2K3 Cert Svcs gives invalid policy error on OpenSSL gen'd cert req

Posted by matt.kerr on June 4, 2007, 1:56 pm
Hello Microsoft security gurus,

I'm currently trying to test a PKI architecture system where I have an
OpenSSL-based UNIX SSL client and server and a Windows Server 2003
Standard Edition with Certificate Services for the CA. If I generate
a PKCS #10 PEM and use the COM Interop in C# to submit and retrieve
the requested certificate programmatically, I can only get the error:

"The certificate has invalid policy. 0x800b0113"
"Error Constructing or Publishing Certificate Resubmitted by <DOMAIN/
USER>"

Where <DOMAIN/USER> is a local Administrator for the CA box logged in
locally and using the C# program to submit the request file off a USB
drive to the Certificate Services, then retrieve the issued
certificate into a file on the USB drive.

If I generate PKCS#10 request files using the COM Interop with XEnroll
then I can get the certificates to issue properly, but never with the
OpenSSL generated ones.

The OpenSSL generated ones look like, using the command:

openssl req -noout -text -inform pem -in <file>.p10

Data:
Version: 0 (0x0)
Subject: CN=<Fully qualified hostname>
Subject Public Key Info: Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
<snip>
Exponent: 17
Attributes:
Requested Extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment

Signature Algorithm: sha1WithRSAEncryption
<snip>

The snipped bits are the hex outputs of the binary portions.

I've tried several different things such as changing the Subject to
use just the hostname, adding/removing "critical" from the extended
and regular key usage flags, adding/removing a CA=FALSE flag, removing
all regular key usage flags and keeping just the extended flags, etc.
Nothing seemed to make any difference, although once I had a different
error relating to an ASN1 tag value being invalid.


Posted by Martin Rublik on June 5, 2007, 5:18 am
Hi,

what kind of CA are you using? Is it standalone CA or enterprise CA?
Could you please post a test PKCS#10 base 64 encoded request that is
failing?

Regards

Martin


Posted by matt.kerr on June 5, 2007, 1:21 pm
> Hi,
>
> what kind of CA are you using? Is it standalone CA or enterprise CA?
> Could you please post a test PKCS#10 base 64 encoded request that is
> failing?
>
> Regards
>
> Martin

I'm using a stand-alone CA. Here is an example request made in
OpenSSL. I'm thinking it may have to do with ASN.1 formatting and the
use of the OpenSSL API. Our situation demands we can't use the
command line utility in OpenSSL to make the requests, so I'm looking
at the following page: http://msdn2.microsoft.com/en-US/library/aa379076.aspx

and using Peter Gutmann's dumpasn1 utility to view the binary
requests:
http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg

-----BEGIN CERTIFICATE REQUEST-----
MIIB+DCCAWECAQAwIzEhMB8GA1UEAxMYVy1TTllERVJSMi5oZS5hZC5pZ3QuY29t
MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCrjSkTSyIJ5Hj+Q+PhWdjbU8T9
SVmhjm0CMP7DM+29u4GqKabXeeDDG2l1mkwYpLcdaUMHvjGtG6V70jqdro7BTfVu
OS+5joX0l634NlcZtLnZj+YrllBwKtoCA9SDIPsxgha5SfEy0Zg/6+6e3MOqcCA2
F+xByquB5YE+oamzwwIBEaCBljCBkwYJKoZIhvcNAQkOMYGFMIGCMEMGA1UdJQQ8
VExTIFdlYiBTZXJ2ZXIgQXV0aGVudGljYXRpb24sIFRMUyBXZWIgQ2xpZW50IEF1
dGhlbnRpY2F0aW9uMDsGA1UdDwQ0RGlnaXRhbCBTaWduYXR1cmUsIE5vbiBSZXB1
ZGlhdGlvbiwgS2V5IEVuY2lwaGVybWVudDANBgkqhkiG9w0BAQUFAAOBgQBrU7iV
Qt2htqH2z1Zk59oXFEAHB6P0Vg8I2VP2NXTPfh1nV8v87o08W1VqrjQb/eVEutNA
ILCcCJm56D3MBUI7e0IMkRoO2EDPqIr9mhcxkxqv5sjfmtTS2FRLHS2IHZtMYxUb
zzReVz2s5ctNuQ9lIFSB/nv/zpWFYRvRXCFrDA==
-----END CERTIFICATE REQUEST-----


Posted by Martin Rublik on June 6, 2007, 4:01 am
Hi, I suppose this is your problem:

According to certutil -dump request.txt, this is what shows up:

<snip>
Certificate Extensions: 2
2.5.29.37: Flags = 0, Length = 3c
Enhanced Key Usage
Unknown Extension type

0000 54 4c 53 20 57 65 62 20 53 65 72 76 65 72 20 41 TLS Web Server A
0010 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 2c 20 54 uthentication, T
0020 4c 53 20 57 65 62 20 43 6c 69 65 6e 74 20 41 75 LS Web Client Au
0030 74 68 65 6e 74 69 63 61 74 69 6f 6e thentication

2.5.29.15: Flags = 0, Length = 34
Key Usage
Unknown Extension type

0000 44 69 67 69 74 61 6c 20 53 69 67 6e 61 74 75 72 Digital Signatur
0010 65 2c 20 4e 6f 6e 20 52 65 70 75 64 69 61 74 69 e, Non Repudiati
0020 6f 6e 2c 20 4b 65 79 20 45 6e 63 69 70 68 65 72 on, Key Encipher
0030 6d 65 6e 74 ment
<snip>

The trouble is "Unknown Extension Type".

The Enhanced Key Usage should be a sequence of OIDs rather than a string.

Key Usage is specified as a bit string. Each bit represents a different key usage.

keyUsage EXTENSION ::= {
        SYNTAX KeyUsage
        IDENTIFIED BY id-ce-keyUsage }
KeyUsage ::= BIT STRING {
        digitalSignature (0),
        nonRepudiation (1),
        keyEncipherment (2),
        dataEncipherment (3),
        keyAgreement (4),
        keyCertSign (5),
        cRLSign (6),
        encipherOnly (7),
        decipherOnly (8) }

For example, if you want to have key usage digital signature, non repudiation,
key encipherment you need to set the digitalSignature bit (0) to 1, the nonRepudiation
bit (1) to 1 and the keyEncipherment bit (2) to 1.

I'm not very familiar with openssl but I suppose you're mixing "req_extensions"
with "attributes". Here is what worked for me.

To generate an OpenSSL request I used:

openssl req -new -config file.cfg -out request.txt

And file.cfg is here:

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
output_password = 1234

[ req_distinguished_name ]
C = GB
ST = Test State or Province
L = Test Locality
O = Organization Name
OU = Organizational Unit Name
CN = Common Name
emailAddress = test@email.address

[ req_ext ]
keyUsage=digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage=serverAuth, clientAuth

Another alternative for generating a request from the command line is the certreq
utility. You can find more info about requesting with certreq here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

HTH

Regards

Martin


matt.kerr@gmail.com wrote:
>> Hi,
>>
>> what kind of CA are you using? Is it standalone CA or enterprise CA?
>> Could you please post a test PKCS#10 base 64 encoded request that is
>> failing?
>>
>> Regards
>>
>> Martin
>
> I'm using a stand-alone CA. Here is an example request made in
> OpenSSL. I'm thinking it may have to do with ASN.1 formatting and the
> use of the OpenSSL API. Our situation demands we can't use the
> command line utility in OpenSSL to make the requests, so I'm looking
> at the following page: http://msdn2.microsoft.com/en-US/library/aa379076.aspx
>
> and using Peter Guttman's dumpasn1 utility to view the binary
> requests:
> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg
>
> -----BEGIN CERTIFICATE REQUEST-----
> MIIB+DCCAWECAQAwIzEhMB8GA1UEAxMYVy1TTllERVJSMi5oZS5hZC5pZ3QuY29t
> MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCrjSkTSyIJ5Hj+Q+PhWdjbU8T9
> SVmhjm0CMP7DM+29u4GqKabXeeDDG2l1mkwYpLcdaUMHvjGtG6V70jqdro7BTfVu
> OS+5joX0l634NlcZtLnZj+YrllBwKtoCA9SDIPsxgha5SfEy0Zg/6+6e3MOqcCA2
> F+xByquB5YE+oamzwwIBEaCBljCBkwYJKoZIhvcNAQkOMYGFMIGCMEMGA1UdJQQ8
> VExTIFdlYiBTZXJ2ZXIgQXV0aGVudGljYXRpb24sIFRMUyBXZWIgQ2xpZW50IEF1
> dGhlbnRpY2F0aW9uMDsGA1UdDwQ0RGlnaXRhbCBTaWduYXR1cmUsIE5vbiBSZXB1
> ZGlhdGlvbiwgS2V5IEVuY2lwaGVybWVudDANBgkqhkiG9w0BAQUFAAOBgQBrU7iV
> Qt2htqH2z1Zk59oXFEAHB6P0Vg8I2VP2NXTPfh1nV8v87o08W1VqrjQb/eVEutNA
> ILCcCJm56D3MBUI7e0IMkRoO2EDPqIr9mhcxkxqv5sjfmtTS2FRLHS2IHZtMYxUb
> zzReVz2s5ctNuQ9lIFSB/nv/zpWFYRvRXCFrDA==
> -----END CERTIFICATE REQUEST-----
>

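Martin's diagnosis (the extnValue of each requested extension holds the human-readable name as raw text instead of the DER structure the CA expects) can be checked mechanically, and the same check shows what a correct encoding looks like. The Python below is an added example for this thread, not code from the thread, from OpenSSL or from Microsoft: it decodes the CSR Matt posted with a minimal DER reader, reports for each extension in the extensionRequest attribute whether the payload starts with the tag RFC 5280 requires (SEQUENCE OF OID for 2.5.29.37, BIT STRING for 2.5.29.15), and builds the correctly encoded keyUsage and extendedKeyUsage values that the `req_ext` section in Martin's config produces. The function names, the EXPECTED_INNER_TAG table and the bit/OID lookup tables are my own; the CSR text is the one from the page.

```python
import base64

# CSR posted in the thread above (copied from the page, not constructed).
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIB+DCCAWECAQAwIzEhMB8GA1UEAxMYVy1TTllERVJSMi5oZS5hZC5pZ3QuY29t
MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCrjSkTSyIJ5Hj+Q+PhWdjbU8T9
SVmhjm0CMP7DM+29u4GqKabXeeDDG2l1mkwYpLcdaUMHvjGtG6V70jqdro7BTfVu
OS+5joX0l634NlcZtLnZj+YrllBwKtoCA9SDIPsxgha5SfEy0Zg/6+6e3MOqcCA2
F+xByquB5YE+oamzwwIBEaCBljCBkwYJKoZIhvcNAQkOMYGFMIGCMEMGA1UdJQQ8
VExTIFdlYiBTZXJ2ZXIgQXV0aGVudGljYXRpb24sIFRMUyBXZWIgQ2xpZW50IEF1
dGhlbnRpY2F0aW9uMDsGA1UdDwQ0RGlnaXRhbCBTaWduYXR1cmUsIE5vbiBSZXB1
ZGlhdGlvbiwgS2V5IEVuY2lwaGVybWVudDANBgkqhkiG9w0BAQUFAAOBgQBrU7iV
Qt2htqH2z1Zk59oXFEAHB6P0Vg8I2VP2NXTPfh1nV8v87o08W1VqrjQb/eVEutNA
ILCcCJm56D3MBUI7e0IMkRoO2EDPqIr9mhcxkxqv5sjfmtTS2FRLHS2IHZtMYxUb
zzReVz2s5ctNuQ9lIFSB/nv/zpWFYRvRXCFrDA==
-----END CERTIFICATE REQUEST-----"""

OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"        # PKCS#9 extensionRequest
# DER tag the extnValue payload must start with, per RFC 5280 (my own table).
EXPECTED_INNER_TAG = {"2.5.29.37": (0x30, "SEQUENCE OF KeyPurposeId"),  # extendedKeyUsage
                      "2.5.29.15": (0x03, "BIT STRING KeyUsage")}       # keyUsage
KEY_USAGE_BITS = {"digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
                  "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
                  "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8}
EKU_OIDS = {"serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2"}

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """List the (tag, value) pairs packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def der(tag, payload):
    """Wrap payload in a TLV with a definite, minimal DER length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                                 # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def requested_extensions(pem):
    """Return [(oid, extnValue payload)] from the CSR's extensionRequest attribute."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, outer, _ = read_tlv(base64.b64decode(b64), 0)
    cri = children(outer)[0][1]                          # certificationRequestInfo
    attrs = [v for t, v in children(cri) if t == 0xA0][0]   # attributes [0] IMPLICIT SET
    found = []
    for _, attr in children(attrs):                      # Attribute ::= SEQUENCE {type, values SET}
        attr_type, attr_values = children(attr)[:2]
        if decode_oid(attr_type[1]) != OID_EXTENSION_REQUEST:
            continue
        for _, extensions in children(attr_values[1]):   # SET OF Extensions
            for _, ext in children(extensions):          # Extension ::= SEQUENCE {oid, [critical], OCTET STRING}
                parts = children(ext)
                found.append((decode_oid(parts[0][1]), parts[-1][1]))
    return found

def check_extension(oid, payload):
    """'ok', 'unchecked' or a 'bad: ...' verdict for one extnValue payload."""
    expected = EXPECTED_INNER_TAG.get(oid)
    if expected is None:
        return "unchecked"
    got = payload[0] if payload else None
    if got == expected[0]:
        return "ok"
    return "bad: expected %s (tag 0x%02x), got tag %s, payload starts %r" % (
        expected[1], expected[0], hex(got) if got is not None else "none", payload[:12])

def lint_csr(pem):
    """Verdict per requested extension OID; this is what certutil's 'Unknown Extension type' hints at."""
    return {oid: check_extension(oid, payload) for oid, payload in requested_extensions(pem)}

def encode_key_usage(names):
    """KeyUsage BIT STRING: bit 0 (digitalSignature) is the MSB of the first content octet."""
    positions = [KEY_USAGE_BITS[n] for n in names]
    nbytes = max(positions) // 8 + 1
    bits = 0
    for p in positions:
        bits |= 1 << (nbytes * 8 - 1 - p)
    unused = nbytes * 8 - 1 - max(positions)             # trailing unused bits, per DER
    return der(0x03, bytes([unused]) + bits.to_bytes(nbytes, "big"))

def encode_extended_key_usage(names):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (one OID each)."""
    return der(0x30, b"".join(encode_oid(EKU_OIDS[n]) for n in names))

if __name__ == "__main__":
    for oid, verdict in lint_csr(CSR_PEM).items():
        print(oid, verdict)
    print("correct keyUsage:", encode_key_usage(["digitalSignature", "nonRepudiation", "keyEncipherment"]).hex())
    print("correct extendedKeyUsage:", encode_extended_key_usage(["serverAuth", "clientAuth"]).hex())
```

Run against the posted CSR, both extensions come back "bad": the 2.5.29.37 payload starts with 0x54 ("T" of "TLS Web Server...") where a 0x30 SEQUENCE is required, and the 2.5.29.15 payload starts with 0x44 ("D" of "Digital Signature...") where a 0x03 BIT STRING is required, which is exactly why certutil cannot type them. The correct values are `03 02 05 e0` for keyUsage (bits 0, 1, 2 set, 5 unused bits) and a SEQUENCE of the two OIDs `1.3.6.1.5.5.7.3.1` and `1.3.6.1.5.5.7.3.2` for extendedKeyUsage; feeding those back through `check_extension` returns "ok".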
Posted by matt.kerr on June 15, 2007, 7:06 pm
> Hi I suppose that this is your problem:
>
> according to certutil -dump request.txt this is what shows up
>
> <snip>

> The trouble is "Unknown Extension Type".
>
> The Enhanced Key Usage should be a sequence of OID rather than a string.
>
> Key Usage is specified as a bit string. Each bit represents different key usage.

Yes, you are absolutely correct. I realized that we were building the
certificate request in OpenSSL incorrectly, and it was causing the
output to be incorrect. By referencing the Apple Darwin OpenSSL
documentation and the O'Reilly book "Network Security with
OpenSSL" (chapter 3 and 10) we got all the flag names we needed and
built the extensions properly on the request.

