HowTo: Use certreq.exe with a smartcard enrollment agent

 

I know this is my second post and it's still related to smartcards, but I swear this isn't the only thing I work on. I also know that this may be an edge topic to many, and as you read this you may say: what is certreq.exe and what is an enrollment agent?? If so, I encourage the use of Google (ok ok... use MSN Search, or at least try it before Google and give it a chance).

 

I was looking through some newsgroup posts and found this:

https://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2005-02/0108.html

The basic problem as described in the post is:

I am trying to issue a smart card certificate (Ver 2 template on Win2003) on behalf of another user using certreq and an .inf file. The command is being run on an RA, i.e. the machine has an enrollment agent certificate installed. Firstly, should this work?

I am getting this error. Below is the inf file used.

Thanks!

    C:\>certreq test.inf
    certreq.exe: 5.2.3790.0 retail (srv03_rtm.030324-2048)
    1401.1715.0: 0x8009310b (ASN: 267)
    1401.2150.0: 0x8009310b (ASN: 267)
    1401.2647.0: 0x8009310b (ASN: 267)
    1401.6903.0: 0x8009310b (ASN: 267)
    1401.7080.0: 0x8009310b (ASN: 267)
    Certificate Request Processor: ASN1 bad tag value met.
    0x8009310b (ASN:

 

Before we begin.. a few notes:

 

1. Some have noted my grammar is horrid - yes I know, So Is My Speeling at Times, and my typing skills are horrid (I use 6 fingers total). I was kicked out of typing class back in high school and didn't care since I would *NEVER* use it......

2. I thought I would post some HOW TO items. I'll preface the titles with :HowTo

Anywho....

Here is how one would do this - or at least how I would do it ;oP

  1. By default, a Windows Server 2003 CA ignores subject alternative names that are supplied as attributes of a certificate request, so the UPN we pass with certreq -attrib further down would never make it into the issued certificate. This applies to both stand-alone and enterprise CAs. To change it, run this from a command line on the CA:

            CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Then cycle Certificate Services (net stop certsvc, then net start certsvc) so the new EditFlags are read.

A caveat before you do: this flag is CA-wide, not per template. While it is set, anyone who can submit a request to that CA can attach a SAN with any UPN they like, and if the template allows authentication, the resulting certificate logs on as whatever account that UPN names. Treat it as a temporary setting for the enrollment session and clear it again (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, then cycle the service) when you are done.

  2. Create an INF file which looks like this:

    [Version]
    Signature= "$Windows NT$"

    [NewRequest]
    KeySpec = 1
    KeyUsage = 0x30
    Providertype = 1
    RequesterName = Crisco0\Administrator
    RequestType = CMC
    ProviderName = "Gemplus GemSAFE Card CSP"
    Subject = "CN=sctest,ou=SAFER,DC=crisco,DC=com"
    KeyContainer = "SCTEST"
    KeyLength = 512

    [RequestAttributes]
    CertificateTemplate = SpatsSmartCard

Where:

CertificateTemplate == name of your custom V2 template

ProviderName == the smart card CSP installed on the enrollment station; the key is generated on the card by that CSP, so the name must match exactly

RequesterName == name of the enrollment agent who is logged on and holds the enrollment agent certificate

KeyLength == 512 is what I used with this card; it is far too small to rely on, so use the largest the card and CSP support (1024 at the very least, 2048 if the card can do it)

See https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

for more info on the syntax.

  3. Modify the V2 template: on the Subject Name tab select "Supply in the request", so the Subject and the SAN come from the request rather than being built from Active Directory.
  4. Publish the template to your Enterprise CA.
  5. From your enrollment station do the following:

    C:\certutil>certreq -new inf.txt inf.req
    (PROMPTED FOR PIN - ENTER PIN; the key pair is generated on the card)

    C:\certutil>certreq -sign inf.req inf_signed.req
    (PROMPTED FOR THE PROPER ENROLLMENT AGENT CERT IN MY STORE)

    C:\certutil>certreq -attrib "SAN:upn=sctest@crisco.com" -submit inf_signed.req inf_cert.cer
    RequestId: 57
    Certificate retrieved(Issued) Issued

    C:\certutil>certreq -accept inf_cert.cer
    (PROMPTED FOR PIN - ENTER PIN; the issued certificate is written to the card)

Now log on with the smart card and you should be logged on as the user specified in the UPN you provided. If the logon fails, open the issued certificate and check that the Subject Alternative Name extension actually contains that UPN; if it is missing, the CA dropped the -attrib value, which means step 1 was not done or Certificate Services was not restarted afterwards.
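The five steps above, scripted as one run. This is an added example and not code from the original post: it is PowerShell for a current enrollment station (the certreq.exe and certutil.exe calls are the same ones typed above), it checks the CA's EditFlags before doing anything, writes the INF from the post, runs the four certreq steps, and then verifies that the issued certificate really carries the requested UPN. The CA config string "ca01.crisco.com\Crisco Issuing CA", the working directory and file names, and the 2048-bit key (the post used 512) are assumptions.

```powershell
<#
  Added example, not code from the original post. Drives the enrollment-agent
  flow end to end with certreq.exe/certutil.exe and verifies the result.
  Assumptions: the CA config string, the working directory and file names,
  and KeyLength 2048 (the post used 512). Run on the enrollment station as
  the enrollment agent with the card in the reader; certreq prompts for the
  PIN and for the signing certificate exactly as in the manual steps.
#>
param(
    [string]$CAConfig  = 'ca01.crisco.com\Crisco Issuing CA',   # assumed "host\CA name"
    [string]$Template  = 'SpatsSmartCard',
    [string]$Csp       = 'Gemplus GemSAFE Card CSP',
    [string]$Subject   = 'CN=sctest,ou=SAFER,DC=crisco,DC=com',
    [string]$Upn       = 'sctest@crisco.com',
    [string]$Agent     = 'Crisco0\Administrator',
    [int]$KeyLength    = 2048,                                  # assumption; 512 is not safe
    [string]$WorkDir   = (Join-Path $env:TEMP 'sc-enroll')      # assumption
)

function Invoke-Native {
    # Run a native tool and stop on a non-zero exit code; certreq and certutil
    # report failures through the exit code as well as on the console.
    param([string]$Exe, [string[]]$ToolArgs)
    $output = & $Exe @ToolArgs
    $output | ForEach-Object { Write-Host "  $_" }
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
    return $output
}

function Assert-SanAttributeEnabled {
    # Step 1 check: without EDITF_ATTRIBUTESUBJECTALTNAME2 the CA silently drops
    # the SAN passed with -attrib and the card will not log on as the target user.
    # certutil -getreg lists the symbolic names of the flags that are set.
    param([string]$Config)
    $flags = Invoke-Native 'certutil.exe' @('-config', $Config, '-getreg', 'policy\EditFlags')
    if (-not ($flags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2')) {
        throw ("EDITF_ATTRIBUTESUBJECTALTNAME2 is not set on $Config. On the CA run " +
               "'certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2', " +
               "cycle certsvc, and clear the flag again when enrollment is done: " +
               "while it is set, any requester can put any UPN into a certificate.")
    }
}

function New-SmartCardRequestInf {
    # Step 2: the INF from the post with the values parameterised.
    param([string]$Path)
    $inf = @"
[Version]
Signature= "`$Windows NT`$"

[NewRequest]
KeySpec = 1
KeyUsage = 0x30
ProviderType = 1
RequesterName = $Agent
RequestType = CMC
ProviderName = "$Csp"
Subject = "$Subject"
KeyContainer = "SCTEST"
KeyLength = $KeyLength

[RequestAttributes]
CertificateTemplate = $Template
"@
    Set-Content -Path $Path -Value $inf -Encoding Ascii
}

function Test-IssuedCertificateUpn {
    # Final check: the Subject Alternative Name extension (OID 2.5.29.17) of the
    # issued certificate must carry the UPN we asked for; Format($true) renders
    # it as "Principal Name=<upn>" on Windows.
    param([string]$CerPath, [string]$ExpectedUpn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($null -eq $san) { return $false }
    return [bool]($san.Format($true) -match [regex]::Escape($ExpectedUpn))
}

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$infPath = Join-Path $WorkDir 'sctest.inf'
$reqPath = Join-Path $WorkDir 'sctest.req'
$sgnPath = Join-Path $WorkDir 'sctest_signed.req'
$cerPath = Join-Path $WorkDir 'sctest.cer'

Assert-SanAttributeEnabled -Config $CAConfig
New-SmartCardRequestInf -Path $infPath
Invoke-Native 'certreq.exe' @('-new', $infPath, $reqPath) | Out-Null      # PIN prompt: key generated on the card
Invoke-Native 'certreq.exe' @('-sign', $reqPath, $sgnPath) | Out-Null     # pick the enrollment agent certificate
Invoke-Native 'certreq.exe' @('-submit', '-config', $CAConfig, '-attrib', "SAN:upn=$Upn", $sgnPath, $cerPath) | Out-Null
Invoke-Native 'certreq.exe' @('-accept', $cerPath) | Out-Null             # PIN prompt: certificate written to the card

if (Test-IssuedCertificateUpn -CerPath $cerPath -ExpectedUpn $Upn) {
    Write-Host "Issued certificate carries UPN $Upn; log on with the card to confirm."
} else {
    throw "Issued certificate does not contain UPN $Upn; check EditFlags on the CA and the template's Subject Name settings."
}
```

The EditFlags check runs first on purpose: if the flag is missing, the CA issues a certificate with no UPN in it and the only symptom is a failed logon later, so it is cheaper to refuse up front. The final check catches the same problem from the other side, and the failure message doubles as a reminder to clear the flag once the card is enrolled.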

 

 

Have fun!

Spat