Re: How to renew a certificate programmicaly
From: Vishal Agarwal[MSFT] (vishala_at_online.microsoft.com)
Date: 05/27/04
- Next message: Eugene Mayevski: "The standard that defines certificate renewal"
- Previous message: Rhett Gong [MSFT]: "Re: Secure dynamic updates on Windows 2003 DNS Server"
- In reply to: Alon Bar-Lev: "Re: How to renew a certificate programmicaly"
- Next in thread: Alon Bar-Lev: "Re: How to renew a certificate programmicaly"
- Reply: Alon Bar-Lev: "Re: How to renew a certificate programmicaly"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 May 2004 23:29:13 -0700
The likely reason is that the signing cert's (the old cert's) Subject Alt
Name 2 extension must contain a UPN entry, the impersonated caller context
must map to a valid user object in the DS that also contains a UPN, and the
two UPNs must match.
Since this is referencing an offline template, the DS is not even queried
for the caller's UPN, so the renewal UPN matching requirements cannot be
met.
Thanks,
Vishal Agarwal [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights

"Alon Bar-Lev" <alon@xor-t.com> wrote in message news:enBjov1QEHA.396@TK2MSFTNGP12.phx.gbl...
>
> Thank you Vishal,
>
> Yes I think the request is correctly signed, since it is working if I remove
> the application policy restriction. Please notice that the application
> policy restriction is "Enrollment Agent" and that the "old certificate" does
> not have this application policy.
>
> I cannot see this template in the MMC snapin, I guess it is because it has
> "X number of authorized signatures" and "Subject details supply in request".
>
> Attached is a sample of pkcs#7 that I am generating...
> (I am selecting the template name at enrollment form, I also put it in the
> request, but it seems to have no effect).
>
> I will be glad to know what I am doing wrong!
>
> Best Regards,
> Alon Bar-Lev
>
>
> "Vishal Agarwal[MSFT]" <vishala@online.microsoft.com> wrote in message
> news:e7rFNV0QEHA.1392@TK2MSFTNGP09.phx.gbl...
> > This should have worked unless wrong certificate was used in the
> > renewalCertificate. Are you sure that the request is created correctly?
> >
> > If you have the certificate installed in the user store, you can open
> > certificate snapin and then right click on the certificate and choose
> > "renew with same key", if that succeeds then likely the request you are
> > creating is wrong.
> >
> > Thanks,
> > Vishal Agarwal [MSFT]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights
> >
> > "Alon Bar-Lev" <alon@xor-t.com> wrote in message
> > news:upoj5R0PEHA.556@TK2MSFTNGP10.phx.gbl...
> > > Thank you Vishal,
> > >
> > > The problem was that the certificate context of the RenewalCertificate
> > > property should have a private key, and that the format of the
> > > createRequest should be PKCS#7. (My mistake was that I thought the
> > > interface is able to generate the PKCS#10 request with the proper
> > > attributes...)
> > >
> > > Now, after I succeed in creating a renew request, I have a new problem
> > > with the templates...
> > > I want to define a template when the first certificate is issued by an
> > > RAO and the renewal is based on the user certificate.
> > > I defined a template with these Issuance Requirements:
> > > - This number of authorized signatures: 1
> > > - Policy type: Application Policy
> > > - Application Policy: Certificate Request Agent
> > > - Require the following for reenrollment: Valid Existing Certificate.
> > > My template also has Subject Name: Supply in the request.
> > >
> > > As I understand this template requires a "Certificate Request Agent"
> > > signature for the first issuance, but the user can renew his certificate
> > > anytime with the signature of his current certificate.
> > >
> > > The error message I get:
> > > Your Request Id is 74. The disposition message is "Denied by Policy Module
> > > 0x8009480b, The Test-Authentication-Renew-Exportable Certificate Template
> > > requires 1 signatures, but only 0 were accepted.
> > >
> > > I've also tried to set my CA system time to a date that is within the
> > > renewal period... but it still does not work.
> > >
> > > If I remove the "This number of authorized signatures: 1" from the
> > > template, the renew works correctly!
> > >
> > > Any Idea?
> > > Best Regards,
> > > Alon Bar-Lev
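The reply above says a renewal is accepted only if the old certificate's Subject Alt Name carries a UPN otherName that matches the caller's UPN. The following is an added example, not code from this thread or from Microsoft: a small pure-Python DER reader that pulls every UPN (otherName type-id 1.3.6.1.4.1.311.20.2.3, szOID_NT_PRINCIPAL_NAME) out of a SAN extension value and compares it to the caller's UPN, which is the check a renewal policy would apply before the DS lookup. The SAN values are constructed here, the helper names are made up for this example, and case-insensitive UPN comparison is an assumption; the real policy module additionally resolves the caller to a user object in the DS, which this example does not model.

```python
"""Check whether an old certificate's SAN carries a UPN matching the renewing
caller (the renewal precondition described in the reply above).
Minimal DER handling only; sample SAN values below are constructed, not real."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME: UPN otherName type-id

# --- minimal DER encoders, used only to build the constructed samples ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def upn_other_name(upn):
    # otherName ::= [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
    value = der(0xA0, der(0x0C, upn.encode("utf-8")))
    return der(0xA0, encode_oid(UPN_OID) + value)

def san_extension(*general_names):
    # SubjectAltName ::= SEQUENCE OF GeneralName
    return der(0x30, b"".join(general_names))

# --- minimal DER decoders ---
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    parts = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def upns_in_san(san_der):
    """Return every UPN found in a SAN extension value (other GeneralNames are skipped)."""
    tag, seq, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE of GeneralName")
    found, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0xA0:                      # only otherName [0] can carry a UPN
            continue
        oid_tag, oid_body, p = read_tlv(body, 0)
        if oid_tag != 0x06 or decode_oid(oid_body) != UPN_OID:
            continue                         # some other otherName type
        _, explicit, _ = read_tlv(body, p)   # unwrap the [0] EXPLICIT value
        str_tag, str_body, _ = read_tlv(explicit, 0)
        if str_tag == 0x0C:
            found.append(str_body.decode("utf-8"))
    return found

def renewal_upn_matches(old_cert_san_der, caller_upn):
    """True only if the old cert has a UPN equal to the caller's (case-insensitive: assumption)."""
    return any(u.lower() == caller_upn.lower() for u in upns_in_san(old_cert_san_der))

# Constructed samples: one SAN with a UPN plus an rfc822Name, one with only an rfc822Name.
SAN_WITH_UPN = san_extension(upn_other_name("alon@example.test"),
                             der(0x81, b"alon@example.test"))
SAN_NO_UPN = san_extension(der(0x81, b"alon@example.test"))

if __name__ == "__main__":
    print("UPNs:", upns_in_san(SAN_WITH_UPN))
    print("renew ok:", renewal_upn_matches(SAN_WITH_UPN, "ALON@example.test"))
    print("renew ok without UPN:", renewal_upn_matches(SAN_NO_UPN, "alon@example.test"))
```

A certificate whose SAN contains only an rfc822Name or dNSName yields no UPN, so the renewal check fails even when the request itself is well formed; that is the same shape of failure the reply attributes to an offline template, where the DS side of the match is never consulted.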