
CertReq -Submit : Cannot add Subject Alternative Name


Shaun Ryan

Sep 27, 2004, 5:54:26 AM
Hi all,

I am using VBScript with the CertReq command to generate a large amount of
certificates for 802.1X using "non-domain" clients (also includes Linux).
Note: Linux requires User Certs and a third party app called MeetingHouse.

Essentially, before I get into the details, when I submit a request to the
CA, I cannot seem to embed a Subject Alternative Name from the
[RequestAttributes] section of the INF file. For machine certs, this needs
to be the dnsHostName and for User certs this needs to be the UPN.

OK, this is how my script works. There are three steps:
1. It generates an INF file - here is an example for either a User or
Machine cert

[Version]
Signature = "$Windows NT$"

[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
Silent = True
Subject = "CN=User1 or Machine1,OU=PKITest,DC=pki,DC=test"
UseExistingKeySet = FALSE
UserProtected = FALSE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = PKITest
SAN="upn=us...@pki.test"
OR for machine-based auth
SAN="dns=machine1.pki.test"

2. Submits the INF file to CertReq -New to create a REQ file - this works
3. Submits the REQ file to CertReq -Submit to generate the Cert - this works
HOWEVER, the Subject Alternative Name is missing from the CERT.

Note: I do not embed any of the above settings in the certreq commands
directly as this is the purpose of the INF file.

The certificate template I have configured is set to allow the information
to be supplied; i.e., it does not build it from AD. I need to do this to
enable the creation of a certificate outside of the context of the user
executing the script. Otherwise, it will generate the cert as the
administrator on the CA.

If anyone can please help, I would GREATLY appreciate it! :)
Thanks in advance, Shaun.


David Cross [MS]

Sep 27, 2004, 8:23:38 AM
This whitepaper should help you, let us know if you have further questions:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

Your syntax at first glance is OK, but you must be missing a step, etc. on the
CA. What is the error you are receiving on the CA?

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"Shaun Ryan" <msfo...@email.shaunryan.com> wrote in message
news:%23a97wjH...@TK2MSFTNGP09.phx.gbl...

Shaun Ryan

Sep 27, 2004, 8:58:33 AM
Hi David,

I have been using that whitepaper extensively and I cannot for the life of
me see any syntax issues.

I actually do not receive an error. The certificate is issued perfectly fine;
however, the certificate is missing the Subject Alternative Name field (it
should be there and populated by the SAN field in the INF file). It seems
that the SAN line in the [RequestAttributes] section is completely omitted.

This behaviour is the same on different infrastructures (e.g., my VPC set
up, actual lab setup etc.) We are also using W2K3 EE and it is a v2 cert.

Thanks
Shaun.

"David Cross [MS]" <dcr...@online.microsoft.com> wrote in message
news:e3N3NzIp...@TK2MSFTNGP15.phx.gbl...

Vishal Agarwal[MSFT]

Sep 27, 2004, 12:42:57 PM
Are you sure you executed the command "CERTUTIL -setreg policy\EditFlags
+EDITF_ATTRIBUTESUBJECTALTNAME2" on the CA machine and restarted the
service?

Also, can you please dump out the request you created (certutil <request
file>)?

Thanks,
Vishal Agarwal [MSFT]


--
This posting is provided "AS IS" with no warranties, and confers no rights

"Shaun Ryan" <msfo...@email.shaunryan.com> wrote in message
news:eZfN%23GJpE...@TK2MSFTNGP14.phx.gbl...

Shaun Ryan

Sep 28, 2004, 5:51:34 AM
Hi Vishal,

That reg key did not work. Let me provide a little more information as well.
I have just rebuilt another Virtual PC. Here are the stats:

- W2K3 EE with Ent Root CA
- Domain is called pki.test (PKITEST) - W2K3 Domain and Forest functional
level
- Logged on as Administrator
- Duplicated the Wkstn Auth template (i.e., client authentication) and
modified the template so that the Subject Name is set to "Supply in the
request" as opposed to build from Active Directory. I also added a group to
Security with Read/Enroll rights.
- Created a machine account called Mandrake1 and added that to the security
group with enroll privileges above
- Gave the Mandrake1 machine account a dNSHostName of mandrake1.pki.test
through ADSIEdit as this machine will never be part of the domain and won't
update the dNSHostName attribute itself.
- Entered the regkey you specified below and restarted Certificate Services.
- Generated the following INF file:

[Version]
Signature = "$Windows NT$"

[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
Silent = True

Subject = "CN=Mandrake1,OU=Machine,OU=CADebug,DC=pki,DC=test"
UseExistingKeySet = FALSE
UserProtected = FALSE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2

[RequestAttributes]
SAN="dns=mandrake1.pki.test"
CertificateTemplate = MCLAMachineFOS

- Executed the CertReq -new command and specified this INF file. Here is the
resultant Request file:


- Then executed CertReq -submit with NO flags and it issues a certificate
correctly to Mandrake1 (requested by Administrator). However, it DOES NOT
include the SAN as a field.

NOTE: if I perform the above process with a user account and a user
certificate and make the SAN a UPN, it still does NOT add it.

Is there anything else I might be missing? This is a flat out vanilla
environment. Do I need to change the format of the request? Can it be
PKCS10? etc... I am grasping at straws here as I need to get this working
ASAP! :)

Cheers
Shaun.

"Vishal Agarwal[MSFT]" <vis...@online.microsoft.com> wrote in message
news:eHUxMELp...@tk2msftngp13.phx.gbl...

Paul Adare - MVP - Microsoft Virtual PC

Sep 28, 2004, 6:26:34 AM
In article <OvT3eDUp...@TK2MSFTNGP10.phx.gbl>, in the
microsoft.public.security.crypto news group, Shaun Ryan
<msfo...@email.shaunryan.com> says...

> Is there anything else I might be missing? This is a flat out vanilla
> environment. Do i need to change the format of the request? Can it be
> PKCS10? etc... I am grasping at straws here as I need to get this working
> ASAP! :)
>

Can you try one, or both, of the following:

1. In your .inf file, change the RequestType = PKCS10 to RequestType =
CMC.
2. If you must use PKCS10, don't put the SAN entry in the .inf file,
specify it on the command line when submitting your request:
certreq -submit -attrib "SAN:dns=whatever"...

Hopefully, this will resolve the issue for you.

--
Paul Adare
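An added check, not code from the thread, Microsoft or certreq itself, as one way to catch the pitfall Paul describes before a request is submitted: it parses a certreq INF, flags a SAN that sits in [RequestAttributes] of a PKCS10 request, and prints the two fixes given in this thread. The INF text is constructed from the poster's example and the `<request.req>` placeholder is assumed.

```python
import configparser
import re

# Constructed INF (trimmed from the poster's machine-cert request): the SAN
# lives in [RequestAttributes] while the request type is PKCS10.
SAMPLE_INF = """
[Version]
Signature = "$Windows NT$"

[NewRequest]
RequestType = PKCS10
Subject = "CN=Mandrake1,OU=Machine,OU=CADebug,DC=pki,DC=test"

[RequestAttributes]
SAN="dns=mandrake1.pki.test"
CertificateTemplate = MCLAMachineFOS
"""

def parse_inf(text):
    """Parse a certreq INF into {section: {key: value}}; names lower-cased, quotes stripped."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))  # no %-interpolation
    cp.optionxform = str.lower
    cp.read_string(text)
    return {s.lower(): {k: v.strip().strip('"') for k, v in cp.items(s)}
            for s in cp.sections()}

def check_san(inf):
    """Return (ok, findings, fixes) for how the CA will treat the SAN in this INF."""
    req_type = inf.get("newrequest", {}).get("requesttype", "PKCS10").upper()  # certreq default
    san = inf.get("requestattributes", {}).get("san")
    findings, fixes = [], []
    if san is not None and req_type == "PKCS10":
        # The thread's symptom: the cert is issued, but the SAN is silently dropped.
        findings.append("SAN in [RequestAttributes] is dropped from a PKCS10 request")
        fixes.append("set RequestType = CMC in [NewRequest]")
        # The -attrib route passes the SAN as a request attribute, which the CA only
        # honours with EDITF_ATTRIBUTESUBJECTALTNAME2 set; that flag is CA-wide.
        fixes.append(f'certreq -submit -attrib "SAN:{san}" <request.req>')
    return not findings, findings, fixes

def to_cmc(text):
    """Rewrite the INF so the request is CMC, the fix that worked for the poster."""
    return re.sub(r"(?im)^([ \t]*RequestType[ \t]*=[ \t]*)PKCS10[ \t]*$", r"\g<1>CMC", text)

if __name__ == "__main__":
    ok, findings, fixes = check_san(parse_inf(SAMPLE_INF))
    print("OK" if ok else "\n".join(findings + fixes))
    ok_fixed, _, _ = check_san(parse_inf(to_cmc(SAMPLE_INF)))
    print("after CMC rewrite:", "OK" if ok_fixed else "still broken")
```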

Shaun Ryan

Sep 28, 2004, 6:49:34 AM
Paul - you absolute LEGEND!!!!

CMC fixed it! :)

"Paul Adare - MVP - Microsoft Virtual PC" <pad...@newsguy.com> wrote in
message news:MPG.1bc306643...@msnews.microsoft.com...

Shaun Ryan

Sep 28, 2004, 7:08:26 AM
Also many thanks to David Cross and Vishal.

As I was also missing that reg key which is required!

"Shaun Ryan" <msfo...@email.shaunryan.com> wrote in message
news:eKHRdkUp...@TK2MSFTNGP10.phx.gbl...
