Re: 2K3 Cert Svcs gives invalid policy error on OpenSSL gen'd cert req



Hi, I suppose that this is your problem:

According to certutil -dump request.txt, this is what shows up:

<snip>
Certificate Extensions: 2
2.5.29.37: Flags = 0, Length = 3c
Enhanced Key Usage
Unknown Extension type

0000 54 4c 53 20 57 65 62 20 53 65 72 76 65 72 20 41 TLS Web Server A
0010 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 2c 20 54 uthentication, T
0020 4c 53 20 57 65 62 20 43 6c 69 65 6e 74 20 41 75 LS Web Client Au
0030 74 68 65 6e 74 69 63 61 74 69 6f 6e thentication

2.5.29.15: Flags = 0, Length = 34
Key Usage
Unknown Extension type

0000 44 69 67 69 74 61 6c 20 53 69 67 6e 61 74 75 72 Digital Signatur
0010 65 2c 20 4e 6f 6e 20 52 65 70 75 64 69 61 74 69 e, Non Repudiati
0020 6f 6e 2c 20 4b 65 79 20 45 6e 63 69 70 68 65 72 on, Key Encipher
0030 6d 65 6e 74 ment
<snip>

The trouble is "Unknown Extension Type".

The Enhanced Key Usage should be a sequence of OIDs rather than a string.

Key Usage is specified as a bit string. Each bit represents a different key usage.

keyUsage EXTENSION ::= {
SYNTAX KeyUsage
IDENTIFIED BY id-ce-keyUsage }
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1),
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }

For example, if you want the key usages digital signature, non-repudiation and key encipherment, you need to set the digitalSignature bit (0) to 1, the nonRepudiation bit (1) to 1 and the keyEncipherment bit (2) to 1.

I'm not very familiar with OpenSSL, but I suppose you're mixing "req_extensions" with "attributes". Here is what worked for me.

To generate an OpenSSL request I used:

openssl req -new -config file.cfg -out request.txt

And file.cfg is here:

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
output_password = 1234

[ req_distinguished_name ]
C = GB
ST = Test State or Province
L = Test Locality
O = Organization Name
OU = Organizational Unit Name
CN = Common Name
emailAddress = test@xxxxxxxxxxxxx

[ req_ext ]
keyUsage=digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage=serverAuth, clientAuth

Another alternative for generating a request from the command line is the certreq utility. You can find more information about requesting with certreq here: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

HTH

Regards

Martin

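The encoding rules Martin describes (KeyUsage as a BIT STRING, Enhanced Key Usage as a SEQUENCE OF OID), as an added Python example that is not code from the thread: stdlib-only DER encoders for both values, plus a tag check that flags the plain-text payload seen in the certutil dump. The bit positions and the serverAuth/clientAuth OIDs are the standard ones; the sample values are constructed here.

```python
# Added example (not from the thread): stdlib-only DER encoding of the two
# extension values discussed above, plus a tag check for the mistake in the dump.
KEY_USAGE_BITS = {  # bit positions from the KeyUsage BIT STRING definition
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
EKU_OIDS = {"serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2"}
# ASCII payload transcribed from the certutil hex dump above (the broken case).
BAD_EKU_VALUE = b"TLS Web Server Authentication, TLS Web Client Authentication"

def der_tlv(tag: int, value: bytes) -> bytes:
    """Tag, short-form length, value (enough for extension-sized payloads)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))

def encode_key_usage(names) -> bytes:
    """KeyUsage ::= BIT STRING (tag 0x03). Bit 0 is the MSB of the first
    content byte; DER drops trailing zero bits and counts them as unused."""
    highest = max(KEY_USAGE_BITS[n] for n in names)
    bits = bytearray(highest // 8 + 1)
    for n in names:
        bits[KEY_USAGE_BITS[n] // 8] |= 0x80 >> (KEY_USAGE_BITS[n] % 8)
    return der_tlv(0x03, bytes([7 - highest % 8]) + bytes(bits))

def encode_ext_key_usage(names) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER (tag 0x30)."""
    return der_tlv(0x30, b"".join(encode_oid(EKU_OIDS[n]) for n in names))

def diagnose(extn_value: bytes, expected_tag: int) -> str:
    """'ok' if the outer DER tag matches; printable text where a structure
    belongs is the symptom certutil reports as 'Unknown Extension type'."""
    if extn_value[:1] == bytes([expected_tag]):
        return "ok"
    if all(32 <= b < 127 for b in extn_value):
        return "text-not-der"
    return f"wrong-tag-0x{extn_value[0]:02x}"
```

The CSR's extnValue wraps each of these encodings in an OCTET STRING; what certutil dumped was that OCTET STRING's content, so the checks apply to those inner bytes.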

matt.kerr@xxxxxxxxx wrote:
> On Jun 5, 2:18 am, Martin Rublik <martin.rub...@xxxxxxxxxx> wrote:
>> Hi,
>>
>> what kind of CA are you using? Is it standalone CA or enterprise CA?
>> Could you please post a test PKCS#10 base 64 encoded request that is
>> failing?
>>
>> Regards
>>
>> Martin
>
> I'm using a stand-alone CA. Here is an example request made in
> OpenSSL. I'm thinking it may have to do with ASN.1 formatting and the
> use of the OpenSSL API. Our situation demands we can't use the
> command line utility in OpenSSL to make the requests, so I'm looking
> at the following page: http://msdn2.microsoft.com/en-US/library/aa379076.aspx
>
> and using Peter Gutmann's dumpasn1 utility to view the binary
> requests:
> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg
>