificateTemplate = e-mail_script
SAN="email=blab...@blalba.com"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.4

Martin Rublik

Apr 17, 2007, 9:50:43 AM4/17/07
Hi,

as I see, you are using the private key both for decryption and signing,
which is not very good in general.

If you are archiving a private key that is used for digital signatures you
cannot guarantee that the private key is under the user's sole possession.

In general, concepts regarding PKI and its implementation are very well
described in Brian Komar's book. If you are interested in PKI you should
definitely read it.

The trouble you have is caused by KeySpec=2, which specifies that the private
key should be used for signing or encryption or both. You cannot archive a
private key that is used for signing only (KeySpec=2); you need to change
it to KeySpec=1.

Here is my INF that worked. Just as a note - you don't need to specify
subject name and SAN, Active Directory can build it for you.

[Version]
Signature = "$Windows NT$"
[NewRequest]
PrivateKeyArchive=TRUE
KeySpec = 1
KeyUsage = 0xa0
Providertype = 1
RequestType = CMC
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
KeyLength = 2048
SMIME = TRUE
[RequestAttributes]
CertificateTemplate = email_test
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.4

I ran it this way:
certreq -new -f -config "CAServerName\CA Name" INFFile.inf Request.req
certreq -submit -config "CAServerName\CA Name" Request.req Certificate.cer Chain.cer Full.cer
certreq -accept Full.cer

However I still think that you should not archive the private keys that
are used for signature and encryption. Best practice is to split the
purpose for signing and encryption certificates.

Regards

Martin
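The two conditions Martin calls out (key archival needs RequestType = CMC and an exchange key, KeySpec = 1, and an archived key should not also carry the digitalSignature key usage) can be checked before the request is ever submitted. The following linter is an added example, not code from the thread or from Microsoft; it parses a certreq INF with Python's configparser and reports the settings that would make the archival request fail or weaken sole possession of a signing key. The embedded INF is constructed from Igor's post with placeholder addresses, and the KeyUsage bit values are the standard X.509/wincrypt masks (digitalSignature = 0x80, keyEncipherment = 0x20).

```python
"""Lint a certreq INF file for private-key archival compatibility.

Added example (not from the thread). Checks that a request with
PrivateKeyArchive=TRUE also uses RequestType = CMC and KeySpec = 1, and
warns when the KeyUsage keeps the digitalSignature bit on an archived key.
"""
import configparser

# Standard X.509 KeyUsage bit masks as written in certreq INF files
KU_DIGITAL_SIGNATURE = 0x80
KU_KEY_ENCIPHERMENT = 0x20

# Constructed sample based on Igor's INF; the addresses are placeholders.
SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "E=user1@example.invalid, CN=User1"
PrivateKeyArchive=TRUE
KeySpec = 2
KeyUsage = 0xa0
Providertype = 1
RequesterName = EXAMPLE\\user1
RequestType = CMC
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
KeyLength = 2048
[RequestAttributes]
CertificateTemplate = e-mail_script
SAN="email=user1@example.invalid"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.4
"""


def parse_inf(text):
    """Parse INF text; INF keys are case-insensitive, which configparser
    models by lower-casing option names."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def lint_archival(text):
    """Return (errors, warnings) for the [NewRequest] section.

    errors   - settings that make a key-archival request fail at the CA
    warnings - settings that work but undermine the signing key's sole
               possession (Martin's point about archiving signing keys)
    """
    cp = parse_inf(text)
    errors, warnings = [], []
    if not cp.has_section("NewRequest"):
        errors.append("missing [NewRequest] section")
        return errors, warnings
    req = cp["NewRequest"]

    if req.get("privatekeyarchive", "FALSE").strip().upper() != "TRUE":
        return errors, warnings  # nothing to archive, nothing to check

    # Archival is carried in a CMC request; a PKCS#10 request cannot carry it.
    if req.get("requesttype", "PKCS10").strip().upper() != "CMC":
        errors.append("PrivateKeyArchive=TRUE requires RequestType = CMC")

    # Only an exchange key (AT_KEYEXCHANGE, KeySpec = 1) can be archived.
    keyspec = req.get("keyspec")
    if keyspec is None:
        warnings.append("KeySpec not set; set KeySpec = 1 explicitly for archival")
    elif keyspec.strip() != "1":
        errors.append(f"KeySpec = {keyspec.strip()}: archived keys must use KeySpec = 1")

    # KeyUsage is a hex bitmask, e.g. 0xa0 = digitalSignature | keyEncipherment.
    ku_raw = req.get("keyusage")
    if ku_raw is not None:
        ku = int(ku_raw.strip(), 0)
        if ku & KU_DIGITAL_SIGNATURE:
            warnings.append("KeyUsage includes digitalSignature (0x80): an archived "
                            "key should not also be a signing key; split the purposes")
        if not ku & KU_KEY_ENCIPHERMENT:
            warnings.append("KeyUsage lacks keyEncipherment (0x20) for an archived "
                            "encryption key")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = lint_archival(SAMPLE_INF)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Running it on the sample reports one error (KeySpec = 2) and one warning (digitalSignature on an archived key); changing the sample to KeySpec = 1 and KeyUsage = 0x20 clears both, which matches the split-purpose layout Martin recommends rather than his working INF, which keeps 0xa0.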

Igor

Apr 20, 2007, 11:08:00 AM4/20/07
Thanks a lot Martin!

I use SAN in the inf because I create these certs for our employees myself and
store them on USB tokens.
I agree with you and will think about splitting certificate usage.

Thanks again, it was really helpful!
