Re: CERTREQ for smart card not working
From: Steve Patrick (nospam_at_nospam)
Date: 02/12/05
- Previous message: Raghu Malpani: "RE: How to enumerator local user accounts?"
- In reply to: Benjy: "CERTREQ for smart card not working"
Date: Fri, 11 Feb 2005 20:25:37 -0800
Here is how one would do this - or at least how I would do it ;oP
1. By default, a Windows 2003 Server CA does not permit subject
alternative names that are specified in a certificate request to be accepted
and inserted in the issued certificate. This applies for both stand-alone
and enterprise CAs. So do this from a command line:
CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Then cycle the certificate services.
2. Create an INF file which looks like this:
[Version]
Signature= "$Windows NT$"
[NewRequest]
KeySpec = 1
KeyUsage = 0x30
Providertype = 1
RequesterName = Crisco0\Administrator
RequestType = CMC
ProviderName = "Gemplus GemSAFE Card CSP"
Subject = "CN=sctest,ou=SAFER,DC=crisco,DC=com"
KeyContainer = "SCTEST"
KeyLength = 512
[RequestAttributes]
CertificateTemplate = SpatsSmartCard
Where:
CertificateTemplate == name of custom V2 template
ProviderName == CSP needed
RequesterName == name of the enrollment agent who is logged in and has an enrollment cert.
See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx for more info on the syntax.
3. Modify the V2 template in the Subject Name tab - so we can provide the
Subject in the request.
4. Publish the template to your Enterprise CA
5. From your enrollment station do the following:
C:\certutil>certreq -new inf.txt inf.req
(PROMPTED FOR PIN - ENTER PIN)
C:\certutil>certreq -sign inf.req inf_signed.req
(PROMPTED FOR PROPER ENROLLMENT AGENT CERT IN MY STORE)
C:\certutil>certreq -attrib "SAN:upn=sctest@crisco.com" -submit inf_signed.req inf_cert.cer
RequestId: 57
Certificate retrieved(Issued) Issued
C:\certutil>certreq -accept inf_cert.cer
(PROMPTED FOR PIN - ENTER PIN)
Now logon with the smartcard and you should logon as the user specified in
the UPN you provided.
Steve
"Benjy" <benjy@xpert.com> wrote in message
news:%234K6ew2DFHA.3376@TK2MSFTNGP12.phx.gbl...
> Hi,
> I am trying to issue a smart card certificate (Ver 2 template
> on Win2003) on behalf of another user using certreq and an
> .inf file. The command is being run on an RA, i.e. a machine that
> has an enrollment agent certificate installed. Firstly, should
> this work?
> I am getting this error. Below is the inf file used.
> Thanks!
>
> C:\>certreq test.inf
> certreq.exe: 5.2.3790.0 retail (srv03_rtm.030324-2048)
> 1401.1715.0: 0x8009310b (ASN: 267)
> 1401.2150.0: 0x8009310b (ASN: 267)
> 1401.2647.0: 0x8009310b (ASN: 267)
> 1401.6903.0: 0x8009310b (ASN: 267)
> 1401.7080.0: 0x8009310b (ASN: 267)
> Certificate Request Processor: ASN1 bad tag value met.
> 0x8009310b (ASN:
>
> [NewRequest]
> Subject ="CN=user,CN=Users,DC=domain,DC=lab"
> KeySpec = 2
> KeyLength = 1024
> Exportable = FALSE
> UserProtected = FALSE
> MachineKeySet = FALSE
> SMIME = FALSE
> PrivateKeyArchive = FALSE
> UseExistingKeySet = FALSE
> ProviderName = "ActivCard Gold Cryptographic Service Provider"
> ProviderType = 1
> RequesterName = Domain\Administrator
> RequestType = CMC
> KeyUsage = 0xa0
>
> [RequestAttributes]
> CertificateTemplate = SMartCard User
>
>
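An added example, not code from Steve's post or from certutil/certreq itself: a small Python module for the two parts of the procedure above that are worth automating on the defender's side. It parses the output of `certutil -getreg policy\EditFlags`, decodes the DWORD, and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set (with that bit set the CA inserts any subjectAltName a submitter attaches, which is exactly what makes the `-attrib "SAN:upn=..."` step work, so the bit is worth auditing across all CAs and clearing once the on-behalf-of enrollment is finished), and it renders the step-2 INF from parameters so the key names and quoting stay consistent. The certutil output sample, the CA name and all values are constructed; the function names are my own, and the bit values come from certsrv.h.

```python
import re

# Bits of the default policy module's EditFlags DWORD (values from certsrv.h).
# Only the bits needed here are named; any other set bit is reported as hex.
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # CA honours request-supplied SANs
EDITF_BITS = {
    0x00000002: "EDITF_REQUESTEXTENSIONLIST",
    0x00000004: "EDITF_DISABLEEXTENSIONLIST",
    0x00000008: "EDITF_ADDOLDKEYUSAGE",
    0x00000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x00000100: "EDITF_ENABLEAKIKEYID",
    0x00010000: "EDITF_ENABLEDEFAULTSMIME",
    EDITF_ATTRIBUTESUBJECTALTNAME2: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x00100000: "EDITF_ENABLECHASECLIENTDC",
}

# Constructed sample of `certutil -getreg policy\EditFlags` output; the CA
# name and the flag value are invented to exercise the parser.
SAMPLE_GETREG = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\crisco-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

_EDITFLAGS_RE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)")


def parse_editflags(getreg_output):
    """Return the EditFlags DWORD (certutil prints it in hex) from -getreg output."""
    match = _EDITFLAGS_RE.search(getreg_output)
    if match is None:
        raise ValueError("no 'EditFlags REG_DWORD = <hex>' line found")
    return int(match.group(1), 16)


def decode_editflags(value):
    """Names of the set bits, lowest first; bits not in EDITF_BITS come back as hex."""
    names = []
    bit = 1
    while bit <= value:
        if value & bit:
            names.append(EDITF_BITS.get(bit, "0x%x" % bit))
        bit <<= 1
    return names


def request_san_accepted(value):
    """True when the CA will copy a submitter-supplied SAN into the issued cert."""
    return bool(value & EDITF_ATTRIBUTESUBJECTALTNAME2)


def editflags_without_request_san(value):
    """Absolute value the CA should carry once the enrollment is done; it is
    what `certutil -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2` leaves."""
    return value & ~EDITF_ATTRIBUTESUBJECTALTNAME2


def build_smartcard_request_inf(subject, template, provider_name,
                                requester_name, key_container, key_length=2048):
    """Render the step-2 INF. KeySpec, KeyUsage and RequestType follow the
    post; KeyLength defaults to 2048 instead of the 512 used there."""
    if not subject.upper().startswith("CN="):
        raise ValueError("Subject must be an X.500 DN beginning with CN=")
    lines = [
        "[Version]",
        'Signature= "$Windows NT$"',
        "",
        "[NewRequest]",
        "KeySpec = 1",
        "KeyUsage = 0x30",
        "ProviderType = 1",
        "RequesterName = %s" % requester_name,
        "RequestType = CMC",
        'ProviderName = "%s"' % provider_name,
        'Subject = "%s"' % subject,
        'KeyContainer = "%s"' % key_container,
        "KeyLength = %d" % key_length,
        "",
        "[RequestAttributes]",
        "CertificateTemplate = %s" % template,
    ]
    return "\r\n".join(lines) + "\r\n"   # INF files are read with Windows line endings


if __name__ == "__main__":
    flags = parse_editflags(SAMPLE_GETREG)
    print("EditFlags = 0x%x -> %s" % (flags, ", ".join(decode_editflags(flags))))
    print("request-supplied SANs accepted:", request_san_accepted(flags))
    print("value with the bit cleared: 0x%x" % editflags_without_request_san(flags))
    print(build_smartcard_request_inf("CN=sctest,ou=SAFER,DC=crisco,DC=com",
                                      "SpatsSmartCard", "Gemplus GemSAFE Card CSP",
                                      "Crisco0\\Administrator", "SCTEST"))
```

On a real CA, pipe `certutil -getreg policy\EditFlags` into `parse_editflags`; the decoded name list makes the audit result readable in a ticket, and `editflags_without_request_san` gives the value to compare against after the bit has been cleared and certsvc cycled.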