Spat's WebLog (Steve Patrick)

When things go wrong...

HowTo: Use certreq.exe with a smartcard enrollment agent

I know this is my second post and it's still related to smartcards, but I swear this isn't the only thing I work on. I also know that this may be an edge topic to many and as you read this you say - what is certreq.exe and what is an enrollment agent?? If so, I encourage the use of Google ( ok ok ... use MSN Search or at least try it before Google and give it a chance)

I was looking through some newsgroup posts and found this:

http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2005-02/0108.html

The basic problem as described in the post is:

I am trying to issue a smart card certificate (Ver 2 template on Win2003) on behalf of another user using certreq and an .inf file. The command is being run on a RA, i.e. the machine has an enrollment agent certificate installed. Firstly, should this work?

I am getting this error. Below is the inf file used.

Thanks!

C:\>certreq test.inf
certreq.exe: 5.2.3790.0 retail (srv03_rtm.030324-2048)
1401.1715.0: 0x8009310b (ASN: 267)
1401.2150.0: 0x8009310b (ASN: 267)
1401.2647.0: 0x8009310b (ASN: 267)
1401.6903.0: 0x8009310b (ASN: 267)
1401.7080.0: 0x8009310b (ASN: 267)
Certificate Request Processor: ASN1 bad tag value met.
0x8009310b (ASN:

Before we begin, a few notes:

1. Some have noted my grammar is horrid - yes I know, So Is My Speeling at Ttimes, and my typing skills are horrid (I use 6 fingers total). I was kicked out of typing class back in high school and didn't care since I would *NEVER* use it......

2. I thought I would post some HowTo items. I'll preface the titles with: HowTo

Anywho....

Here is how one would do this - or at least how I would do it ;oP

  1. By default, a Windows Server 2003 CA does not accept subject alternative names specified in a certificate request and insert them into the issued certificate. This applies to both stand-alone and enterprise CAs. So run this from a command line:

            CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Then restart Certificate Services so the change takes effect.

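As an added check, not from the original post: this flag is a CA-wide policy setting, so while it is on the CA will honor a SAN supplied via the request attributes by any requester, not just the enrollment agent. The PowerShell below (assumed to run on the CA host, as an administrator) reads EditFlags from the CA's policy module registry key, reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x40000) is set, and prints the certutil command that clears it again once the enrollment is done.

```powershell
# Added example: audit the CA's EditFlags for EDITF_ATTRIBUTESUBJECTALTNAME2.
# Assumes it runs on the CA host as an administrator. 0x40000 is the documented
# bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 (certutil shows it as "40000 (262144)").
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# The "Active" value under Configuration holds the name of the CA running on this host.
$caName     = (Get-ItemProperty -Path $configRoot -Name Active -ErrorAction Stop).Active
$policyKey  = Join-Path $configRoot "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$editFlags  = (Get-ItemProperty -Path $policyKey -Name EditFlags -ErrorAction Stop).EditFlags

"CA '{0}': EditFlags = 0x{1:X}" -f $caName, $editFlags

if (($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0) {
    "EDITF_ATTRIBUTESUBJECTALTNAME2 is SET: the CA accepts a SAN from the request attributes of ANY requester."
    "Clear it once the smart card enrollment is done, then restart Certificate Services:"
    "  certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2"
    "  net stop certsvc"
    "  net start certsvc"
} else {
    "EDITF_ATTRIBUTESUBJECTALTNAME2 is not set: a SAN passed via -attrib will be ignored."
}
```
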
  2. Create an INF file which looks like this:

[Version]
Signature= "$Windows NT$"

[NewRequest]
KeySpec = 1
KeyUsage = 0x30
Providertype = 1
RequesterName = Crisco0\Administrator
RequestType = CMC
ProviderName = "Gemplus GemSAFE Card CSP"
Subject = "CN=sctest,ou=SAFER,DC=crisco,DC=com"
KeyContainer = "SCTEST"
KeyLength = 512

[RequestAttributes]
CertificateTemplate = SpatsSmartCard

Where:

CertificateTemplate == name of the custom V2 template
ProviderName == the CSP needed for the smart card
RequesterName == name of the enrollment agent who is logged on and holds the enrollment agent certificate

See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx for more info on the syntax.

  3. Modify the V2 template on the Subject Name tab so that the Subject can be supplied in the request.

  4. Publish the template to your Enterprise CA.

  5. From your enrollment station do the following:

C:\certutil>certreq -new inf.txt inf.req
(PROMPTED FOR PIN - ENTER PIN)

C:\certutil>certreq -sign inf.req inf_signed.req
(PROMPTED FOR PROPER ENROLLMENT AGENT CERT IN MY STORE)

C:\certutil>certreq -attrib "SAN:upn=sctest@crisco.com" -submit inf_signed.req inf_cert.cer
RequestId: 57
Certificate retrieved(Issued) Issued

C:\certutil>certreq -accept inf_cert.cer
(PROMPTED FOR PIN - ENTER PIN)

Now log on with the smart card; you should be logged on as the user specified in the UPN you provided.

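An added check, not part of the original walkthrough: before certreq -accept writes the certificate to the card, confirm that what the CA issued actually carries the UPN passed in -attrib and the Smart Card Logon EKU, so a mistyped or unexpected SAN is caught first. It assumes the file name inf_cert.cer and the UPN sctest@crisco.com from the commands above; the Smart Card Logon EKU OID 1.3.6.1.4.1.311.20.2.2 is Microsoft's standard value.

```powershell
# Added example: inspect the issued certificate before 'certreq -accept' puts it on the card.
# Assumes the file name and UPN used in the walkthrough above.
param(
    [string]$CertPath = 'inf_cert.cer',
    [string]$ExpectedUpn = 'sctest@crisco.com'
)

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU

$fullPath = (Resolve-Path -Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath

# Subject Alternative Name (OID 2.5.29.17): CryptoAPI renders a UPN as "Principal Name=<upn>".
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$upns = @()
if ($san) {
    $upns = @([regex]::Matches($san.Format($true), 'Principal Name=(\S+)') |
        ForEach-Object { $_.Groups[1].Value })
}

# Enhanced Key Usage must include Smart Card Logon or the card is useless at the logon screen.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasScLogon = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SmartCardLogonEku })

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"UPNs    : $($upns -join ', ')"

$ok = $true
if ($upns -notcontains $ExpectedUpn) {
    Write-Warning "SAN UPN does not match '$ExpectedUpn'; do not accept this certificate."
    $ok = $false
}
if (-not $hasScLogon) {
    Write-Warning "Smart Card Logon EKU ($SmartCardLogonEku) is missing."
    $ok = $false
}
if ($ok) { "Checks passed; safe to run: certreq -accept $CertPath" } else { exit 1 }
```
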
Have fun!

Spat

Comments

  • This same error "0x8009310b (ASN: 267)" happens if someone submits an encrypted private key, instead of the csr, when requesting an SSL certificate.

  • I had to quickly learn how to use certreq.exe and found this one of the few helpful posts on the web.  I would have killed to have had an example INF & instructions walking through the process that fit my needs... since I figured it out, here's just that!

    I created a file called router.inf. Its contents looked like this:

    -----------------------------------
    [NewRequest]
    Exportable = TRUE
    KeyLength=1024
    KeySpec = 2
    KeyUsage = 0xa0
    MachineKeySet = FALSE
    Requestername = DOMAIN\VpnUserName
    Subject = "CN=VpnUserName"

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.2   ; Client Authentication

    [RequestAttributes]
    CertificateTemplate = "OfflineRouter"
    -------------------------------------

    I then walked through 3 commands at a command prompt:

    certreq -new router.inf router.req
    certreq -submit router.req
    certreq -accept router.cer

    Since having the INF specify to install it directly to the machine store produced a cert there that claimed to have the private key, but did not work, I specified to have it install into the user store, then exported the key, including the private key, and imported it to the machine store.

    VOILA!  My RRAS box could connect to the remote network using EAP-TLS auth for a PPTP VPN tunnel.

  • Cool - sorry for the lack of documentation

    Check this paper out:

    http://technet.microsoft.com/en-us/library/cc736326.aspx

    spat

  • This was very helpful!
