Re: 2K3 Cert Svcs gives invalid policy error on OpenSSL gen'd cert req



On Jun 6, 1:01 am, Martin Rublik <martin.rub...@xxxxxxxxxx> wrote:
Hi, I suppose that this is your problem:

according to certutil -dump request.txt this is what shows up

<snip>

The trouble is "Unknown Extension Type".

The Enhanced Key Usage should be a sequence of OIDs rather than a string.

Key Usage is specified as a bit string. Each bit represents a different key usage.

Yes, you are absolutely correct. I realized that we were building the
certificate request in OpenSSL incorrectly, and it was causing the
output to be incorrect. By referencing the Apple Darwin OpenSSL
documentation and the O'Reilly book "Network Security with
OpenSSL" (chapter 3 and 10) we got all the flag names we needed and
built the extensions properly on the request.
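
What "a sequence of OIDs" and "a bit string" mean at the DER level, as an added example that is not part of the original thread: it encodes both extension values and checks whether a value has the SEQUENCE-of-OID shape. The OIDs and key usage bit names are the standard RFC 5280 ones; the function names are hypothetical and the check handles short-form lengths only.

```python
# Added example, not from the thread. OIDs and bit names follow RFC 5280;
# all function names are hypothetical.
SERVER_AUTH, CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]

def tlv(tag, content):  # DER tag-length-value, short or long form length
    n = len(content)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # last base-128 digit, high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))    # earlier digits carry the high bit
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER"""
    return tlv(0x30, b"".join(encode_oid(o) for o in oids))

def encode_key_usage(names):
    """KeyUsage ::= BIT STRING; bit 0 is the most significant bit of byte 0."""
    positions = [KU_BITS.index(n) for n in names]
    top = max(positions)
    buf = bytearray(top // 8 + 1)
    for p in positions:
        buf[p // 8] |= 0x80 >> (p % 8)
    return tlv(0x03, bytes([7 - top % 8]) + bytes(buf))  # first byte: unused bits

def is_eku_sequence(value):
    """True only for a non-empty DER SEQUENCE whose members are all OIDs."""
    if len(value) <= 2 or value[0] != 0x30 or value[1] != len(value) - 2:
        return False
    off = 2
    while off < len(value):
        if value[off] != 0x06 or off + 1 >= len(value) or value[off + 1] >= 0x80:
            return False
        off += 2 + value[off + 1]
    return off == len(value)

if __name__ == "__main__":
    print(encode_eku([SERVER_AUTH, CLIENT_AUTH]).hex())
```

A value that fails `is_eku_sequence`, such as the usage names stored as a plain string, is the kind of extension content the quoted message describes certutil reporting as "Unknown Extension Type".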
