Re: 2K3 Cert Svcs gives invalid policy error on OpenSSL gen'd cert req



Hi,

what kind of CA are you using? Is it standalone CA or enterprise CA?
Could you please post a test PKCS#10 base 64 encoded request that is failing?

Regards

Martin



matt.kerr@xxxxxxxxx wrote:
Hello Microsoft security gurus,

I'm currently trying to test a PKI architecture system where I have an
OpenSSL-based UNIX SSL client and server and a Windows Server 2003
Standard Edition with Certificate Services for the CA. If I generate
a PKCS #10 PEM and use the COM Interop in C# to submit and retrieve
the requested certificate programmatically, I can only get the error:

"The certificate has invalid policy. 0x800b0113"
"Error Constructing or Publishing Certificate Resubmitted by <DOMAIN/
USER>"

Where <DOMAIN/USER> is a local Administrator for the CA box logged in
locally and using the C# program to submit the request file off a USB
drive to the Certificate Services, then retrieve the issued
certificate into a file on the USB drive.

If I generate PKCS#10 request files using the COM Interop with XEnroll
then I can get the certificates to issue properly, but never with the
OpenSSL generated ones.

The OpenSSL generated ones look like, using the command:

openssl req -noout -text -inform pem -in <file>.p10

Data:
    Version: 0 (0x0)
    Subject: CN=<Fully qualified hostname>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
            Modulus (1024 bit):
                <snip>
            Exponent: 17
    Attributes:
    Requested Extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment

Signature Algorithm: sha1WithRSAEncryption
    <snip>

The snipped bits are the hex outputs of the binary portions.

I've tried several different things such as changing the Subject to
use just the hostname, adding/removing "critical" from the extended
and regular key usage flags, adding/removing a CA=FALSE flag, removing
all regular key usage flags and just have the extended flags, etc.
Nothing seemed to make any difference, although once I had a different
error relating to an ASN1 tag value being invalid.
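As an added illustration (not code from Martin or the original poster) of what the CA actually receives in a request like the one above, the following pure-Python script builds a minimal PKCS#10 request in DER with the same shape as the openssl output (version 0, a CN-only subject, an RSA key with public exponent 17, and Key Usage plus Extended Key Usage carried in the PKCS#9 extensionRequest attribute) and then parses it back, reporting the fields a CA inspects before its policy module decides. The host name, the modulus value and the signature bytes are constructed placeholders; the signature is not a real RSA signature, since the point is the structure, not validity. Parsing your own .p10 this way (read the DER bytes from the file instead of calling build_request) is a quick check of the exponent, the exact extension OIDs and whether any extension is flagged critical before submitting it.

```python
# Added example: encode a minimal PKCS#10 request (RFC 2986) and decode it
# to list what a CA sees. Standard library only; no real key or signature.

OID_CN = "2.5.4.3"
OID_RSA = "1.2.840.113549.1.1.1"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_EXT_REQ = "1.2.840.113549.1.9.14"      # PKCS#9 extensionRequest attribute
OID_KU = "2.5.29.15"
OID_EKU = "2.5.29.37"
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

# --- minimal DER encoder -------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # one spare byte keeps the sign bit clear when the top bit of v is set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(enc)
    return tlv(0x06, bytes(body))

def seq(*items): return tlv(0x30, b"".join(items))
def setof(*items): return tlv(0x31, b"".join(items))

def build_request(cn, modulus, exponent):
    """CertificationRequest with KU + EKU in extensionRequest, placeholder signature."""
    subject = seq(setof(seq(der_oid(OID_CN), tlv(0x0C, cn.encode()))))
    spki = seq(seq(der_oid(OID_RSA), b"\x05\x00"),
               tlv(0x03, b"\x00" + seq(der_int(modulus), der_int(exponent))))
    # KU bit string: 5 unused bits, bits 0,1,2 set -> digitalSignature,
    # nonRepudiation, keyEncipherment (not marked critical, as in the thread)
    ku = seq(der_oid(OID_KU), tlv(0x04, tlv(0x03, b"\x05\xe0")))
    eku = seq(der_oid(OID_EKU), tlv(0x04, seq(*(der_oid(o) for o in EKU_NAMES))))
    attrs = tlv(0xA0, seq(der_oid(OID_EXT_REQ), setof(seq(ku, eku))))
    cri = seq(der_int(0), subject, spki, attrs)          # version 0 = PKCS#10 v1
    sig_alg = seq(der_oid(OID_SHA1_RSA), b"\x05\x00")
    signature = tlv(0x03, b"\x00" * 17)                  # constructed placeholder
    return seq(cri, sig_alg, signature)

# --- minimal DER decoder -------------------------------------------------
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def first_body(body):
    return children(body)[0][1]

def oid_str(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val); val = 0
    return ".".join(map(str, parts))

def describe_request(der):
    """Return version, subject CN, key size, exponent and requested extensions."""
    (_, cri), (_, _alg), _ = children(first_body(der))
    (_, ver), (_, subj), (_, spki), (_, attrs) = children(cri)
    atv = children(first_body(first_body(subj)))          # Name -> RDN -> AttributeTypeAndValue
    cn = atv[1][1].decode() if oid_str(atv[0][1]) == OID_CN else None
    rsa = children(first_body(children(spki)[1][1][1:]))  # skip BIT STRING unused-bits byte
    modulus, exponent = (int.from_bytes(v, "big") for _, v in rsa)
    exts = []
    for _, attr in children(attrs):
        oid, values = children(attr)
        if oid_str(oid[1]) != OID_EXT_REQ:
            continue
        for _, ext in children(first_body(values[1])):     # SET -> Extensions SEQUENCE
            fields = children(ext)
            eoid = oid_str(fields[0][1])
            critical = any(t == 0x01 and v != b"\x00" for t, v in fields[1:-1])
            raw = first_body(fields[-1][1])                 # inner type inside OCTET STRING
            if eoid == OID_KU:
                bits = raw[1:]
                detail = [n for i, n in enumerate(KU_BITS) if bits[i // 8] >> (7 - i % 8) & 1]
            elif eoid == OID_EKU:
                detail = [EKU_NAMES.get(oid_str(v), oid_str(v)) for _, v in children(raw)]
            else:
                detail = raw.hex()
            exts.append((eoid, critical, detail))
    return {"version": int.from_bytes(ver, "big"), "subject_cn": cn,
            "rsa_bits": modulus.bit_length(), "exponent": exponent, "extensions": exts}

# constructed sample: hypothetical host, fake 1024-bit modulus, exponent 17 as in the thread
SAMPLE_REQ = build_request("host.example.com", (1 << 1023) | 12345, 17)

if __name__ == "__main__":
    import pprint
    pprint.pprint(describe_request(SAMPLE_REQ))
```

The decoder deliberately does not verify the signature: a CA checks it, but the policy-related fields above are evaluated from the CertificationRequestInfo, so this is enough to compare what OpenSSL emits against what the XEnroll-generated requests that do succeed contain.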



