Dave W
2004-12-14 12:03:43 UTC
Hi All,
Is there anyone out there who has experienced problems trying to insert
a subject alternative name into a certreq - new request?
The CA infrastructure is an enterprise issuing CA on Win2K3 Server EE,
my client (server) is Win2K3 Server Standard. The certificate template
is based upon the RAS and IAS Server template.
I am attempting to script the certificate request using a policy file
called isarequest.inf... my request therefore looks like:

    certreq -New isarequest.inf isarequest.req

Please see below for contents of the isarequest.inf file.

    [NewRequest]
    PrivateKeyArchive = FALSE
    Exportable = FALSE
    KeyLength = 1024
    MachineKeySet = TRUE
    Subject="CN=ISA5.Management.Local"
    [RequestAttributes]
    CertificateTemplate = "CompanyISAVPNServer"
    SAN = "dns=isa5.Management.local"

I have looked in the "advcert.mspx" reference and believe that I have
the correct syntax.
The problems / questions I have are thus...
Question 1
The certificate is not getting the SAN field populated, what am I doing
wrong?
Question 2
When I take the issued certificate and install it into the machine
certificate store on the target ISA server, I don't get a match to a
private key that corresponds to the certificate. I have moved the
certificate into both the user and machine certificate store and
neither works. I have tested the request without specifying the
"MachineKeySet" parameter and this works (I get a private key "match"),
but I don't think that this is what I want because I want the
machine to be the owner, not the administrator account that submitted
the request. Any ideas?
Thanking you in advance,
Dave