[Pki-users] Assistance with creating and submitting a Windows LDAPS Certificate; PKI 10.3.3

Fraser Tweedale ftweedal at redhat.com
Wed Oct 18 00:03:26 UTC 2017


On Tue, Oct 17, 2017 at 02:21:41PM -0700, Richard Harmonson wrote:
> I created a certificate request using certreq.exe and the prerequisite
> request.info on a Windows Server 2012R2 DC--references and details given
> below.
> 
> However, I receive the error "Sorry, your request is not submitted. The
> reason is "Invalid Request."" when attempting to submit it to my Root CA
> via "Manual Server Certificate Enrollment".
> 
> Am I using the wrong template profile? Is there a template that supports
> OID=1.3.6.1.5.5.7.3.1?
> 
Yes, this OID is configured in the server certificate profile.  You
don't need to include it in the CSR (but it doesn't hurt).

There is something about the request that Dogtag does not like.
Could you attach the CSR itself and/or the relevant portion of the
/var/log/pki/pki-tomcat/ca/debug log file?

Thanks,
Fraser

> 
> Currently using PKI/Dogtag 10.3, but I did update to 10.4, briefly, then
> recovered from snap/backup to 10.3 for the error persisted with 10.4.
> 
> 
> These are my primary references:
> 
> https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority
> 
> https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx#BKMK_Certreq
> 
> Created the CSR by executing "certreq -new request.inf request.csr"
> 
> The request.inf follows:
> 
> ========================================
> [Version]
> Signature="$Windows NT$"
> [NewRequest]
> Subject = "CN=ad.winauth.mydomain.net"
> KeySpec = 1
> KeyLength = 2048
> Exportable = TRUE
> MachineKeySet = TRUE
> SMIME = False
> PrivateKeyArchive = FALSE
> UserProtected = FALSE
> UseExistingKeySet = FALSE
> ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
> ProviderType = 12
> RequestType = PKCS10
> KeyUsage = 0xa0
> 
> [Extensions]
> 2.5.29.17 =  "dns=ad.winauth.mydomain.net&"
> _continue_ = "dn=CN=AD,OU=Domain Controllers,DC=winauth,DC=mydomain,DC=net&"
> _continue_ = "ipaddress=192.168.1.1&"
> 
> [EnhancedKeyUsageExtension]
> OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
> ========================================
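Added example, not part of the thread: the request.inf above rebuilt with openssl, followed by the local checks (PEM header, self-signature, SAN, key usage, EKU) worth running on any CSR before submitting it to Dogtag, so that a rejection can be narrowed to the request itself or to the profile. The host name and IP are the constructed values from the post; the dn= SAN entry is left out because openssl needs a separate config section for dirName.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the request.inf above with
# openssl and run the checks a CA operator would apply to a CSR that Dogtag
# rejected as "Invalid Request". Names and the IP are the constructed values
# from the post; the key is a throwaway generated in a temp directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CSR="$WORK/request.csr"

# Same content as the INF: CN, SAN with DNS and IP, KeyUsage 0xa0
# (digitalSignature | keyEncipherment), EKU serverAuth. The dn= SAN entry is
# left out because openssl needs a separate config section for dirName.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$CSR" \
    -subj "/CN=ad.winauth.mydomain.net" \
    -addext "subjectAltName=DNS:ad.winauth.mydomain.net,IP:192.168.1.1" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# PEM armour: openssl writes "CERTIFICATE REQUEST", certreq writes
# "NEW CERTIFICATE REQUEST"; both are PKCS#10, but a header that is neither,
# CRLF line endings or a stray BOM are the first things to rule out.
csr_header() { head -n 1 "$1" | tr -d '\r'; }

# The CSR is self-signed; a failed verify means the blob is damaged or not
# PKCS#10 at all, which fails before any profile check is reached.
csr_verify() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# Grep the decoded request for an expected field (SAN, KU, EKU).
csr_has() { openssl req -in "$1" -noout -text | grep -q -- "$2"; }

# Returns 0 only when the CSR carries everything the INF asked for.
check_csr() {
  csr_verify "$1" &&
  csr_has "$1" 'DNS:ad.winauth.mydomain.net' &&
  csr_has "$1" 'IP Address:192.168.1.1' &&
  csr_has "$1" 'Key Encipherment' &&
  csr_has "$1" 'TLS Web Server Authentication'
}

make_csr
echo "header: $(csr_header "$CSR")"
if check_csr "$CSR"; then echo "CSR matches request.inf"; else echo "CSR missing fields"; fi
```

Run the same three checks against the certreq-generated request.csr: if they pass there too, the problem lies in how Dogtag's profile interprets the request rather than in the CSR encoding.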