Peter-1841 asked

ADCS - Manually signing a CSR (authorized signatures)

In our PKI environment there are some templates that require an additional signature from authorized personnel ("This number of authorized signatures: 1" etc.), which works very well.
A requirement we are now confronted with is that certificate requests from external sources shall be allowed (after proper examination).

My problem is that I can't find a solution to additionally sign those CSRs to fulfill the requirement for those templates, which require being signed with a certificate with a custom application policy for the authorized personnel.

I tried using "certreq.exe" with the "sign" parameter as pointed out on several websites. This always fails with the error message "The data is invalid".
Another suggestion was to use a relatively empty "policy.inf" file containing nothing but "Signature="$Windows NT$"" and then using "certreq.exe" with the "policy" and "cert" switches. Since this seems only to work for signing certificates which contain the "Certificate Request Agent" application policy, it seems that I'm stuck.

Is there any way to manually sign a CSR so that it will be accepted by a Microsoft CA for a template which requires that specific additional signature?

Regards,
Peter

windows-active-directory

Peter-1841 answered

OK, I managed to partially resolve my problem utilizing COM objects within PowerShell.
Partially because in our current implementation we require for the issuance of certificates from our templates that the signed request must be signed by a certificate with a custom application policy AND must have a specific issuance policy.

The latter seems to be ignored or not usable using my current solution, but changing the requirement to only check for a specific application policy in the signing certificate works.

So I will close my question for being partially answered.

Here's the "code" I used to sign my request, if anyone might come across the same issue/question (this code requires/uses base64 encoding, check MSDN if you require other formats etc.):

# Hex thumbprint of the authorized signer's certificate (user store, private key required)
$certThumbprint = "......"

# Initialize(MachineContext, VerifyType, Encoding, Certificate)
#   0 = user context, 4 = VerifySmartCardSilent, 4 = XCN_CRYPT_STRING_HEX (thumbprint given as hex)
$signerCertificate = New-Object -ComObject X509Enrollment.CSignerCertificate
$signerCertificate.Initialize(0,4,4,$certThumbprint)

# Decode the external PKCS #10 request; 6 = XCN_CRYPT_STRING_BASE64_ANY (header optional)
# -Raw hands the file over as one string instead of an array of lines
$pkcs10Request = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$pkcs10Request.InitializeDecode((Get-Content C:\Path\To\Request.req -Raw),6)

# Wrap the PKCS #10 in a CMC request, attach the authorized signature and encode it
$cmcRequest = New-Object -ComObject X509Enrollment.CX509CertificateRequestCmc
$cmcRequest.InitializeFromInnerRequest($pkcs10Request)
$cmcRequest.SignerCertificates.Add($signerCertificate)
$cmcRequest.Encode()

# Write the signed CMC request (base64) for submission to the CA
$cmcRequest.RawData() | Set-Content "C:\Path\To\SignedRequest.req"

Example for submitting the request (which could also be done through COM-Objects ... but you get the idea):
certreq.exe -submit -attrib "CertificateTemplate:Org_TemplateName" -clientcertificate $certThumbprint -adminforcemachine -config https://ces.fqdn.tld/CAUrl/service.svc/CES "C:\Path\To\SignedRequest.req" "C:\Path\To\Response.cer"

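The CMC wrapping above works, but it signs with whatever certificate the thumbprint points at. As an added example (not Peter's code, and not an official Microsoft script), the function below performs the same X509Enrollment COM steps but first refuses to sign unless the signer certificate actually carries the application policy the template demands (application policies surface as EKU OIDs on the certificate), and it decodes the inner PKCS #10 so the subject and key length can be reviewed before the signature is applied. The function name, parameter names and the policy OID are assumptions; the OID must be replaced with the custom OID configured in your template. It checks the application policy only, which matches what Peter found to be the workable requirement; the issuance-policy check is not attempted here.

```powershell
# Added example: sign an external PKCS #10 as a CMC request with an authorized signer,
# after verifying the signer certificate carries the required application policy.
# Function and parameter names are hypothetical; the OID passed in is a placeholder.

function Invoke-AuthorizedCsrSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RequestPath,                  # base64 PKCS #10 from the external party
        [Parameter(Mandatory)] [string] $OutputPath,                   # where the signed CMC request is written
        [Parameter(Mandatory)] [string] $SignerThumbprint,             # hex thumbprint of the authorized signer
        [Parameter(Mandatory)] [string] $RequiredApplicationPolicyOid  # custom application policy OID (placeholder)
    )

    # Locate the signer certificate in the current user's personal store
    $signer = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $SignerThumbprint.ToUpper() }
    if (-not $signer) { throw "Signer certificate $SignerThumbprint not found in Cert:\CurrentUser\My" }
    if (-not $signer.HasPrivateKey) { throw "Signer certificate $SignerThumbprint has no private key" }

    # Application policies are carried in the Enhanced Key Usage extension; refuse to sign
    # with a certificate that lacks the OID the template's signature requirement names
    $ekuOids = $signer.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekuOids -notcontains $RequiredApplicationPolicyOid) {
        throw "Signer certificate lacks application policy $RequiredApplicationPolicyOid (present: $($ekuOids -join ', '))"
    }

    # Decode the external PKCS #10; 6 = XCN_CRYPT_STRING_BASE64_ANY (with or without header).
    # Surface the subject and key length so the request can be examined before signing.
    $pkcs10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $pkcs10.InitializeDecode((Get-Content -Path $RequestPath -Raw), 6)
    Write-Verbose ("Inner request subject: {0}" -f $pkcs10.Subject.Name)
    Write-Verbose ("Inner request public key length: {0} bits" -f $pkcs10.PublicKey.Length)

    # Bind the signer certificate by hex thumbprint:
    # 0 = user context, 4 = VerifySmartCardSilent, 4 = XCN_CRYPT_STRING_HEX
    $signerCom = New-Object -ComObject X509Enrollment.CSignerCertificate
    $signerCom.Initialize(0, 4, 4, $signer.Thumbprint)

    # Wrap the PKCS #10 in a CMC request, attach the authorized signature and encode
    $cmc = New-Object -ComObject X509Enrollment.CX509CertificateRequestCmc
    $cmc.InitializeFromInnerRequest($pkcs10)
    $cmc.SignerCertificates.Add($signerCom)
    $cmc.Encode()

    # 1 = XCN_CRYPT_STRING_BASE64; certreq -submit accepts this encoding
    Set-Content -Path $OutputPath -Value $cmc.RawData(1) -Encoding ascii
    return $OutputPath
}

# Usage (paths, thumbprint and OID are placeholders):
# Invoke-AuthorizedCsrSignature -RequestPath C:\Path\To\Request.req -OutputPath C:\Path\To\SignedRequest.req `
#     -SignerThumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
#     -RequiredApplicationPolicyOid '1.3.6.1.4.1.EXAMPLE.1' -Verbose
# certutil -dump C:\Path\To\SignedRequest.req   # confirm the CMC wrapper and signer before submitting
```

The policy check is the point of the wrapper: the CA enforces the signature requirement at submission time, but failing early on the signing workstation gives a clear error instead of a denied request, and it keeps an operator from accidentally signing with a certificate that merely shares the thumbprint prefix or lives in the wrong store. The `certutil -dump` line is a convenient way to inspect the resulting CMC, including the embedded PKCS #10 and the signer certificate, before handing it to `certreq -submit` or `Get-Certificate`.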

LimitlessTechnology-2700 answered

Hello Peter,

Graphical user interface:

Open a browser and go to the IP address of the Microsoft certificate server.
Click Request a certificate.

On the Request a certificate page, click advanced certificate request.
On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR file you downloaded from Enterprise Threat Protector.
In the Certificate Template list, select Subordinate Certificate Authority.

Click Submit.
On the Certificate Issued page, select Base 64 encoded.
Click Download certificate and save the certificate to a secure location.



Command line interface
How to
On the Microsoft certificate server, open a command prompt and run it as an administrator.
Enter this command:
certreq -submit -attrib "CertificateTemplate:SubCA" <certificateSigningRequest.csr>
where <certificateSigningRequest.csr> is the certificate signing request you generated

The Certification Authority List dialog appears.

Select the Certificate Authority (CA) that you want to sign the request and click OK.
Save the certificate as a .der file.

Luis P


Hello Luis,

thank you for your input.
Our Microsoft CAs do not provide the certificate website due to security restrictions. Additionally, all requests shall be submitted via CEP/CES.

However, the command line interface to submit the request is exactly the way we will submit the request (either via "Get-Certificate" or "certreq.exe").
But since the CSR is not signed by a trusted entity and has to be submitted for a template which requires an additional specific signature (so we have to submit a CMC which contains the original PKCS10, the signing certificate and the signature, which will then be validated by the CA), our CAs deny the submitted request.

So before submitting the request, which is provided by a foreign entity [ yes, it will be evaluated before signing and submitting ;-) ], we have to sign the request. After that we should be able to submit the request as you have pointed out.

Currently I'm attempting to achieve this signature with COM objects within PowerShell, but I am not very confident in being successful.
However, I might most likely be wrong in my understanding. So any help pointing me in the right direction is much appreciated.

Peter
