
Certreq error trying to establish a certificate request


Spin

Feb 26, 2006, 12:17:53 AM
Experts,

This should be so simple I feel like an idiot. I am trying to generate a
Certificate Signing Request (CSR) from my W2K3 domain controller using the
certreq command below.

certreq -new request.inf request.cer

The problem is how do I format the Request.inf file? Looking at KB321051
(http://support.microsoft.com/?kbid=321051). I am supposed to input the
FQDN of my domain controller and I did that but something else is still
wrong (and I can duplicate this on two different DCs in two completely
different forest domains). The DN of my domain controller is
"CN=EBIZ-GATE,OU=Domain Controllers,DC=ebiz,DC=local". Everything below is
in my Request.inf file. The error returned is: "Expected INF file section
name 0xe0000000 (INF: -536870912) request.inf". What am I doing wrong?

----------------- request.inf -----------------

[Version] Signature="$Windows NT

[NewRequest] Subject = "CN=EBIZ-GATE,OU=Domain Controllers,DC=ebiz,DC=local"
; replace with the FQDN of the DC KeySpec=1 KeyLength=1024
; Can be 1024, 2048, 4096, 8192, or 16384. ; Larger key sizes are more
secure, but have
; a greater impact on performance. Exportable=TRUE
MachineKeySet=TRUE
SMIME=False
PrivateKeyArchive=FALSE
UserProtected=FALSE
UseExistingKeySet=FALSE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
KeyUsage=0xa0

[EnhancedKeyUsageExtension] OID=1.3.6.1.5.5.7.3.1
; this is for Server Authentication

-----------------------------------------------


--
Spin


Paul Adare

Feb 26, 2006, 5:26:40 AM
In article <46cs0nF...@individual.net>, in the
microsoft.public.security.crypto news group, Spin <Sp...@spin.com>
says...

> The problem is how do I format the Request.inf file? Looking at KB321051
> (http://support.microsoft.com/?kbid=321051). I am supposed to input the
> FQDN of my domain controller and I did that but something else is still
> wrong (and I can duplicate this on two different DCs in two completely
> different forest domains). The DN of my domain controller is
> "CN=EBIZ-GATE,OU=Domain Controllers,DC=ebiz,DC=local". Everything below is
> in my Request.inf file. The error returned is: "Expected INF file section
> name 0xe0000000 (INF: -536870912) request.inf". What am I doing wrong?
>
> ----------------- request.inf -----------------
>
> [Version] Signature="$Windows NT
>
> [NewRequest] Subject = "CN=EBIZ-GATE,OU=Domain Controllers,DC=ebiz,DC=local"
> ; replace with the FQDN of the DC
>

What you're doing wrong is not understanding what an FQDN is. FQDN
stands for Fully Qualified Domain Name, not Fully Qualified
Distinguished Name.

You need to use the machinename.domain.com format, not the LDAP format,
which is what you're attempting to use. So it should be:

Subject=ebiz-gate.ebiz.local


--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

Spin

Feb 26, 2006, 9:38:39 AM
"Paul Adare" <pad...@newsguy.com> wrote in message
news:MPG.1e6b4c6fd...@msnews.microsoft.com...

> What you're doing wrong is not understanding what an FQDN is. FQDN
> stands for Fully Qualified Domain Name, not Fully Qualified
> Distinguished Name.
>
> You need to use the machinename.domain.com format, not the LDAP format,
> which is what you're attempting to use. So it should be:
>
> Subject=ebiz-gate.ebiz.local

I changed that but am still getting the error. Questions:

1) Should this first line be in there or not:

----------------- request.inf -----------------

2) I am running Windows Server 2003. So is this line correct:

[Version] Signature="$Windows NT

3) My third line now looks like this. Is the format correct? (the FQDN
*is* now right)

[NewRequest] Subject=EBIZ-GATE.ebiz.local

4) On the fourth line, should it look like this:

; replace with the FQDN of the DC KeySpec=1 KeyLength=1024

or like this:

; replace with the FQDN of the DC

therefore leaving the fifth and sixth lines look like this:

KeySpec=1

KeyLength=1024

--
Spin


Paul Adare

Feb 26, 2006, 1:23:55 PM
In article <46dsnmF...@individual.net>, in the
microsoft.public.security.crypto news group, Spin <Sp...@spin.com>
says...

> [Version] Signature="$Windows NT
>

The lines with the square brackets need to be on their own lines. Same
with the line with Key=Value.

Spin

Feb 26, 2006, 1:31:05 PM
Does the line "----------------- request.inf -----------------" need to be
in the file?

--
Spin

"Paul Adare" <pad...@newsguy.com> wrote in message

news:MPG.1e6bbc41c...@msnews.microsoft.com...

Paul Adare

Feb 26, 2006, 1:52:36 PM
In article <46eabfF...@individual.net>, in the
microsoft.public.security.crypto news group, Spin <Sp...@spin.com>
says...

> Does the line "----------------- request.inf -----------------" need to be
> in the file?
>

No.

Spin

Feb 26, 2006, 2:29:02 PM
And this line below, is correct, "as is"?

[Version] Signature="$Windows NT

--
Spin

"Paul Adare" <pad...@newsguy.com> wrote in message

news:MPG.1e6bc2f96...@msnews.microsoft.com...

Paul Adare

Feb 26, 2006, 3:20:41 PM
In article <46edo5F...@individual.net>, in the
microsoft.public.security.crypto news group, Spin <Sp...@spin.com>
says...

> And this line below, is correct, "as is"?
>
> [Version] Signature="$Windows NT

No, go back and reread what I've already posted.

--
Paul Adare - MVP Virtual Machines

Brian Komar [MVP]

Feb 26, 2006, 3:20:43 PM
In article <46edo5F...@individual.net>, Sp...@spin.com says...

> And this line below, is correct, "as is"?
>
> [Version] Signature="$Windows NT
>
>
This should be on two separate lines
[Version]
Signature="$Windows NT"

There is never any additional content on a heading [title] line.

Brian

Spin

Feb 26, 2006, 6:15:53 PM
Thank you for your response. I wish the darn KB article would have
explained that! I am getting a little closer now. My new error is the
following:

Certificate Request Processor: The string contains an invalid X500 name
attribute key, oid, value or delimiter. 0x80092023 (-2146885597)
[RequestAttributes]

Here is my latest and greatest attempt at properly formatting a request.inf
file:

[Version]
Signature="$Windows NT

[NewRequest]
Subject = EBIZ-GATE.ebiz.local


; replace with the FQDN of the DC
KeySpec=1
KeyLength=1024

; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable=TRUE
MachineKeySet=TRUE
SMIME=False
PrivateKeyArchive=FALSE
UserProtected=FALSE
UseExistingKeySet=FALSE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
KeyUsage=0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
; this is for Server Authentication


--
Spin


"Brian Komar [MVP]" <bko...@nospam.identit.ca> wrote in message
news:MPG.1e6bc996a...@msnews.microsoft.com...

Spin

Feb 26, 2006, 6:28:51 PM
"Paul Adare" <pad...@newsguy.com> wrote in message
news:MPG.1e6bd7a2c...@msnews.microsoft.com...

> No, go back and reread what I've already posted.
>
> --
> Paul Adare - MVP Virtual Machines

Thank you for your response. I wish the darn KB article would have
explained that! I am getting a little closer now. Paul, could you assist me
just a little bit more, please? My new error is the following:

Certificate Request Processor: The string contains an invalid X500 name
attribute key, oid, value or delimiter. 0x80092023 (-2146885597)
[RequestAttributes]

Here is my latest and greatest attempt at properly formatting a request.inf
file:

[Version]
Signature="$Windows NT

[NewRequest]
Subject = EBIZ-GATE.ebiz.local


; replace with the FQDN of the DC
KeySpec=1
KeyLength=1024

; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable=TRUE
MachineKeySet=TRUE
SMIME=False
PrivateKeyArchive=FALSE
UserProtected=FALSE
UseExistingKeySet=FALSE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
KeyUsage=0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
; this is for Server Authentication

--
Spin


Spin

Feb 26, 2006, 8:29:14 PM
I figured it out!

Changed

Subject = EBIZ-GATE.ebiz.local

to read:

Subject CN=EBIZ-GATE.ebiz.local

All was well after that.

--
Spin

"Spin" <Sp...@spin.com> wrote in message
news:46ertmF...@individual.net...

Brian Komar [MVP]

Feb 26, 2006, 8:49:15 PM
In article <46f2rlF...@individual.net>, Sp...@spin.com says...

> I figured it out!
>
> Changed
>
> Subject = EBIZ-GATE.ebiz.local
>
> to read:
>
> Subject CN=EBIZ-GATE.ebiz.local
>
> All was well after that.
>
>
That makes sense, as you are stating that the name is Common name = <dns
name>

Brian

maxsim...@gmail.com

May 31, 2016, 12:20:07 AM
Hi Guys,

Just in case someone else searches this thread: I had the same problem, but it was solved differently.

I was using a text editor (Notepad++) to generate the .inf file.

The encoding needs to be set to 'Encode in UTF-8 without BOM'; then the same inf file was running OK.

I have noticed, however, that PowerShell seems to like 'Encode in UTF-8' encoding (with BOM, I suppose).

So just keep in mind that if you are using a text editor, your encoding can cause problems.

Thanks
max
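
As an added example (not code from any poster in this thread), the failure modes raised above can be checked before running `certreq -new`: content sharing a line with a `[Section]` header, a setting swallowed by a `;` comment, a `Subject` that is not an X.500 name, and a UTF-8 BOM. The function name and both sample files are constructed for illustration, and the samples use the `$Windows NT$` signature string from Microsoft's certreq documentation.

```python
import re

SECTION = re.compile(r"^\[[^\]]+\]")
RDN = re.compile(r"^(CN|OU|O|DC|L|S|C|E)\s*=", re.I)
MERGED = re.compile(r"\b[A-Za-z]+=\S")  # Key=Value hiding inside a comment

def lint_request_inf(raw: bytes) -> list:
    """Return findings for the request.inf mistakes discussed in the thread."""
    findings = []
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append("bom: file starts with a UTF-8 byte order mark")
        raw = raw[3:]
    in_section = False
    for n, line in enumerate(raw.decode("utf-8", "replace").splitlines(), 1):
        s = line.strip()
        if not s:
            continue
        if s.startswith(";"):
            if MERGED.search(s):
                findings.append(f"line {n}: setting swallowed by a comment")
            continue
        m = SECTION.match(s)
        if m:
            in_section = True
            if s[m.end():].strip():
                findings.append(f"line {n}: content after {m.group(0)}")
            continue
        key, sep, value = s.partition("=")
        if not in_section or not sep:
            findings.append(f"line {n}: expected [Section] or Key=Value")
        elif key.strip().lower() == "subject":
            if not RDN.match(value.strip().strip('"')):
                findings.append(f"line {n}: Subject is not an X.500 name")
    return findings

# Constructed samples: the first mirrors the layout problems in the thread,
# the second is the corrected layout with the documented signature value.
BROKEN = (b"\xef\xbb\xbf[Version] Signature=\"$Windows NT$\"\r\n"
          b"[NewRequest]\r\n"
          b"Subject = EBIZ-GATE.ebiz.local\r\n"
          b"; replace with the FQDN of the DC KeySpec=1 KeyLength=1024\r\n")
FIXED = (b"[Version]\r\nSignature=\"$Windows NT$\"\r\n\r\n"
         b"[NewRequest]\r\n"
         b"Subject = \"CN=ebiz-gate.ebiz.local\"\r\n"
         b"; replace with the FQDN of the DC\r\n"
         b"KeySpec=1\r\nKeyLength=1024\r\n")

if __name__ == "__main__":
    for name, data in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_request_inf(data) or "clean")
```

The check is syntactic only: it does not decide whether the subject names the right host, and the BOM finding reflects the behaviour reported in the last post rather than a documented certreq rule.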