HowTo: Use certreq.exe with a smartcard enrollment agent
I know this is my second post and it's still related to smartcards, but I swear this isn't the only thing I work on. I also know that this may be an edge topic to many, and as you read this you may ask: what is certreq.exe and what is an enrollment agent? If so, I encourage the use of Google (ok ok ... use MSN Search, or at least try it before Google and give it a chance).
I was looking through some newsgroup posts and found this:
https://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2005-02/0108.html
The basic problem as described in the post is:
I am trying to issue a smart card certificate (Ver 2 template on Win2003) on behalf of another user using certreq and an .inf file. The command is being run on a RA, i.e. the machine has an enrollment agent certificate installed. Firstly, should this work?
I am getting this error. Below is the inf file used.
Thanks!
C:\>certreq test.inf
certreq.exe: 5.2.3790.0 retail (srv03_rtm.030324-2048)
1401.1715.0: 0x8009310b (ASN: 267)
1401.2150.0: 0x8009310b (ASN: 267)
1401.2647.0: 0x8009310b (ASN: 267)
1401.6903.0: 0x8009310b (ASN: 267)
1401.7080.0: 0x8009310b (ASN: 267)
Certificate Request Processor: ASN1 bad tag value met.
0x8009310b (ASN:
Before we begin.. a few notes:
1. Some have noted my grammar is horrid - yes, I know. So Is My Speeling at Ttimes, and my typing skills are horrid (I use 6 fingers total). I was kicked out of typing class back in high school and didn't care since I would *NEVER* use it......
2. I thought I would post some HOW TO items.. I'll preface the titles with :HowTo
Anywho....
Here is how one would do this - or at least how I would do it ;oP
- By default, a Windows 2003 Server CA does not accept subject alternative names that are specified in a certificate request, and so does not insert them into the issued certificate. This applies to both stand-alone and enterprise CAs. So run this from a command line:
CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Then restart (stop and start) Certificate Services so the new flag takes effect.
- Create an INF file which looks like this:
[Version]
Signature= "$Windows NT$"
[NewRequest]
KeySpec = 1
KeyUsage = 0x30
Providertype = 1
RequesterName = Crisco0\Administrator
RequestType = CMC
ProviderName = "Gemplus GemSAFE Card CSP"
Subject = "CN=sctest,ou=SAFER,DC=crisco,DC=com"
KeyContainer = "SCTEST"
KeyLength = 512
[RequestAttributes]
CertificateTemplate = SpatsSmartCard
Where:
CertificateTemplate == name of your custom V2 template
ProviderName == the CSP your smartcard needs
RequesterName == name of the enrollment agent who is logged in and holds the enrollment agent cert
See https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx for more info on the syntax.
- Modify the V2 template on the Subject Name tab so that the Subject can be supplied in the request.
- Publish the template to your Enterprise CA
- From your enrollment station do the following:
C:\certutil>certreq -new inf.txt inf.req
(PROMPTED FOR PIN - ENTER PIN)
C:\certutil>certreq -sign inf.req inf_signed.req
(PROMPTED FOR PROPER ENROLLMENT AGENT CERT IN MY STORE)
C:\certutil>certreq -attrib "SAN:upn=sctest@crisco.com" -submit inf_signed.req inf_cert.cer
RequestId: 57
Certificate retrieved(Issued) Issued
C:\certutil>certreq -accept inf_cert.cer
(PROMPTED FOR PIN - ENTER PIN)
Now log on with the smartcard, and you should be logged on as the user specified in the UPN you provided.
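The same sequence driven from PowerShell, as an added example that is not from this post or from Microsoft's certreq documentation: it inspects the CA's EditFlags first (that flag is CA-wide, not per template, so every enrollee on that CA can then supply a SAN), writes the INF, and stops at the first certreq step that fails. Parameter and file names are mine, the -config handling and CA name are assumptions, and the default values are the post's own placeholders.

```powershell
# Added example, not the post's commands. Values below are the post's placeholders;
# parameter/file names and the -config handling are assumptions for a real CA.
param(
    [string]$Upn       = 'sctest@crisco.com',
    [string]$Subject   = 'CN=sctest,ou=SAFER,DC=crisco,DC=com',
    [string]$Template  = 'SpatsSmartCard',
    [string]$Csp       = 'Gemplus GemSAFE Card CSP',
    [string]$Requester = 'Crisco0\Administrator',
    [string]$Container = 'SCTEST',
    [int]   $KeyLength = 512,   # the post's value; modern Windows rejects RSA keys under 1024 bits
    [string]$CaConfig  = ''     # 'ca-host\CA-Name' (assumed); empty = let certreq choose the CA
)
# Defender check: EDITF_ATTRIBUTESUBJECTALTNAME2 is CA-wide, so once it is set every
# template on that CA accepts a caller-supplied SAN. Surface that rather than hide it.
if ($CaConfig) {
    $flags = certutil -config $CaConfig -getreg policy\EditFlags 2>&1 | Out-String
    if ($flags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
        Write-Warning "CA $CaConfig accepts request-supplied SANs on ALL templates."
    }
}
# Write the INF from the post; backtick-dollar keeps "$Windows NT$" literal.
$inf = @"
[Version]
Signature= "`$Windows NT`$"
[NewRequest]
KeySpec = 1
KeyUsage = 0x30
ProviderType = 1
RequesterName = $Requester
RequestType = CMC
ProviderName = "$Csp"
Subject = "$Subject"
KeyContainer = "$Container"
KeyLength = $KeyLength
[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path inf.txt -Value $inf -Encoding Ascii
function Invoke-CertReq([string[]]$CertReqArgs) {
    & certreq.exe @CertReqArgs      # splatting passes each argument to certreq intact
    if ($LASTEXITCODE -ne 0) { throw ('certreq {0} failed: 0x{1:x8}' -f $CertReqArgs[0], $LASTEXITCODE) }
}
Invoke-CertReq @('-new', 'inf.txt', 'inf.req')            # card PIN prompt
Invoke-CertReq @('-sign', 'inf.req', 'inf_signed.req')     # enrollment agent cert prompt
$submit = @('-attrib', "SAN:upn=$Upn", '-submit')
if ($CaConfig) { $submit += @('-config', $CaConfig) }
Invoke-CertReq ($submit + @('inf_signed.req', 'inf_cert.cer'))
Invoke-CertReq @('-accept', 'inf_cert.cer')                # card PIN prompt again
```

Run it on the enrollment station with the card inserted; a non-zero certreq exit code is reported as the HRESULT (e.g. 0x8009310b, the ASN.1 error from the quoted newsgroup post) instead of being silently ignored.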
Have fun!
Spat