HowTo: Use certreq.exe with a smartcard enrollment agent
I know this is my second post and it's still related to smartcards, but I swear this isn't the only thing I work on. I also know that this may be an edge topic to many, and as you read this you say - what is certreq.exe and what is an enrollment agent?? If so, I encourage the use of Google (ok ok ... use MSN Search or at least try it before Google and give it a chance).
I was looking through some newsgroup posts and found this:
https://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2005-02/0108.html
The basic problem as described in the post is:
I am trying to issue a smart card certificate (Ver 2 template on Win2003) on behalf of another user using certreq and an .inf file. The command is being run on an RA, i.e. a machine that has an enrollment agent certificate installed. Firstly, should this work?
I am getting this error. Below is the inf file used.
Thanks!
C:\>certreq test.inf
certreq.exe: 5.2.3790.0 retail (srv03_rtm.030324-2048)
1401.1715.0: 0x8009310b (ASN: 267)
1401.2150.0: 0x8009310b (ASN: 267)
1401.2647.0: 0x8009310b (ASN: 267)
1401.6903.0: 0x8009310b (ASN: 267)
1401.7080.0: 0x8009310b (ASN: 267)
Certificate Request Processor: ASN1 bad tag value met.
0x8009310b (ASN:
Before we begin, a few notes:
1. Some have noted my grammar is horrid - yes i know , So Is My Speeling at Ttimes, and my typing skills are horrid (I use6 fingers tota) . I was kicked out of typing class back in high school and didnt care since I would *NEVER* use it......
2. I thought I would post some HOW TO items. I'll preface the titles with :HowTo
Anywho....
Here is how one would do this - or at least how I would do it ;oP
- By default, a Windows Server 2003 CA does not accept subject alternative names that are specified in a certificate request and will not insert them into the issued certificate. This applies to both stand-alone and enterprise CAs. So run this from a command line:
CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Then restart Certificate Services.
- Create an INF file that looks like this:
[Version]
Signature= "$Windows NT$"
[NewRequest]
KeySpec = 1
KeyUsage = 0x30
Providertype = 1
RequesterName = Crisco0\Administrator
RequestType = CMC
ProviderName = "Gemplus GemSAFE Card CSP"
Subject = "CN=sctest,ou=SAFER,DC=crisco,DC=com"
KeyContainer = "SCTEST"
KeyLength = 512
[RequestAttributes]
CertificateTemplate = SpatsSmartCard
Where:
CertificateTemplate == name of the custom V2 template
ProviderName == the CSP needed for the card
RequesterName == name of the enrollment agent who is logged in and holds the enrollment agent certificate
See https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx for more info on the syntax.
- Modify the V2 template on the Subject Name tab so that the Subject can be supplied in the request.
- Publish the template to your Enterprise CA
- From your enrollment station do the following:
C:\certutil>certreq -new inf.txt inf.req
(PROMPTED FOR PIN - ENTER PIN)
C:\certutil>certreq -sign inf.req inf_signed.req
(PROMPTED FOR PROPER ENROLLMENT AGENT CERT IN MY STORE)
C:\certutil>certreq -attrib "SAN:upn=sctest@crisco.com" -submit inf_signed.req inf_cert.cer
RequestId: 57
Certificate retrieved(Issued) Issued
C:\certutil>certreq -accept inf_cert.cer
(PROMPTED FOR PIN - ENTER PIN)
Now log on with the smart card; you should be logged on as the user specified in the UPN you provided.
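The whole sequence above as one script, added here as an example and not code from the original post. It assumes a PowerShell prompt on the enrollment station with the CA reachable; the template name, subject, UPN, agent account, CSP and the optional "host\CA name" config string are assumed parameters you supply. Before submitting, it reads the CA's EditFlags with certutil: if EDITF_ATTRIBUTESUBJECTALTNAME2 is missing the SAN attribute would be silently ignored, and if it is present the script reminds you that the flag makes the CA honor a SAN request attribute on every template it issues, not only this one.

```powershell
param(
    [Parameter(Mandatory)] [string]$Template,   # e.g. SpatsSmartCard (value from the post)
    [Parameter(Mandatory)] [string]$Subject,    # e.g. "CN=sctest,ou=SAFER,DC=crisco,DC=com"
    [Parameter(Mandatory)] [string]$Upn,        # e.g. sctest@crisco.com
    [Parameter(Mandatory)] [string]$Agent,      # e.g. Crisco0\Administrator
    [string]$Csp = "Gemplus GemSAFE Card CSP",  # CSP named in the post; assumption: still the right one
    [string]$CAConfig = ""                      # assumption: "host\CA name"; empty lets certreq pick the CA
)
$ErrorActionPreference = 'Stop'

# Step 1: check the CA-wide EditFlags the post sets with certutil -setreg.
# certutil prints the flag's name when the bit is set.
$regArgs = @()
if ($CAConfig) { $regArgs += '-config', $CAConfig }
$flags = & certutil @regArgs -getreg policy\EditFlags 2>&1 | Out-String
if ($flags -notmatch 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    throw "EDITF_ATTRIBUTESUBJECTALTNAME2 is not set; the CA would ignore the SAN attribute."
}
Write-Warning "EDITF_ATTRIBUTESUBJECTALTNAME2 is set: the CA accepts a SAN attribute for every template, not only $Template."

# Step 2: write the INF from the post (backtick escapes the $ in the signature line).
$inf = @"
[Version]
Signature= "`$Windows NT`$"
[NewRequest]
KeySpec = 1
KeyUsage = 0x30
ProviderType = 1
RequesterName = $Agent
RequestType = CMC
ProviderName = "$Csp"
Subject = "$Subject"
KeyContainer = "SCTEST"
KeyLength = 512
[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path .\inf.txt -Value $inf -Encoding ASCII

# Step 3: the four certreq stages; stop at the first failure and show the HRESULT (e.g. 8009310B).
function Invoke-CertReq([string[]]$CmdArgs) {
    & certreq @CmdArgs
    if ($LASTEXITCODE -ne 0) { throw "certreq $($CmdArgs -join ' ') failed: 0x$('{0:X8}' -f $LASTEXITCODE)" }
}
Invoke-CertReq @('-new', 'inf.txt', 'inf.req')            # prompts for the card PIN
Invoke-CertReq @('-sign', 'inf.req', 'inf_signed.req')    # prompts for the enrollment agent cert
$submit = @('-attrib', "SAN:upn=$Upn")
if ($CAConfig) { $submit += '-config', $CAConfig }
Invoke-CertReq ($submit + @('-submit', 'inf_signed.req', 'inf_cert.cer'))
Invoke-CertReq @('-accept', 'inf_cert.cer')               # prompts for the PIN; writes the cert to the card
```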
Have fun!
Spat
Comments
Anonymous
May 09, 2005
I was lurking at the Activedir.org mailing list and saw a question that brought my attention. The guy wanted to be able to use LDAPS when querying the DC by its alias and was being rejected as the DC's cert did not include the alias either in the certificate'
Anonymous
March 16, 2007
This same error "0x8009310b (ASN: 267)" happens if someone submits an encrypted private key, instead of the CSR, when requesting an SSL certificate.
Anonymous
December 01, 2008
Cool - sorry for the lack of documentation. Check this paper out: http://technet.microsoft.com/en-us/library/cc736326.aspx
spat
Anonymous
July 06, 2010
This was very helpful!