Guest Ron Proschan Posted December 30, 2008

We're trying to enable LDAP over SSL, using Microsoft Article 321051 and our own Windows 2003 Server CA. I use the inf model in that article, and when we do the certreq -new request.inf etc., we get:

"The request contains no certificate template information. 0x80094801 (-2146875391) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate Template."

If we add

[RequestAttributes]
CertificateTemplate = DomainControllerAuthentication

we get:

"The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-214875377) Denied by Policy Module."

If we add SAN="dns=[servername].local" we get the same error again.

Does anyone have any idea what we're doing wrong? Thanks very much in advance.

Ron Proschan
Guest Chipeater Posted January 1, 2009

It may be worth running the following command, then restart the CA service and try your scripted certificate request again.

CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

I seem to remember that scripted certificate requests which include a SAN don't work on a Win2K3 CA without this setting.

Hope it helps, if not, you'll have to provide more information about your request.inf file.
Guest Ron Proschan Posted January 2, 2009

Thanks for the comments. I just tried what you suggested, but I'm still getting the "The DNS name is unavailable and cannot be added to the Subject Alternate name" message. Besides KB 32105, I'm using the reqdccert.vbs script from technet article 783835. I'm getting an inf file like this:

[Version]
Signature= "$Windows NT$"

[NewRequest]
[sometimes I get a subject name here, sometimes I add a subject name here, sometimes I leave it blank -- results are the same]
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

;
; The subject alternative name (SAN) can be included in the INF-file
; for a Windows 2003 CA.
; You don't have to specify the SAN when submitting the request.
;
[Extensions]
2.5.29.17=MDqCF3dpbjJrMy51Y2hhc3RpbmdzLmxvY2FsoB8GCSsGAQQBgjcZAaASBBChcBgd
_continue_=Gd6HTbcu3U5uMb42
Critical=2.5.29.17

;
; The template name can be included in the INF-file for any CA.
; You don't have to specify the template when submitting the request.
;
;[RequestAttributes]
;CertificateTemplate=DomainController

Thanks, Ron.

"Chipeater" wrote:

> It may be worth running the following command, then restart the CA
> service and try your scripted certificate request again.
>
> CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
>
> I seem to remember that scripted certificate requests which include a
> SAN don't work on a Win2K3 CA without this setting.
>
> Hope it helps, if not, you'll have to provide more information about
> your request.inf file.
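The base64 blob on the 2.5.29.17= line of the posted request.inf is a DER-encoded X.509 GeneralNames sequence, and it pays to decode it before submitting a request so you can confirm the dNSName and the NTDS GUID otherName actually say what you expect. The following Python script is an added example, not part of the thread or of reqdccert.vbs; it parses the exact value from the post above into its names and rebuilds the same value from a hostname plus a 16-byte GUID. The only assumptions are the tag meanings from RFC 5280 (dNSName is context tag [2], otherName is [0]) and that OID 1.3.6.1.4.1.311.25.1 is the Microsoft NTDS-DSA object GUID carried in domain-controller certificates; the 16 GUID bytes are used as an opaque octet string without interpreting their byte order.

```python
"""Decode and rebuild the DER SAN value used on a certreq INF [Extensions] line.

Added example, not part of the forum thread. POSTED_SAN_B64 is the
2.5.29.17= value copied from the posted request.inf (main line + _continue_).
"""
import base64

POSTED_SAN_B64 = (
    "MDqCF3dpbjJrMy51Y2hhc3RpbmdzLmxvY2FsoB8GCSsGAQQBgjcZAaASBBChcBgd"
    "Gd6HTbcu3U5uMb42"
)

# Assumed: Microsoft NTDS-DSA object GUID otherName used in DC certificates.
NTDS_GUID_OID = "1.3.6.1.4.1.311.25.1"


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos.
    Short and long-form lengths are handled; that covers SAN-sized values."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """DER-encode a single tag/length/value triple."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _decode_oid(data):
    """Decode DER OID contents (base-128 arcs) to dotted form."""
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _encode_oid(oid):
    """Encode a dotted OID into DER OID contents."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                         # continuation bytes carry bit 7
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def decode_san(b64):
    """Parse a base64 SAN extension value into a list of (kind, value) tuples.

    dNSName entries become ("dns", "host.example"); otherName entries become
    ("other", (oid, raw_bytes)); anything else is returned as ("unknown", ...).
    """
    der = base64.b64decode(b64)
    tag, names, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN value must be a SEQUENCE OF GeneralName")
    result, pos = [], 0
    while pos < len(names):
        tag, value, pos = _read_tlv(names, pos)
        if tag == 0x82:                    # [2] dNSName, IA5String body
            result.append(("dns", value.decode("ascii")))
        elif tag == 0xA0:                  # [0] otherName: OID, [0] EXPLICIT value
            _, oid_bytes, p = _read_tlv(value, 0)
            _, explicit, _ = _read_tlv(value, p)
            _, inner, _ = _read_tlv(explicit, 0)   # OCTET STRING with the GUID
            result.append(("other", (_decode_oid(oid_bytes), inner)))
        else:
            result.append(("unknown", (tag, value)))
    return result


def encode_san(dns_name, ntds_guid):
    """Build the base64 text certreq expects on the 2.5.29.17= line."""
    dns = _tlv(0x82, dns_name.encode("ascii"))
    guid = _tlv(0xA0, _tlv(0x04, bytes(ntds_guid)))
    other = _tlv(0xA0, _tlv(0x06, _encode_oid(NTDS_GUID_OID)) + guid)
    return base64.b64encode(_tlv(0x30, dns + other)).decode("ascii")


if __name__ == "__main__":
    for kind, value in decode_san(POSTED_SAN_B64):
        print(kind, value if kind == "dns" else (value[0], value[1].hex()))
```

Running it shows the posted value holds a single dNSName plus the NTDS GUID otherName; feeding the decoded name and GUID back through encode_san reproduces the posted base64 byte for byte, so the same function can generate the line for another host once its objectGUID is known. Checking the decoded dNSName against the DC's actual FQDN is a cheap way to rule out a mismatch between the INF and the CA's expectations before touching CA policy flags.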
Guest Chipeater Posted January 3, 2009

Try with this one... I know it works for me...

[Version]
Signature = "$Windows NT$"

[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Silent = TRUE
Subject = "CN=DC1"
UseExistingKeySet = FALSE
UserProtected = FALSE

[RequestAttributes]
CertificateTemplate = "DomainController "
SAN = "dns=DC1.test.local"