Certificate Services - OrganizationalUnitName missing from certificate

Question

Friday, September 12, 2014 8:44 AM

We are running into an issue with our local AD CS implementation.

We are currently trying to provide certificates for our VMware vCenter setup and this requires multiple certificates all issued to the same server but for different services on the server.
VMware uses the OrganizationalUnitName property in the Subject attribute to distinguish between the different services. 

The issue arises once the certificate has been issued: even though the request sent to the AD CS server includes the OrganizationalUnitName, it doesn't appear on the certificate. It does, however, appear in the Issued Organizational Unit column if we look at the Issued Certificates list in the AD CS service.

So it would appear that AD CS is receiving the request correctly but not adding it to the certificate.

The certificate template used is based on the standard Web Server template, with a few changes: the Key Usage has been updated with the following two options, Signature is proof of origin (nonrepudiation) and Allow encryption of user data; the Application Policies have been updated to include Client Authentication; and the subject name is set to be supplied in the request.

Our AD CS setup is self-signed for internal purposes and runs on Windows Server 2008 R2, which has been fully updated with Windows Update; the CA version is 6.1. The setup consists of a root CA, which is offline for security purposes, and an intermediate CA which handles the requests.

Any help will be greatly appreciated.  

All replies (12)

Wednesday, September 17, 2014 1:04 PM ✅Answered | 1 vote

Thanks. It seems that someone misconfigured your CA, so your CA will not put any RDN attribute except CN (common name), E (email) and DC (domain component) into the subject. To fix this, you need to restore the default subject template:

certutil -setreg ca\subjecttemplate "EMail\nCommonName\nOrganizationalUnit\nOrganization\nLocality\nState\nDomainComponent\nCountry\nUnstructuredName\nUnstructuredAddress\nDeviceSerialNumber"

and restart certificate service:

net stop certsvc && net start certsvc

or restart it from the CA console, then submit the request again.

My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.


Friday, September 12, 2014 1:38 PM

can you show us, in what format you supply the subject? Any example?



Friday, September 12, 2014 2:55 PM

Or even better, can you share your request file for review?

certutil -dump <requestfile>

Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.


Tuesday, September 16, 2014 12:15 PM

Sorry for the lack of response on my part; I messed up the alerts for the thread.

The request file, with identifying information removed looks like this:

[ req ] 
default_bits = 2048 
default_keyfile = rui.key 
distinguished_name = req_distinguished_name 
encrypt_key = no 
prompt = no 
string_mask = nombstr 
req_extensions = v3_req 
 
[ v3_req ] 
basicConstraints = CA:FALSE 
keyUsage = digitalSignature, keyEncipherment, dataEncipherment 
extendedKeyUsage = serverAuth, clientAuth 
subjectAltName = IP:<IPAddress>, DNS:<shortServerName>, DNS:<FQDN> 
 
[ req_distinguished_name ] 
countryName = <countryCode>
stateOrProvinceName = <region>
localityName = <city>
0.organizationName = <companyName>
organizationalUnitName = vCenterSSO-<shortServerName> 
commonName = <FQDN>

 


Tuesday, September 16, 2014 12:19 PM

> The request file, with identifying information removed looks like this:

Is this the OpenSSL dump? I would prefer the certutil equivalent: certutil -dump reqfilename.req



Tuesday, September 16, 2014 1:10 PM

Here we go, from certutil:

PKCS10 Certificate Request:
Version: 1
Subject:
    CN=<FQDN>
    OU=vCenterSSO-<shortServerName>
    O=<companyName>
    L=<city>
    S=<region>
    C=<countryCode>

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
...
Request Attributes: 1
  1 attributes:

  Attribute[0]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[0][0]:
    Unknown Attribute type
Certificate Extensions: 4
    2.5.29.19: Flags = 0, Length = 2
    Basic Constraints
        Subject Type=End Entity
        Path Length Constraint=None

    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Key Encipherment, Data Encipherment (b0)

    2.5.29.37: Flags = 0, Length = 16
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
        Client Authentication (1.3.6.1.5.5.7.3.2)

    2.5.29.17: Flags = 0, Length = 20
    Subject Alternative Name
        IP Address=<IPAddress>
        DNS Name=<shortServerName>
        DNS Name=<FQDN>

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
...
Signature matches Public Key
Key Id Hash(rfc-sha1): ...
Key Id Hash(sha1): ...

Tuesday, September 16, 2014 1:20 PM

From what I see, your request is composed properly and the OU RDN attribute should appear in an issued certificate. What subject name do you see in the issued certificate?



Tuesday, September 16, 2014 1:23 PM

> What subject name do you see in the issued certificate?

The subject name only contains: CN = <FQDN>


Tuesday, September 16, 2014 3:04 PM

Are other RDN attributes missing from the issued certificate? Or only OU is missing?



Tuesday, September 16, 2014 6:11 PM

can you show us the following output:

certutil -getreg CA\SubjectTemplate

This command must be run on the CA server.

In addition, we would like to see a verbose request dump:

certutil -v -dump certrequestfile.req

When obscuring names, try not to use brackets (<>), do not remove any special character in the subject, and the obscured value's length must be the same as the original. Simply put, you can replace regular (non-special) characters with the 'x' character.



Wednesday, September 17, 2014 12:48 PM

> Are other RDN attributes missing from the issued certificate? Or only OU is missing?

All other RDN attributes other than CN are missing from the issued certificate.

The output of the certutil -getreg CA\SubjectTemplate command is the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA\SubjectTemplate:

  SubjectTemplate REG_MULTI_SZ =
    0: EMail
    1: CommonName
    2: DomainComponent

So it would appear that there are some missing components in the registry key.

The output of the verbose dump is:

PKCS10 Certificate Request:
Version: 1
Subject:
    CN=xxxxx.xxxxx.xxx
    OU=vCenterSSO-xxxxx
    O=xxxx xxxxx x/x
    L=Xxxxxxxx
    S=xxxxxx xxxxxxxxxxx
    C=xx
    [0,0]: CERT_RDN_PRINTABLE_STRING, Length = 2 (2/2 Characters)
        2.5.4.6 Country/Region (C)="xx"

        44 4b                                              xx

        44 00 4b 00                                        x.x.

    [1,0]: CERT_RDN_PRINTABLE_STRING, Length = 18 (18/128 Characters)
        2.5.4.8 State Or Province (S)="xxxxxx xxxxxxxxxxx"

        52 65 67 69 6f 6e 20 48  6f 76 65 64 73 74 61 64   xxxxxx xxxxxxxxx
        65 6e                                              xx

        52 00 65 00 67 00 69 00  6f 00 6e 00 20 00 48 00   x.x.x.x.x.x. .x.
        6f 00 76 00 65 00 64 00  73 00 74 00 61 00 64 00   x.x.x.x.x.x.x.x.
        65 00 6e 00                                        x.x.

    [2,0]: CERT_RDN_PRINTABLE_STRING, Length = 8 (8/128 Characters)
        2.5.4.7 Locality (L)="Xxxxxxxx"

        42 61 6c 6c 65 72 75 70                            Xxxxxxxx

        42 00 61 00 6c 00 6c 00  65 00 72 00 75 00 70 00   x.x.x.x.x.x.x.x.

    [3,0]: CERT_RDN_PRINTABLE_STRING, Length = 15 (15/64 Characters)
        2.5.4.10 Organization (O)="xxxx xxxxx x/x"

        47 61 76 64 69 20 47 72  6f 75 70 20 41 2f 53      xxxx xxxxx x/x

        47 00 61 00 76 00 64 00  69 00 20 00 47 00 72 00   x.x.x.x.x. .x.x.
        6f 00 75 00 70 00 20 00  41 00 2f 00 53 00         x.x.x. .x./.x.

    [4,0]: CERT_RDN_PRINTABLE_STRING, Length = 16 (16/64 Characters)
        2.5.4.11 Organizational Unit (OU)="vCenterSSO-xxxxx"

        76 43 65 6e 74 65 72 53  53 4f 2d 76 67 30 30 31   vCenterSSO-xxxxx

        76 00 43 00 65 00 6e 00  74 00 65 00 72 00 53 00   v.C.e.n.t.e.r.S.
        53 00 4f 00 2d 00 76 00  67 00 30 00 30 00 31 00   S.O.-.x.x.x.x.x.

    [5,0]: CERT_RDN_PRINTABLE_STRING, Length = 15 (15/64 Characters)
        2.5.4.3 Common Name (CN)="xxxxx.xxxxx.xxx"

        76 67 30 30 31 2e 67 61  76 64 69 2e 6e 65 74      xxxxx.xxxxx.xxx

        76 00 67 00 30 00 30 00  31 00 2e 00 67 00 61 00   x.x.x.x.x...x.x.
        76 00 64 00 69 00 2e 00  6e 00 65 00 74 00         x.x.x...x.x.x.


Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    .......
Request Attributes: 1
  1 attributes:

  Attribute[0]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[0][0]:
    Unknown Attribute type
Certificate Extensions: 4
    2.5.29.19: Flags = 0, Length = 2
    Basic Constraints
        Subject Type=End Entity
        Path Length Constraint=None

    0000  30 00                                              0.
0000: 30 00                 ; SEQUENCE (0 Bytes)

    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Key Encipherment, Data Encipherment (b0)

    0000  03 02 04 b0                                        ....
0000: 03 02                 ; BIT_STRING (2 Bytes)
0002:    04
0003:    b0

    2.5.29.37: Flags = 0, Length = 16
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
        Client Authentication (1.3.6.1.5.5.7.3.2)

    0000  30 14 06 08 2b 06 01 05  05 07 03 01 06 08 2b 06   0...+.........+.
    0010  01 05 05 07 03 02                                  ......
0000: 30 14                 ; SEQUENCE (14 Bytes)
0002:    06 08                  ; OBJECT_ID (8 Bytes)
0004:    |  2b 06 01 05 05 07 03 01
         |     ; 1.3.6.1.5.5.7.3.1 Server Authentication
000c:    06 08                  ; OBJECT_ID (8 Bytes)
000e:       2b 06 01 05 05 07 03 02
               ; 1.3.6.1.5.5.7.3.2 Client Authentication

    2.5.29.17: Flags = 0, Length = 20
    Subject Alternative Name
        IP Address=xxx.xxx.xxx.xxx
        DNS Name=xxxxx
        DNS Name=xxxxx.xxxxx.xxx
    AltName: 3 entries:
    AltName[0] CERT_ALT_NAME_IP_ADDRESS:

        0000  ac 16 00 0b                                        ....

    AltName[1] CERT_ALT_NAME_DNS_NAME: "xxxxx"
    AltName[2] CERT_ALT_NAME_DNS_NAME: "xxxxx.xxxxx.xxx"

    0000  30 1e 87 04 ac 16 00 0b  82 05 76 67 30 30 31 82   0.........xxxxx.
    0010  0f 76 67 30 30 31 2e 67  61 76 64 69 2e 6e 65 74   .xxxxx.xxxxx.xxx
0000: 30 1e                 ; SEQUENCE (1e Bytes)
0002:    87 04                  ; CONTEXT_SPECIFIC[7] (4 Bytes)
0004:    |  ac 16 00 0b                                       ; ....
0008:    82 05                  ; CONTEXT_SPECIFIC[2] (5 Bytes)
000a:    |  76 67 30 30 31                                    ; xxxxx
000f:    82 0f                  ; CONTEXT_SPECIFIC[2] (f Bytes)
0011:       76 67 30 30 31 2e 67 61  76 64 69 2e 6e 65 74     ; xxxxx.xxxxx.xxx

    0000  30 60 30 09 06 03 55 1d  13 04 02 30 00 30 0b 06   0`0...U....0.0..
    0010  03 55 1d 0f 04 04 03 02  04 b0 30 1d 06 03 55 1d   .U........0...U.
    0020  25 04 16 30 14 06 08 2b  06 01 05 05 07 03 01 06   %..0...+........
    0030  08 2b 06 01 05 05 07 03  02 30 27 06 03 55 1d 11   .+.......0'..U..
    0040  04 20 30 1e 87 04 ac 16  00 0b 82 05 76 67 30 30   . 0.........xxxx
    0050  31 82 0f 76 67 30 30 31  2e 67 61 76 64 69 2e 6e   x..xxxxx.xxxxx.x
    0060  65 74                                              xx
0000: 30 60                 ; SEQUENCE (60 Bytes)
0002:    30 09                  ; SEQUENCE (9 Bytes)
0004:    |  06 03               ; OBJECT_ID (3 Bytes)
0006:    |  |  55 1d 13
         |  |     ; 2.5.29.19 Basic Constraints
0009:    |  04 02               ; OCTET_STRING (2 Bytes)
000b:    |     30 00                ; SEQUENCE (0 Bytes)
000d:    30 0b                  ; SEQUENCE (b Bytes)
000f:    |  06 03               ; OBJECT_ID (3 Bytes)
0011:    |  |  55 1d 0f
         |  |     ; 2.5.29.15 Key Usage
0014:    |  04 04               ; OCTET_STRING (4 Bytes)
0016:    |     03 02                ; BIT_STRING (2 Bytes)
0018:    |        04
0019:    |        b0
001a:    30 1d                  ; SEQUENCE (1d Bytes)
001c:    |  06 03               ; OBJECT_ID (3 Bytes)
001e:    |  |  55 1d 25
         |  |     ; 2.5.29.37 Enhanced Key Usage
0021:    |  04 16               ; OCTET_STRING (16 Bytes)
0023:    |     30 14                ; SEQUENCE (14 Bytes)
0025:    |        06 08             ; OBJECT_ID (8 Bytes)
0027:    |        |  2b 06 01 05 05 07 03 01
         |        |     ; 1.3.6.1.5.5.7.3.1 Server Authentication
002f:    |        06 08             ; OBJECT_ID (8 Bytes)
0031:    |           2b 06 01 05 05 07 03 02
         |              ; 1.3.6.1.5.5.7.3.2 Client Authentication
0039:    30 27                  ; SEQUENCE (27 Bytes)
003b:       06 03               ; OBJECT_ID (3 Bytes)
003d:       |  55 1d 11
            |     ; 2.5.29.17 Subject Alternative Name
0040:       04 20               ; OCTET_STRING (20 Bytes)
0042:          30 1e                ; SEQUENCE (1e Bytes)
0044:             87 04             ; CONTEXT_SPECIFIC[7] (4 Bytes)
0046:             |  ac 16 00 0b                                       ; ....
004a:             82 05             ; CONTEXT_SPECIFIC[2] (5 Bytes)
004c:             |  76 67 30 30 31                                    ; xxxxx
0051:             82 0f             ; CONTEXT_SPECIFIC[2] (f Bytes)
0053:                76 67 30 30 31 2e 67 61  76 64 69 2e 6e 65 74     ; xxxxx.xxxxx.xxx
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    .......
Signature matches Public Key
Key Id Hash(rfc-sha1): ......
Key Id Hash(sha1): .......
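The example below is added here and is not code from the thread or from any of the posters. It walks a PKCS#10 request down to its subject (the structure the certutil dumps above print), reads the CA\SubjectTemplate entries out of certutil -getreg output like the one the original poster pasted, and predicts which RDNs the CA will keep. That is the mechanism behind the accepted answer: SubjectTemplate acts as an allow-list of RDN types, and with only EMail, CommonName and DomainComponent in it, OU, O, L, S and C are silently dropped while the CA database still records the OU it received. The OID-to-name mapping, the unsigned sample request and the vc01.example.net subject are assumptions made for the example. One caveat on the verbose dump above: replacing characters only in the decoded column does not redact anything, because the hex columns still carry the raw bytes.

```python
"""Added example, not code from the thread: walk a PKCS#10 request's subject
and predict which RDNs an AD CS CA keeps, given its CA\\SubjectTemplate value.
Standard library only; the sample request at the bottom is constructed and unsigned."""
import re
# Default CA\SubjectTemplate, as given in the accepted answer above.
DEFAULT_SUBJECT_TEMPLATE = ["EMail", "CommonName", "OrganizationalUnit", "Organization",
                            "Locality", "State", "DomainComponent", "Country",
                            "UnstructuredName", "UnstructuredAddress", "DeviceSerialNumber"]
# RDN attribute OIDs -> SubjectTemplate names (wincrypt.h OIDs; mapping assumed).
OID_TO_TEMPLATE_NAME = {
    "1.2.840.113549.1.9.1": "EMail", "2.5.4.3": "CommonName", "2.5.4.11": "OrganizationalUnit",
    "2.5.4.10": "Organization", "2.5.4.7": "Locality", "2.5.4.8": "State",
    "0.9.2342.19200300.100.1.25": "DomainComponent", "2.5.4.6": "Country",
    "1.2.840.113549.1.9.2": "UnstructuredName", "1.2.840.113549.1.9.8": "UnstructuredAddress",
    "2.5.4.5": "DeviceSerialNumber"}

def der_read(buf, pos=0):
    """One DER TLV at pos -> (tag, content, next_pos); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8n then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """(tag, content) pairs of the children of a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        out.append((tag, inner))
    return out

def decode_oid(raw):
    """Dotted OID from DER content (first byte packs two arcs, rest base-128)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def csr_subject(csr_der):
    """CertificationRequest -> certificationRequestInfo -> subject, as [(oid, value)] in
    DER order. Values are assumed PrintableString/UTF8String (BMPString not handled)."""
    cri = der_children(der_read(csr_der)[1])[0][1]   # certificationRequestInfo
    subject = der_children(cri)[1][1]                # [0] version, [1] subject Name
    rdns = []
    for _, rdn_set in der_children(subject):         # Name ::= SEQUENCE OF RDN
        for _, atv in der_children(rdn_set):         # RDN ::= SET OF AttributeTypeAndValue
            (_, oid), (_, value) = der_children(atv)
            rdns.append((decode_oid(oid), value.decode("utf-8")))
    return rdns

def parse_getreg_subject_template(text):
    """Entries ('0: EMail', ...) from 'certutil -getreg CA\\SubjectTemplate' output."""
    return re.findall(r"^\s*\d+:\s+(\S+)\s*$", text, re.M)

def predict_issued_subject(rdns, subject_template):
    """Mimic the CA: RDN types absent from SubjectTemplate are dropped (the behaviour seen
    in the thread). Request order is kept; the CA's own re-ordering is not modelled."""
    allowed, kept, dropped = set(subject_template), [], []
    for oid, value in rdns:
        name = OID_TO_TEMPLATE_NAME.get(oid, oid)
        (kept if name in allowed else dropped).append((name, value))
    return kept, dropped

def missing_from_default(subject_template):
    return [n for n in DEFAULT_SUBJECT_TEMPLATE if n not in subject_template]

def restore_command(template=DEFAULT_SUBJECT_TEMPLATE):
    # The fix from the accepted answer; \n separates REG_MULTI_SZ entries. Restart certsvc after.
    return 'certutil -setreg CA\\SubjectTemplate "' + "\\n".join(template) + '"'

# ---- constructed sample input: minimal DER writer, dummy key, zero signature ----
def der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        out += bytes(reversed(chunk))
    return bytes(out)

def build_sample_csr(subject):
    """Structurally valid but UNSIGNED PKCS#10 carrying the given subject."""
    atv = lambda oid, v: der(0x31, der(0x30, der(0x06, encode_oid(oid)) + der(0x13, v.encode())))
    alg = lambda oid: der(0x30, der(0x06, encode_oid(oid)) + der(0x05, b""))
    name = der(0x30, b"".join(atv(o, v) for o, v in subject))
    key = der(0x03, b"\x00" + der(0x30, der(0x02, b"\x00\xc1") + der(0x02, b"\x01\x00\x01")))
    cri = der(0x30, der(0x02, b"\x00") + name + der(0x30, alg("1.2.840.113549.1.1.1") + key) + der(0xA0, b""))
    return der(0x30, cri + alg("1.2.840.113549.1.1.11") + der(0x03, b"\x00" + bytes(16)))

# Fictitious subject in the thread's vCenterSSO-<host> shape, and the registry value the poster found.
SAMPLE_SUBJECT = [("2.5.4.6", "XX"), ("2.5.4.8", "Example Region"), ("2.5.4.7", "Example City"),
                  ("2.5.4.10", "Example Org"), ("2.5.4.11", "vCenterSSO-vc01"), ("2.5.4.3", "vc01.example.net")]
BROKEN_GETREG = "  SubjectTemplate REG_MULTI_SZ =\n    0: EMail\n    1: CommonName\n    2: DomainComponent\n"
```

With BROKEN_GETREG, predict_issued_subject keeps only the CommonName and reports Country, State, Locality, Organization and OrganizationalUnit as dropped, which matches the CN-only subject the original poster saw; with DEFAULT_SUBJECT_TEMPLATE nothing is dropped. To use it against a real CA, feed the output of certutil -getreg CA\SubjectTemplate to parse_getreg_subject_template and the request (base64-decoded from the .req file, for instance with certutil -decode) to csr_subject; the dropped list then tells you before submission which RDNs would be lost, and missing_from_default plus restore_command give the registry entries to put back.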

Wednesday, September 17, 2014 1:18 PM

That did the trick, thank you very much for all your help.