In our PKI environment there are some templates that require an additional signature from authorized personnel ("This number of authorized signatures: 1" etc.) which works very well.
A requirement we are now confronted with is that certificate requests from external sources shall be allowed (after proper examination).
My problem is that I can't find a solution to additionally sign those CSRs to fulfill the requirement for those templates, which require being signed with a certificate with a custom application policy for the authorized personnel.
I tried using "certreq.exe" with the "sign" parameter as pointed out on several websites. This always fails with the error message "The data is invalid".
Another suggestion was to use a relatively empty "policy.inf" file containing nothing but Signature="$Windows NT$" and then using "certreq.exe" with the "policy" and "cert" switches. Since this seems only to work for signing certificates which contain the "Certificate Request Agent" application policy, it seems that I'm stuck.
Is there any way to manually sign a CSR so that it will be accepted by a Microsoft CA for a template which requires that specific additional signature?
Regards,
Peter