[Pki-users] Assistance with creating and submitting a Windows LDAPS Certificate; PKI 10.3.3

Richard Harmonson richard.harmonson at gmail.com
Wed Oct 18 02:08:15 UTC 2017


On Tue, Oct 17, 2017 at 5:03 PM, Fraser Tweedale <ftweedal at redhat.com>
wrote:

> On Tue, Oct 17, 2017 at 02:21:41PM -0700, Richard Harmonson wrote:
> > I created a certificate request using certreq.exe and the prerequisite
> > request.info on a Windows Server 2012R2 DC--references and details given
> > below.
> >
> > However, I receive the error "Sorry, your request is not submitted. The
> > reason is "Invalid Request." when attempting to submit "Manual Server
> > Certificate Enrollment" it to my Root CA.
> >
> > Am I using the wrong template profile? Is there a template that supports
> > OID=1.3.6.1.5.5.7.3.1?
> >
> Yes, this OID is configured in the server certificate profile.  You
> don't need to include it in the CSR (but it doesn't hurt).
>
> There is something about the request that Dogtag does not like.
> Could you attach the CSR itself and/or the relevant portion of the
> /var/log/pki/pki-tomcat/ca/debug log file?
>
> Thanks,
> Fraser
>
> >
> > Currently using PKI/Dogtag 10.3, but I did update to 10.4, briefly, then
> > recovered from snap/backup to 10.3 for the error persisted with 10.4.
> >
> >
> > These are my primary references:
> >
> > https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority
> >
> > https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx#BKMK_Certreq
> >
> > Created the CSR by executing "certreq -new request.inf request.csr"
> >
> > The request.inf follows:
> >
> > ========================================
> > [Version]
> >
> > Signature="$Windows NT$"
> >
> > [NewRequest]
> > Subject = "CN=ad.winauth.mydomain.net"
> > KeySpec = 1
> > KeyLength = 2048
> > Exportable = TRUE
> > MachineKeySet = TRUE
> > SMIME = False
> > PrivateKeyArchive = FALSE
> > UserProtected = FALSE
> > UseExistingKeySet = FALSE
> > ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
> > ProviderType = 12
> > RequestType = PKCS10
> > KeyUsage = 0xa0
> >
> > [Extensions]
> > 2.5.29.17 =  "dns=ad.winauth.mydomain.net&"
> > _continue_ = "dn=CN=AD,OU=Domain Controllers,DC=winauth,DC=mydomain,DC=net&"
> > _continue_ = "ipaddress=192.168.1.1&"
> >
>

I reviewed the suggested log, thank you, which clearly showed DogTag
complaining about something being provided in the CSR. I couldn't interpret
exactly what was the problem but I removed the one thing I had never done
before, the [Extensions] stanza with the SAN.

I successfully submitted!

What is the correct method to provide a 'Subject Alternative Name' in a CSR
to DogTag? Or am I going about this all wrong? I was intending to provide
FQDN, IP address, and DN in the SAN.

Thank you,

Richard


> > [EnhancedKeyUsageExtension]
> > OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
> > ========================================
>
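As an added illustration (not part of this thread, and not code from certreq or Dogtag): the three `[Extensions]` entries in the request.inf above correspond to three GeneralName forms of the X.509 subjectAltName extension (RFC 5280 section 4.2.1.6): `dns=` is dNSName (context tag [2]), `dn=` is directoryName ([4], an explicit tag around a full Name), and `ipaddress=` is iPAddress ([7], packed octets). The stdlib-only Python below encodes the thread's three values into that DER structure and decodes them back, which is what a CA has to parse from the CSR. It is a stand-in for inspection, not what certreq does on Windows; it assumes only CN, OU and DC attribute types and writes every DN value as UTF8String (real encoders choose string types per RFC 4519, e.g. IA5String for DC).

```python
"""Encode/decode an X.509 subjectAltName value (RFC 5280 GeneralNames), stdlib only.
Constructed example, not certreq or Dogtag code."""
import ipaddress

# GeneralName CHOICE tags (RFC 5280 4.2.1.6) and the certreq key producing each
TAG_DNS, TAG_DIRNAME, TAG_IP = 2, 4, 7          # dns= / dn= / ipaddress=

# Attribute-type OIDs for the DN components used in the thread's request.inf (assumption: only these)
ATTR_OIDS = {"CN": "2.5.4.3", "OU": "2.5.4.11", "DC": "0.9.2342.19200300.100.1.25"}
OID_ATTRS = {oid: name for name, oid in ATTR_OIDS.items()}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                               # base-128, high bit marks continuation
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += enc
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def encode_name(ldap_dn):
    """LDAP string DN -> DER Name. X.500 order is the reverse of LDAP order;
    every value is written as UTF8String (simplification, see lead-in)."""
    rdns = []
    for rdn in reversed(ldap_dn.split(",")):
        attr, value = rdn.split("=", 1)
        atv = tlv(0x30, encode_oid(ATTR_OIDS[attr.strip()]) + tlv(0x0C, value.encode()))
        rdns.append(tlv(0x31, atv))              # each RDN is a SET OF AttributeTypeAndValue
    return tlv(0x30, b"".join(rdns))

def encode_san(dns_names, dir_names, ips):
    items = [tlv(0x80 | TAG_DNS, d.encode("ascii")) for d in dns_names]          # [2] IMPLICIT IA5String
    items += [tlv(0xA0 | TAG_DIRNAME, encode_name(dn)) for dn in dir_names]       # [4] EXPLICIT Name (a CHOICE)
    items += [tlv(0x80 | TAG_IP, ipaddress.ip_address(ip).packed) for ip in ips]  # [7] IMPLICIT OCTET STRING
    return tlv(0x30, b"".join(items))

def certreq_san_to_der(spec):
    """certreq-style 'dns=..&dn=..&ipaddress=..&' text (as in request.inf) -> DER.
    Stand-in for certreq's own encoding so the result can be inspected off-box."""
    buckets = {"dns": [], "dn": [], "ipaddress": []}
    for item in filter(None, spec.split("&")):
        key, value = item.split("=", 1)          # 'dn=CN=AD,...' keeps its inner '='
        buckets[key.lower()].append(value)
    return encode_san(buckets["dns"], buckets["dn"], buckets["ipaddress"])

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def decode_name(body):
    rdns = []
    for _, rdn_set in iter_tlvs(body):
        parts = []
        for _, atv in iter_tlvs(rdn_set):
            (_, oid), (_, value) = list(iter_tlvs(atv))
            parts.append(f"{OID_ATTRS.get(decode_oid(oid), decode_oid(oid))}={value.decode()}")
        rdns.append("+".join(parts))
    return ",".join(reversed(rdns))              # back to LDAP order

def decode_san(der):
    """DER subjectAltName value -> list of (certreq key, text). Unknown GeneralName
    forms are reported by tag number rather than silently dropped."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    names = []
    for tag, val in iter_tlvs(body):
        kind = tag & 0x1F
        if kind == TAG_DNS:
            names.append(("dns", val.decode("ascii")))
        elif kind == TAG_DIRNAME:
            (_, name_body), = list(iter_tlvs(val))   # unwrap the EXPLICIT tag
            names.append(("dn", decode_name(name_body)))
        elif kind == TAG_IP:
            names.append(("ipaddress", str(ipaddress.ip_address(val))))
        else:
            names.append((f"generalName[{kind}]", val.hex()))
    return names

# The three SAN entries from the request.inf in this thread, in certreq's syntax
SAN_SPEC = ("dns=ad.winauth.mydomain.net&"
            "dn=CN=AD,OU=Domain Controllers,DC=winauth,DC=mydomain,DC=net&"
            "ipaddress=192.168.1.1&")

if __name__ == "__main__":
    der = certreq_san_to_der(SAN_SPEC)
    print(der.hex())
    for key, text in decode_san(der):
        print(f"{key:10} {text}")
```

Running it prints the DER hex followed by the three decoded entries; the directoryName is the bulk of the value because it carries a full five-RDN Name, which is also why the outer SEQUENCE needs a long-form length. Feeding `decode_san` the extension value pulled out of a real CSR (for example from a PKCS#10 decoder's output) shows exactly which GeneralName forms the request carries, which is the first thing to compare against whatever the CA's profile expects.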