
Win2003 PKI : certreq.exe using 'special' subject fields

Posted by Kris on October 2, 2007, 10:22 am

I have installed two Win2003 Standard edition servers. I use one as a
standalone root CA. The second is a standalone (no enterprise)
subordinate CA.

I can successfully generate a certificate request with certreq.exe that
looks like this:
Subject:
E=email@domain.com
CN=Name
OU=Unit5
T=title
SN=123456
O=org
C=BE

The certificate is sent to the subordinate CA for signing. The
certificate is signed without errors. But when I view the certificate
the 'T' and 'SN' fields are not in the resulting certificate. And my
subject looks like this:
Subject:
E=email@domain.com
CN=Name
OU=Unit5
O=org
C=BE

Is there any way to change this behaviour? Does MS PKI only allow
certain fields, while 'T' and 'SN' are known fields in the certificate
world?
If I use 'S=123456' for instance I don't have any problems.

All feedback is very much appreciated.
Kris


--
Kris
------------------------------------------------------------------------
Kris's Profile: http://forums.techarena.in/member.php?userid=30895
View this thread: http://forums.techarena.in/showthread.php?t=827315

http://forums.techarena.in


Posted by Kris on October 3, 2007, 3:52 am

So far, I have found out that the fields that 'work' are:

CN, OU, E, O, L, S, C

But no other...




Posted by Martin Rublik on October 3, 2007, 12:15 pm
Hi,

maybe this link is going to be useful
http://technet2.microsoft.com/windowsserver/en/library/7fe116af-971b-44d3-809e-00606c080a191033.mspx?mfr=true
check out the following

-SNIP-
SubjectTemplate
Registry Path: \CertSvc\Configuration\CAName\SubjectTemplate
Version: Windows Server 2003 and Windows 2000 Server

This setting contains an ordered list of the subject relative distinguished name
elements that are allowed in the Subject field of certificates issued by the CA.

This setting can only be set to a small, fixed list of relative distinguished
name elements supported by the CA. If during request processing a listed
relative distinguished name field is empty, or if the field is not populated by
the request Subject field or by the policy module, the element will not be
included. If the registry value is completely empty, the binary subject encoding
from the request is passed through to the issued certificate unmodified.
-SNIP-

Default setting is

EMail
CommonName
OrganizationalUnit
Organization
Locality
State
DomainComponent
Country

Which are those fields that 'work' in your case.

HTH

Martin


Kris wrote:
> So far, I have found out that the fields that 'work' are:
>
> CN, OU, E ,O, L, S, C
>
> But no other...
>
>
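
The rule quoted from the registry documentation can be checked against Kris's request. The following is an added example, not code from the thread or from Microsoft: a small Python model of the SubjectTemplate filter as documented (keep only listed RDN types, emit them in template order, drop the rest, pass the subject through untouched when the value is empty). The eight default element names are the ones Martin lists; the remaining element names in the table (Title, SurName, GivenName, Initials, StreetAddress, DeviceSerialNumber) and the mapping of certreq's short keys onto them are assumptions taken from Windows' CertStrToName key table and should be confirmed with `certutil -getreg ca\SubjectTemplate` on the CA in question.

```python
"""Model of how a Windows CA's SubjectTemplate rewrites a request's Subject.

Added example, not Microsoft's certsrv code.  Implements the documented rule:
keep only RDN types listed in SubjectTemplate, in template order; drop the
rest; an empty registry value passes the request subject through unchanged.
"""
import re
from typing import Dict, List, Sequence, Tuple

# certreq.exe (CertStrToName) short keys -> SubjectTemplate element names.
# The eight default elements are from the thread; the other names are assumed
# from the documented CertStrToName key table (verify on a real CA).
KEY_TO_ELEMENT: Dict[str, str] = {
    "E": "EMail", "EMAIL": "EMail",
    "CN": "CommonName",
    "OU": "OrganizationalUnit",
    "O": "Organization",
    "L": "Locality",
    "S": "State", "ST": "State",
    "DC": "DomainComponent",
    "C": "Country",
    "T": "Title",
    "SN": "SurName",  # in the Windows key table SN is surname, not serial number
    "G": "GivenName",
    "I": "Initials",
    "STREET": "StreetAddress",
    "SERIALNUMBER": "DeviceSerialNumber",
}
# Reverse map for printing; the first key listed for an element is preferred.
ELEMENT_TO_KEY: Dict[str, str] = {}
for _key, _element in KEY_TO_ELEMENT.items():
    ELEMENT_TO_KEY.setdefault(_element, _key)

# Default SubjectTemplate of a Windows Server 2003 CA, as quoted in the thread.
DEFAULT_SUBJECT_TEMPLATE: List[str] = [
    "EMail", "CommonName", "OrganizationalUnit", "Organization",
    "Locality", "State", "DomainComponent", "Country",
]

# Kris's request subject from the first post, one RDN per line.
REQUEST_SUBJECT = """\
E=email@domain.com
CN=Name
OU=Unit5
T=title
SN=123456
O=org
C=BE
"""

RDN = Tuple[str, str]  # (SubjectTemplate element name, value)


def parse_subject(subject: str) -> List[RDN]:
    """Split KEY=value RDNs (newline- or comma-separated) into (element, value) pairs.

    Quoted values containing commas are not handled; enough for the thread's request.
    """
    rdns: List[RDN] = []
    for part in re.split(r"[,\n]", subject):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a KEY=value RDN: {part!r}")
        key = key.strip().upper()
        if key not in KEY_TO_ELEMENT:
            raise ValueError(f"unknown subject key: {key}")
        rdns.append((KEY_TO_ELEMENT[key], value.strip()))
    return rdns


def apply_subject_template(rdns: Sequence[RDN], template: Sequence[str]) -> List[RDN]:
    """Apply the documented SubjectTemplate rule to a parsed request subject."""
    if not template:
        return list(rdns)  # empty registry value: request subject passes through unmodified
    issued: List[RDN] = []
    for element in template:  # template order, not request order
        # keep every RDN of this type (OU may repeat); skip empty values
        issued.extend((e, v) for e, v in rdns if e == element and v)
    return issued


def format_subject(rdns: Sequence[RDN]) -> str:
    return ", ".join(f"{ELEMENT_TO_KEY[e]}={v}" for e, v in rdns)


def issued_subject(request: str, template: Sequence[str]) -> str:
    """Subject string the CA would put in the certificate for this request."""
    return format_subject(apply_subject_template(parse_subject(request), template))


if __name__ == "__main__":
    print("default template :", issued_subject(REQUEST_SUBJECT, DEFAULT_SUBJECT_TEMPLATE))
    print("template + Title :", issued_subject(REQUEST_SUBJECT, DEFAULT_SUBJECT_TEMPLATE + ["Title"]))
    print("empty template   :", issued_subject(REQUEST_SUBJECT, []))
```

With the default template the model reproduces the issued subject from the first post: T and SN vanish and the order is unchanged only because the request order happened to match the template. Appending Title to the template brings T back, in the template's position, which is why the position of a new element in the registry value matters. On a real CA the value is edited with `certutil -setreg ca\SubjectTemplate +Title` (assumed from certutil's usual +/- convention for multi-string values; check `certutil -setreg -?`) followed by a restart of the CertSvc service. Note that certreq's `SN` key is the surname attribute in Windows' key table, so a device serial number belongs under `SERIALNUMBER` and the DeviceSerialNumber element.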

Posted by Brian Komar on October 3, 2007, 8:00 pm
Don't forget DC <G>
I am not aware of any formal listing that is public information.

Brian

>
> So far, I have found out that the fields that 'work' are:
>
> CN, OU, E ,O, L, S, C
>
> But no other...
>
>


Posted by Kris on October 4, 2007, 8:40 am

Thanks a lot Martin

That solution you provided works perfectly. I can now use T (title)
also.
I didn't see that website you referred to before; it was quite
helpful.

I still have one problem that remains:
My sub CA does not add the BasicConstraints extension to the certificate.
Furthermore, I would also like to make it critical. While I can successfully
generate the request that contains these parameters:
c:\pki\test>certutil.exe -setextension 25 2.5.29.19 1 @bc.txt
0000 30 00 0.
certutil: -setextension command completed successfully.

The resulting certificate doesn't contain it.

I have also done the following but no change... Any ideas?

c:\pki\test>certutil -setreg policy\editflags
-editf_basicconstraintscritical
system\currentcontrolset\services\certsvc\configuration\kfbn-frnb
issuing ca class a\policymodules\certificate
authority_microsoftdefault.policy\editflags:

old value:
editflags reg_dword = 83e6 (33766)
editf_requestextensionlist -- 2
editf_disableextensionlist -- 4
editf_attributeenddate -- 20 (32)
editf_basicconstraintscritical -- 40 (64)
editf_basicconstraintsca -- 80 (128)
editf_enableakikeyid -- 100 (256)
editf_attributeca -- 200 (512)
editf_attributeeku -- 8000 (32768)

new value:
editflags reg_dword = 83a6 (33702)
editf_requestextensionlist -- 2
editf_disableextensionlist -- 4
editf_attributeenddate -- 20 (32)
editf_basicconstraintsca -- 80 (128)
editf_enableakikeyid -- 100 (256)
editf_attributeca -- 200 (512)
editf_attributeeku -- 8000 (32768)

Kris


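
The certutil output quoted above shows the DWORD going from 83e6 to 83a6. The only bit that differs is 0x40, EDITF_BASICCONSTRAINTSCRITICAL, which is listed under the old value and missing from the new one; that is what a leading '-' does in `certutil -setreg` ('+' sets a flag, '-' clears it). The following added example, which is not certutil and not code from the thread, parses that output and applies the same +/- arithmetic so the effect of an edit can be checked before it is run against a CA. It only knows the EDITF_* names and bit values that appear in the quoted output; any other bit is reported as unknown rather than guessed at.

```python
"""Model of certutil's +FLAG / -FLAG arithmetic on the policy module's EditFlags.

Added example, not certutil itself.  Only the EDITF_* names and bit values
printed in the certutil output quoted in the thread are modelled.
"""
import re
from typing import Dict, List, Tuple

EDITF: Dict[str, int] = {
    "EDITF_REQUESTEXTENSIONLIST": 0x2,
    "EDITF_DISABLEEXTENSIONLIST": 0x4,
    "EDITF_ATTRIBUTEENDDATE": 0x20,
    "EDITF_BASICCONSTRAINTSCRITICAL": 0x40,
    "EDITF_BASICCONSTRAINTSCA": 0x80,
    "EDITF_ENABLEAKIKEYID": 0x100,
    "EDITF_ATTRIBUTECA": 0x200,
    "EDITF_ATTRIBUTEEKU": 0x8000,
}
KNOWN_BITS = 0
for _bit in EDITF.values():
    KNOWN_BITS |= _bit

# The old/new values certutil printed in Kris's post (quoted, not constructed).
CERTUTIL_OUTPUT = """\
old value:
editflags reg_dword = 83e6 (33766)
new value:
editflags reg_dword = 83a6 (33702)
"""


def decode_editflags(value: int) -> Tuple[List[str], int]:
    """Names of the modelled flags set in value, and any bits this model does not know."""
    names = [name for name, bit in EDITF.items() if value & bit]
    return names, value & ~KNOWN_BITS


def apply_flag_edit(value: int, edit: str) -> int:
    """Apply one certutil -setreg style edit: '+NAME' sets the bit, '-NAME' clears it."""
    sign, name = edit[:1], edit[1:].strip().upper()  # certutil accepts any case
    if sign not in ("+", "-") or name not in EDITF:
        raise ValueError(f"unsupported edit: {edit!r}")
    bit = EDITF[name]
    return value | bit if sign == "+" else value & ~bit


def parse_setreg_output(text: str) -> List[int]:
    """Pull the hex REG_DWORD values (old, new) out of certutil -setreg output."""
    return [int(h, 16) for h in re.findall(r"reg_dword\s*=\s*([0-9a-f]+)\s*\(", text, re.I)]


def diff_flags(old: int, new: int) -> Tuple[List[str], List[str]]:
    """(added, removed) flag names between two EditFlags values."""
    added = [n for n, b in EDITF.items() if new & b and not old & b]
    removed = [n for n, b in EDITF.items() if old & b and not new & b]
    return added, removed


if __name__ == "__main__":
    old, new = parse_setreg_output(CERTUTIL_OUTPUT)
    print(f"old 0x{old:x}: {decode_editflags(old)[0]}")
    print(f"new 0x{new:x}: {decode_editflags(new)[0]}")
    print("added/removed:", diff_flags(old, new))
    # the edit that sets the flag instead of clearing it
    restored = apply_flag_edit(new, "+EDITF_BASICCONSTRAINTSCRITICAL")
    print(f"+EDITF_BASICCONSTRAINTSCRITICAL on 0x{new:x} -> 0x{restored:x}")
```

Changes to EditFlags are read by the policy module at start-up, so the CertSvc service must be restarted (net stop certsvc / net start certsvc) before an issued certificate will reflect them; the flag arithmetic above only tells you what the registry value will be, not whether the CA will honour a BasicConstraints extension carried in the request.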

