I know this is my second post and it's still related to smartcards, but I swear this isn't the only thing I work on. I also know that this may be an edge topic to many, and as you read this you may ask: what is certreq.exe and what is an enrollment agent? If so, I encourage the use of Google (ok ok... use MSN Search, or at least try it before Google and give it a chance). The short version: certreq.exe is the Windows command-line tool for creating, signing and submitting certificate requests, and an enrollment agent is an account holding a Certificate Request Agent certificate, which lets it request (and countersign) certificates on behalf of other users.
I was looking through some newsgroup posts and found this:
The basic problem as described in the post is:
I am trying to issue a smart card certificate (Ver 2 template on Win2003) on behalf of another user using certreq and an .inf file. The command is being run on an RA, i.e. the machine has an enrollment agent certificate installed. Firstly, should this work?
I am getting this error. Below is the .inf file used.
certreq.exe: 5.2.3790.0 retail (srv03_rtm.030324-2048)
1401.1715.0: 0x8009310b (ASN: 267)
1401.2150.0: 0x8009310b (ASN: 267)
1401.2647.0: 0x8009310b (ASN: 267)
1401.6903.0: 0x8009310b (ASN: 267)
1401.7080.0: 0x8009310b (ASN: 267)
Certificate Request Processor: ASN1 bad tag value met.
Before we begin, a few notes:
1. Some have noted my grammar is horrid. Yes, I know; So Is My Speeling at Ttimes, and my typing skills are horrid (I use 6 fingers total). I was kicked out of typing class back in high school and didn't care, since I would *NEVER* use it......
2. I thought I would post some HOW TO items. I'll preface the titles with :HowTo
Here is how one would do this, or at least how I would do it ;oP
First, on the CA, allow the subject alternative name to be supplied as a request attribute:
CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Then restart Certificate Services so the registry change takes effect. A word of caution on this flag: once it is set, anyone who can enroll for any template on that CA can attach an arbitrary UPN to their request and get a certificate that logs on as that user (this is the misconfiguration later catalogued as ESC6). If your smart card template can build the UPN from Active Directory itself, do that and leave the flag off; if you do set it, treat it as temporary and clear it afterwards with the same command and a leading minus instead of the plus.
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=sctest,ou=SAFER,DC=crisco,DC=com"
RequesterName = Crisco0\Administrator
RequestType = CMC                         ; CMC is the request format the enrollment agent can countersign
ProviderName = "Gemplus GemSAFE Card CSP"
Providertype = 1
KeySpec = 1                               ; AT_KEYEXCHANGE, what smart card logon expects
KeyUsage = 0x30
KeyContainer = "SCTEST"
KeyLength = 512                           ; what this card did back then; use 2048 or the largest size the card CSP supports

[RequestAttributes]
CertificateTemplate = SpatsSmartCard
CertificateTemplate: name of the custom V2 template.
ProviderName: the CSP for the smart card.
RequesterName: the account the request is made under (here the enrollment agent, who is logged on and holds the enrollment agent certificate).
For more info on the syntax:
C:\certutil>certreq -new inf.txt inf.req
(prompted for the card PIN; enter it)
C:\certutil>certreq -sign inf.req inf_signed.req
(prompted to pick the enrollment agent certificate from my store)
C:\certutil>certreq -attrib "SAN:upn=firstname.lastname@example.org" -submit inf_signed.req inf_cert.cer
Certificate retrieved(Issued) Issued
C:\certutil>certreq -accept inf_cert.cer
Note the SAN value must be given as upn=<the user's UPN>; with the EditFlags setting above, the CA copies that attribute into the certificate's subject alternative name.
Now log on with the smart card and you should be logged on as the user named in the UPN you supplied.
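Here is the whole procedure above as one PowerShell script. This is an added example, not code from the original post: the template, CSP, subject and agent account are the post's, while the CA config string ca01.crisco.com\crisco-CA, the target UPN sctest@crisco.com and the 1024-bit key size are assumptions. The INF carries the section headers certreq expects, the SAN is passed as upn=, and the script checks the issued certificate's SAN before the card is handed out.

```powershell
# Added example, not code from the original post: the enrollment-agent (EOBO)
# smart card request as one script. Assumed values: CA config string, target UPN
# and 1024-bit key; template, CSP, subject and agent account come from the post.
# Run on the enrollment agent's workstation with the blank card inserted.

$CaConfig  = "ca01.crisco.com\crisco-CA"    # assumption: "CAHOST\CA common name"
$Template  = "SpatsSmartCard"
$Agent     = "Crisco0\Administrator"        # account holding the Enrollment Agent cert
$TargetUpn = "sctest@crisco.com"            # assumption: UPN the card should log on as

# Step 1 (on the CA, not here): only needed when the template cannot build the UPN
# from AD itself. The flag lets every enrollee on that CA choose any SAN (ESC6),
# so set it temporarily and clear it afterwards with -EDITF_ATTRIBUTESUBJECTALTNAME2.
#   certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
#   Restart-Service certsvc

# Step 2: the INF, with the section headers certreq requires.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "CN=sctest,ou=SAFER,DC=crisco,DC=com"
RequesterName = $Agent
RequestType   = CMC
ProviderName  = "Gemplus GemSAFE Card CSP"
ProviderType  = 1
KeySpec       = 1      ; AT_KEYEXCHANGE, what smart card logon expects
KeyUsage      = 0xa0   ; digitalSignature | keyEncipherment (the post used 0x30)
KeyContainer  = "SCTEST"
KeyLength     = 1024   ; assumption; the post used 512. Use the largest size the card CSP supports.

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path .\sctest.inf -Value $inf -Encoding Ascii

# Step 3: build the request on the card (PIN prompt), countersign it with the
# enrollment agent certificate (certreq prompts for the cert; -cert <CertId> names
# it if you want to skip the prompt), submit with the UPN as a SAN attribute, and
# write the issued certificate back onto the card.
certreq -new  .\sctest.inf .\sctest.req
certreq -sign .\sctest.req .\sctest_signed.req
certreq -submit -config $CaConfig -attrib "SAN:upn=$TargetUpn" .\sctest_signed.req .\sctest.cer
certreq -accept .\sctest.cer

# Step 4: check what the CA actually issued before handing the card over. The UPN
# in the Subject Alternative Name, not the Subject, is what the DC maps the logon to.
$certPath = (Resolve-Path .\sctest.cer).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($TargetUpn)) {
    throw "Issued certificate does not carry upn=$TargetUpn in its SAN; do not hand out this card"
}
"Issued to $($cert.Subject); SAN: $($san.Format($false)); valid until $($cert.NotAfter)"
```

The SAN check at the end is the part worth keeping even if you do the rest by hand: with EDITF_ATTRIBUTESUBJECTALTNAME2 on, the CA takes whatever UPN it is given, so confirm the card really says what you meant before it leaves your desk.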
This same error "0x8009310b (ASN: 267)" happens if someone submits an encrypted private key, instead of the CSR, when requesting an SSL certificate.
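The comment above describes the most common way to hit 0x8009310b: the file handed to certreq -submit is not a request at all. As an added example (not part of the post or the comment), here is a pre-flight check that looks at the bytes before you submit them. The function and the sample files it writes are constructed for this example.

```powershell
# Added example, not part of the post or the comment: inspect a file before
# handing it to "certreq -submit". 0x8009310b / "ASN1 bad tag value met" means the
# CA could not parse the bytes as a request, which is what you get when a PEM
# private key, an issued certificate or a mis-encoded text file is submitted.
function Test-CertRequestFile {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return "REFUSE: empty file" }

    # Binary DER: a PKCS#10 or CMC request starts with a SEQUENCE tag (0x30).
    if ($bytes[0] -eq 0x30) { return "OK: DER with outer SEQUENCE tag, plausible request" }

    # A UTF-8 BOM ahead of the PEM header is a common editor artifact; flag it.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        return "WARN: UTF-8 BOM before the text; resave as ANSI before submitting"
    }

    # Text: classify by the PEM label. A UTF-16 file without BOM decodes to
    # interleaved NULs here, so it lands in the "neither" branch on purpose.
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $label = [regex]::Match($text, '-----BEGIN ([A-Z0-9 ]+)-----').Groups[1].Value
    switch -Regex ($label) {
        '^(NEW )?CERTIFICATE REQUEST$' { return "OK: PEM request ($label)" }
        'PRIVATE KEY$'                 { return "REFUSE: '$label' is a private key, not a request (the classic cause of 0x8009310b)" }
        '^CERTIFICATE$'                { return "REFUSE: this is an issued certificate, not a request" }
        '^$'                           { return "REFUSE: neither DER nor a PEM block; check encoding (UTF-16 without BOM?) or truncation" }
        default                        { return "UNKNOWN: PEM label '$label'" }
    }
}

# Constructed sample inputs (not real keys or requests), written to temp files so
# the function can be exercised offline.
$tmp = [System.IO.Path]::GetTempPath()
Set-Content -Path "$tmp\csr.pem" -Encoding Ascii -Value "-----BEGIN NEW CERTIFICATE REQUEST-----`nMIIB...`n-----END NEW CERTIFICATE REQUEST-----"
Set-Content -Path "$tmp\key.pem" -Encoding Ascii -Value "-----BEGIN RSA PRIVATE KEY-----`nMIIE...`n-----END RSA PRIVATE KEY-----"
[System.IO.File]::WriteAllBytes("$tmp\req.der", [byte[]](0x30, 0x82, 0x01, 0x00))
foreach ($f in "csr.pem", "key.pem", "req.der") { "{0,-8} {1}" -f $f, (Test-CertRequestFile "$tmp\$f") }
```

The check is deliberately shallow (outer tag and PEM label only); its job is to catch the wrong file being submitted, not to validate the request, which the CA does anyway.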
I had to quickly learn how to use certreq.exe and found this one of the few helpful posts on the web. I would have killed to have had an example INF and instructions walking through the process that fit my needs... since I figured it out, here's just that!
I created a file called router.inf. Its contents looked like this:
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=VpnUserName"
Exportable = TRUE                   ; needed later to move the key into the machine store
KeySpec = 2                         ; AT_SIGNATURE
KeyUsage = 0xa0                     ; digitalSignature | keyEncipherment
MachineKeySet = FALSE               ; request lands in the user store
Requestername = DOMAIN\VpnUserName

[EnhancedKeyUsageExtension]
OID = 126.96.36.199.188.8.131.52.2  ; value garbled in this copy (not a valid OID); Client Authentication is 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = "OfflineRouter"
I then walked through 3 commands at a command prompt :
certreq -new router.inf router.req
certreq -submit router.req
certreq -accept router.cer
Since having the INF install it directly into the machine store produced a cert there that claimed to have the private key but did not work, I had it install into the user store instead, then exported the cert including the private key and imported it into the machine store.
VOILA! My RRAS box could connect to the remote network using EAP-TLS auth for a PPTP VPN tunnel.
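As an added example (not the commenter's own script), here is that EAP-TLS router certificate flow in PowerShell: the INF with the section headers certreq needs and the Client Authentication EKU spelled out, the three certreq steps, and then the user-store to machine-store move done with Export-PfxCertificate and Import-PfxCertificate from the PKI module (Windows 8 / Server 2012 and later, so not something the commenter had in 2005). The CA name ca01.example.com\Example-CA, the DOMAIN\VpnUserName account and the 2048-bit key are assumptions. It ends with the check the comment was missing: that the machine-store copy really has a private key.

```powershell
# Added example, not the commenter's own script: EAP-TLS client certificate for an
# RRAS box, requested into the user store and then moved to the machine store the
# way the comment describes. CA name, account and key size are assumptions.

$CaConfig = "ca01.example.com\Example-CA"   # assumption: "CAHOST\CA common name"
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "CN=VpnUserName"
Exportable    = TRUE            ; required: the key must leave the user store later
KeySpec       = 2               ; AT_SIGNATURE, as in the comment; EAP-TLS client auth only signs
KeyUsage      = 0xa0            ; digitalSignature | keyEncipherment
KeyLength     = 2048            ; assumption, the comment did not set one
MachineKeySet = FALSE           ; request into the user store, as the comment found necessary
RequesterName = DOMAIN\VpnUserName

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2         ; Client Authentication, the EKU EAP-TLS checks on the client cert

[RequestAttributes]
CertificateTemplate = "OfflineRouter"
"@
Set-Content -Path .\router.inf -Value $inf -Encoding Ascii

certreq -new    .\router.inf .\router.req
certreq -submit -config $CaConfig .\router.req .\router.cer
certreq -accept .\router.cer

# Move certificate + private key to LocalMachine\My, where RRAS looks for it.
$thumb = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path .\router.cer).Path).Thumbprint
$pfx   = Join-Path $env:TEMP "router-$thumb.pfx"
$pw    = Read-Host -AsSecureString -Prompt "One-time PFX password"
Export-PfxCertificate -Cert (Get-Item "Cert:\CurrentUser\My\$thumb") -FilePath $pfx -Password $pw | Out-Null
Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pw | Out-Null
Remove-Item $pfx                                           # do not leave the key on disk
Remove-Item "Cert:\CurrentUser\My\$thumb" -DeleteKey       # only one copy of the key should remain

# The comment's symptom was a machine-store cert that "claimed to have the private
# key, but did not work". Check the key is really present and the EKU is right
# before pointing RRAS at the certificate.
$m = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $m.HasPrivateKey) { throw "No private key behind $thumb in LocalMachine\My" }
$eku = $m.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains "1.3.6.1.5.5.7.3.2") {
    throw "Certificate lacks the Client Authentication EKU; EAP-TLS will reject it"
}
"$($m.Subject) ($thumb) ready in LocalMachine\My with private key and Client Authentication EKU"
```

Exportable = TRUE is the price of this workaround; if the template allows it, requesting straight into the machine store with MachineKeySet = TRUE from an elevated prompt avoids ever having an exportable copy of the key.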
Cool - sorry for the lack of documentation
Check this paper out:
This was very helpful!