Can I sign a plain-old CSR?


  • Can I sign a plain-old CSR?

    I have a Linux-based appliance, and I want my Windows Enterprise CA (Server 2008 R2) to issue it a certificate. So I generated a CSR and copied it over to my CA. However, when I right-click the CA, say All Tasks > Submit New Request, and select the CSR, I receive the error that it can't process it since it doesn't have a template.

    Can I sign a plain-old CSR? Here's the event.

    Log Name: Application
    Source: Microsoft-Windows-CertificationAuthority
    Date: 6/16/2010 10:32:52 AM
    Event ID: 53
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: SYSTEM
    Computer: a.b.blah.net
    Description:
    Active Directory Certificate Services denied request 9 because The request contains no certificate template information. 0x80094801 (-2146875391). The request was for { certificate DN here }. Additional information: Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

  • #2
    Re: Can I sign a plain-old CSR?

    this should work...
    http://fixunix.com/openssl/506591-ho...e-openssl.html
    Last edited by Dumber; 17th June 2010, 06:49. Reason: wrong link...
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Can I sign a plain-old CSR?

      Ok..
      Are you suggesting I use OpenSSL? I was hoping to sign this with my existing CA, since that's the one that all my desktops and servers trust as Enterprise Root. Otherwise I might as well keep using self-signed certs on my systems.

      I guess I might have to RTFM heh...



      • #4
        Re: Can I sign a plain-old CSR?

        No, I meant that generating a certificate using OpenSSL against the current PKI might work.


        • #5
          Re: Can I sign a plain-old CSR?

          Got it, that's a good idea. However, this particular "appliance" requires that you use the built-in app to generate certificates. OpenSSL would probably not be supported.



          • #6
            Re: Can I sign a plain-old CSR?

            You should be able to sign it using the Certificate Service Web Enrollment Support site if you installed it.

            On your CA just browse to http://localhost/certsrv/, select Request a Certificate, then Submit a certificate request using a base-64 encoded PKCS #10 file.

            The web form gives you the option to select a template to use, whereas the MMC expects it to be supplied in the request.

            http://support.microsoft.com/kb/910249
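
The same fix as post #6, done from the command line instead of the web form. This is an added example, not part of the original thread: it checks whether the CSR carries template information and, if not, supplies it as the `CertificateTemplate` request attribute named in the event text. The file paths, the `WebServer` template name and the CA config string are assumptions; substitute your own.

```powershell
# Added example; paths, template name and CA config string are assumptions.
$Csr      = 'C:\temp\appliance.csr'   # PKCS #10 generated by the appliance
$Cert     = 'C:\temp\appliance.cer'   # where the issued certificate is written
$Template = 'WebServer'               # template name (not display name) published on the CA
$CaConfig = 'ca01.example.net\Example-Issuing-CA'   # "CA host\CA name" (placeholder)

# 1. Dump the request and look for the template extensions the Enterprise CA
#    policy module checks for:
#      1.3.6.1.4.1.311.20.2  Certificate Template Name (v1 templates)
#      1.3.6.1.4.1.311.21.7  Certificate Template Information (v2 and later)
#    A CSR from a non-Windows appliance normally has neither, which is what
#    produces 0x80094801 when it is submitted as-is.
$dump = certutil -dump $Csr
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $Csr" }
$hasTemplate = [bool]($dump | Select-String -Pattern '1\.3\.6\.1\.4\.1\.311\.(20\.2|21\.7)')

# 2. Submit to the existing CA. If the request names no template, add it as a
#    request attribute; the CSR itself (and the appliance's key) is untouched.
$attrib = if ($hasTemplate) { @() } else { @('-attrib', "CertificateTemplate:$Template") }
certreq -submit -config $CaConfig @attrib $Csr $Cert
if ($LASTEXITCODE -ne 0) { throw "Submission failed or is pending; check the CA's Failed/Pending Requests" }

# 3. Confirm the issued certificate chains to the enterprise root before
#    loading it onto the appliance.
certutil -verify $Cert
```

The account running this needs Enroll permission on the chosen template, and the template must be published on the CA.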
