Discussion:
Signing an OpenSSL CSR with Microsoft Certificate Authority
(too old to reply)
Dave Morrow
2005-07-24 14:33:50 UTC
Permalink
I am attempting to sign an OpenSSL generated CSR with Microsoft
Certification Authority.

I generated the CSR using the instructions the instructions on the Apache
website and successfully got the CSR. When I attempt to sign the CSR using
Microsoft's Certificate Authority, I get the error "The request contains no
certificate template information."

Does anyone know how to do this?
S. Pidgorny <MVP>
2005-07-25 09:08:53 UTC
Permalink
Better use Web interface or certreq.exe to request the cert. I'm most
certain that the enterprise CA Web interface allows to select template for a
request.

If you'd like to have the whole lot done by OpenSSL - you can do that too.
As usually, documentation is largely missing and some assembly required but
here's the deal:

* You can add the template name to the request - it is an attribute with OID
1.3.6.1.4.1.311.20.2
* Openssl allows to add optional attributes in the request configuration
file. See req man page for details.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
Post by Dave Morrow
I am attempting to sign an OpenSSL generated CSR with Microsoft
Certification Authority.
I generated the CSR using the instructions the instructions on the Apache
website and successfully got the CSR. When I attempt to sign the CSR using
Microsoft's Certificate Authority, I get the error "The request contains no
certificate template information."
Does anyone know how to do this?
Dave Morrow
2005-07-25 13:40:54 UTC
Permalink
Thanks for the reply.

I'll have to look into how to add the appropriate information to the CSR
with OpenSSL. I've already tried using the web interface with the same
results (no template).
Post by S. Pidgorny <MVP>
Better use Web interface or certreq.exe to request the cert. I'm most
certain that the enterprise CA Web interface allows to select template for a
request.
If you'd like to have the whole lot done by OpenSSL - you can do that too.
As usually, documentation is largely missing and some assembly required but
* You can add the template name to the request - it is an attribute with OID
1.3.6.1.4.1.311.20.2
* Openssl allows to add optional attributes in the request configuration
file. See req man page for details.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
Post by Dave Morrow
I am attempting to sign an OpenSSL generated CSR with Microsoft
Certification Authority.
I generated the CSR using the instructions the instructions on the Apache
website and successfully got the CSR. When I attempt to sign the CSR using
Microsoft's Certificate Authority, I get the error "The request contains
no
Post by Dave Morrow
certificate template information."
Does anyone know how to do this?
Sebastian Rieger
2005-07-25 19:44:36 UTC
Permalink
Using the web enrollment pages you can simply supply the attribute in
the "Additional Attributes" text field. Just use:

CertificateTemplate: <template_name>

If you need it more regulary, you can extend the web enrollment pages,
like e.g. http://user-ca.mpg.de/request/certrqxt.asp?reqmode=1.

MfG

Sebastian Rieger
Post by Dave Morrow
Thanks for the reply.
I'll have to look into how to add the appropriate information to the CSR
with OpenSSL. I've already tried using the web interface with the same
results (no template).
Post by S. Pidgorny <MVP>
Better use Web interface or certreq.exe to request the cert. I'm most
certain that the enterprise CA Web interface allows to select template for a
request.
If you'd like to have the whole lot done by OpenSSL - you can do that too.
As usually, documentation is largely missing and some assembly required but
* You can add the template name to the request - it is an attribute with OID
1.3.6.1.4.1.311.20.2
* Openssl allows to add optional attributes in the request configuration
file. See req man page for details.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
Post by Dave Morrow
I am attempting to sign an OpenSSL generated CSR with Microsoft
Certification Authority.
I generated the CSR using the instructions the instructions on the Apache
website and successfully got the CSR. When I attempt to sign the CSR using
Microsoft's Certificate Authority, I get the error "The request contains
no
Post by Dave Morrow
certificate template information."
Does anyone know how to do this?
Loading...