Re: How to renew a certificate programmatically

From: Alon Bar-Lev (alon_at_xor-t.com)
Date: 06/02/04


Date: Wed, 2 Jun 2004 10:55:51 +0200

Thank you Vishal,

Again, I don't understand what the UPN has to do with the renewal process...

1. The certificate renewal process is a process in which you prove you have
the current certificate by signing the renewal request using the current
certificate's private key.

    As I understand it, the process should be as follows:
    i) The CA gets a PKCS#7 signed data.
    ii) The CA verifies the signature.
    iii) The CA follows the old certificate extension and gets the old
certificate.
    iv) The CA checks that the old certificate is a signer of the PKCS#7
signed data.
    v) The CA checks that the old certificate was issued by it.
    vi) The CA determines the target template by looking at the old
certificate, and checks that this template allows renewal.
    vii) The CA copies all attributes and extensions from the old certificate
to the new certificate.
    viii) The CA overrides extensions if required by the template.

    This process should not validate any extension/attribute except the
template and old certificate.

2. Most certificates do not require a UPN extension.
    For example: Email signing, Web Server, Email encryption, IPSec, Web
client authentication, computer certificate, DC certificate do not have a UPN
extension.
    Should I understand that these certificates cannot be renewed?

3. There are certificates that do not represent a user... so there is no
active directory object for them... and even if there is an object... it
does not have a UPN attribute.
    Again, these certificates cannot be renewed.

I need to implement the following scenario:
1. A user arrives at an enrollment officer, who has a smartcard with
"Certificate Enrollment Agent".
2. The enrollment officer requests a web server certificate based on PKCS#10.
3. The template of the web server certificate has the following attributes:
    a. Subject - supply in request.
    b. Issuance Requirement - Application Policy - Certificate Enrollment
Agent.
    c. Reenrollment requirement - valid existing certificate.
    d. Security - Everyone - Enroll.
4. ONLY the enrollment officer can enroll that template. I cannot allow a user
to issue a certificate without the officer.
5. The certificate does NOT have a UPN extension, since the web server is
not in active directory.
6. The user gets his certificate.
7. After a year or so... the user creates a renewal request... using the same
template and his valid existing certificate.
8. The CA should allow this to happen, since the user has proved that he
owns the private key of the current certificate!

How can I make it work?
Can I disable this UPN check?

Best Regards,
Alon Bar-Lev

"Vishal Agarwal[MSFT]" <vishala@online.microsoft.com> wrote in message
news:OX1Qz1$REHA.3420@TK2MSFTNGP11.phx.gbl...
> To renew a certificate via an Enterprise CA, and to use the template
> feature that specifically allows the same user to renew a certificate if
> and only if that user holds an existing valid certificate for the same
> template, requires identity enforcement. This is done by making sure the
> templates in the old certificate and new request are the same, and by
> enforcing that the subject UPN matches the old certificate UPN.
>
> If you don't want to enforce the identity match for renewal requests, then
> you are free to configure the template to eliminate the RA signature
> requirement for initial enrollment.
>
> Thanks,
> Vishal Agarwal [MSFT]
>
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
> "Alon Bar-Lev" <alon@xor-t.com> wrote in message
> news:uebxTa9QEHA.568@TK2MSFTNGP12.phx.gbl...
> > Thank you Vishal,
> >
> > But I don't understand what the UPN has to do with the renewal process.
> > PKI processes should be separated from the Active Directory stuff.
> >
> > Should I understand that Microsoft Enterprise CA does not support
> > renewing certificates that do not have a UPN extension? I find it hard to
> > believe.
> >
> > Can you please refer me to a document that specifies the renewal process?
> >
> > Best Regards,
> > Alon Bar-Lev.
> >
> >
> >
> > "Vishal Agarwal[MSFT]" <vishala@online.microsoft.com> wrote in message
> > news:OEbP0P7QEHA.3612@TK2MSFTNGP10.phx.gbl...
> > > The likely reason is that the signing cert's (the old cert's) Subject
> > > Alt Name 2 extension must contain a UPN entry, the impersonated caller
> > > context must map to a valid user object in the DS that also contains a
> > > UPN, and the two UPNs must match.
> > >
> > > Since this is referencing an offline template, the DS is not even
> > > queried for the caller's UPN, so the renewal UPN matching requirements
> > > cannot be met.
> > >
> > >
> > >
> > > Thanks,
> > > Vishal Agarwal [MSFT]
> > >
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights
> > > "Alon Bar-Lev" <alon@xor-t.com> wrote in message
> > > news:enBjov1QEHA.396@TK2MSFTNGP12.phx.gbl...
> > > >
> > > > Thank you Vishal,
> > > >
> > > > Yes I think the request is correctly signed, since it is working if I
> > > > remove the application policy restriction. Please notice that the
> > > > application policy restriction is "Enrollment Agent" and that the "old
> > > > certificate" does not have this application policy.
> > > >
> > > > I cannot see this template in the MMC snapin, I guess it is because it
> > > > has "X number of authorized signatures" and "Subject details supply in
> > > > request".
> > > >
> > > > Attached is a sample of pkcs#7 that I am generating...
> > > > (I am selecting the template name at the enrollment form, I also put it
> > > > in the request, but it seems to have no effect).
> > > >
> > > > I will be glad to know what I am doing wrong!
> > > >
> > > > Best Regards,
> > > > Alon Bar-Lev
> > > >
> > > >
> > > >
> > > > "Vishal Agarwal[MSFT]" <vishala@online.microsoft.com> wrote in
> > > > message news:e7rFNV0QEHA.1392@TK2MSFTNGP09.phx.gbl...
> > > > > This should have worked unless the wrong certificate was used in the
> > > > > renewalCertificate. Are you sure that the request is created
> > > > > correctly?
> > > > >
> > > > > If you have the certificate installed in the user store, you can
> > > > > open the certificate snapin and then right click on the certificate
> > > > > and choose "renew with same key"; if that succeeds then likely the
> > > > > request you are creating is wrong.
> > > > >
> > > > > Thanks,
> > > > > Vishal Agarwal [MSFT]
> > > > >
> > > > > --
> > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > > rights
> > > > > "Alon Bar-Lev" <alon@xor-t.com> wrote in message
> > > > > news:upoj5R0PEHA.556@TK2MSFTNGP10.phx.gbl...
> > > > > > Thank you Vishal,
> > > > > >
> > > > > > The problem was that the certificate context of the
> > > > > > RenewalCertificate property should have a private key, and that the
> > > > > > format of the createRequest should be PKCS#7. (My mistake was that
> > > > > > I thought the interface is able to generate the PKCS#10 request
> > > > > > with the proper attributes...)
> > > > > >
> > > > > > Now, after I succeeded in creating a renewal request, I have a new
> > > > > > problem with the templates...
> > > > > > I want to define a template where the first certificate is issued
> > > > > > by an RAO and the renewal is based on the user certificate.
> > > > > > I defined a template with these Issuance Requirements:
> > > > > > - This number of authorized signatures: 1
> > > > > > - Policy type: Application Policy
> > > > > > - Application Policy: Certificate Request Agent
> > > > > > - Require the following for reenrollment: Valid Existing
> > > > > >   Certificate.
> > > > > > My template also has Subject Name: Supply in the request.
> > > > > >
> > > > > > As I understand, this template requires a "Certificate Request
> > > > > > Agent" signature for the first issuance, but the user can renew his
> > > > > > certificate anytime with the signature of his current certificate.
> > > > > >
> > > > > > The error message I get:
> > > > > > Your Request Id is 74. The disposition message is "Denied by Policy
> > > > > > Module 0x8009480b, The Test-Authentication-Renew-Exportable
> > > > > > Certificate Template requires 1 signatures, but only 0 were
> > > > > > accepted.
> > > > > >
> > > > > > I've also tried to set my CA system time to a date that is within
> > > > > > the renewal period... but it still does not work.
> > > > > >
> > > > > > If I remove the "This number of authorized signatures: 1" from the
> > > > > > template, the renewal works correctly!
> > > > > >
> > > > > > Any idea?
> > > > > > Best Regards,
> > > > > > Alon Bar-Lev
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
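As an added example (not code from this thread, and not Microsoft's policy module), the following Python models the Enterprise CA renewal decision the way Vishal describes it, and replays the cases discussed above: an offline template with a required Enrollment Agent signature, the same template with the signature requirement removed, and a user certificate whose SAN UPN does or does not match the caller's DS UPN. The class and field names, the CA name and the UPNs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
ENROLLMENT_AGENT = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent application policy OID

@dataclass
class Certificate:                      # constructed model of a certificate, not a real X.509 parser
    issuer: str
    template: str
    app_policies: frozenset = frozenset()
    upn: Optional[str] = None           # UPN from the Subject Alt Name, if present
    valid: bool = True

@dataclass
class Template:                         # the template settings named in the thread
    name: str
    authorized_signatures: int = 0      # "This number of authorized signatures"
    required_app_policy: Optional[str] = None
    reenroll_valid_cert: bool = False   # "Require the following for reenrollment: Valid Existing Certificate"
    offline: bool = False               # "Subject Name: Supply in the request"

def evaluate(old, signers, caller_upn, tmpl, ca):
    """(accepted, disposition) for a renewal request signed by `signers` that names `old`."""
    # Identity-enforced renewal: same template, valid old cert from this CA among the
    # signers, and its SAN UPN equal to the caller's UPN looked up in the DS.  An
    # offline template never queries the DS, so that comparison cannot succeed for it.
    ds_upn = None if tmpl.offline else caller_upn
    if (tmpl.reenroll_valid_cert and old.template == tmpl.name and old.issuer == ca
            and old.valid and old in signers and old.upn is not None and old.upn == ds_upn):
        return True, "renewed using existing certificate"
    # Otherwise the ordinary issuance requirements apply: count the signers that
    # carry the required application policy (the old certificate usually does not).
    accepted = sum(1 for s in signers
                   if not tmpl.required_app_policy or tmpl.required_app_policy in s.app_policies)
    if accepted < tmpl.authorized_signatures:
        return False, f"requires {tmpl.authorized_signatures} signatures, but only {accepted} were accepted"
    return True, "issued"

def thread_scenarios(ca="TestCA"):
    """The thread's cases on constructed sample certificates."""
    web = Template("WebServer", 1, ENROLLMENT_AGENT, True, offline=True)
    old_web = Certificate(ca, "WebServer")                  # no UPN, no RA policy
    user = Template("User", 1, ENROLLMENT_AGENT, True)
    old_user = Certificate(ca, "User", upn="alice@example.test")
    return {
        "offline_template": evaluate(old_web, (old_web,), None, web, ca),
        "no_signature_requirement": evaluate(old_web, (old_web,), None,
                                             Template("WebServer", 0, None, True, True), ca),
        "upn_match": evaluate(old_user, (old_user,), "alice@example.test", user, ca),
        "upn_mismatch": evaluate(old_user, (old_user,), "bob@example.test", user, ca),
    }
```

The first case reproduces the "requires 1 signatures, but only 0 were accepted" disposition from the thread, because the identity path needs a UPN the offline template can never supply and the old certificate carries no Enrollment Agent policy to count as a signature.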


