Jiewei-4054 asked Crypt32 commented

Create CSR file when installing Certificate Authority

If done via the GUI, there is an option to generate a CSR request file.

However, when I try to install the certificate Authority via Powershell, there is no such option.
https://docs.microsoft.com/en-us/powershell/module/adcsdeployment/install-adcscertificationauthority?view=windowsserver2019-ps

I resorted to using certreq -new to generate a new .req file from the following .inf file:

[newrequest]
Subject = "CN=mySubCA"
HashAlgorithm = sha256

, but when installing it via the PowerShell command (after approving and exporting it from the Root CA)

 Install-AdcsCertificationAuthority -CAType StandaloneSubordinateCA -CertFile C:\Users\Administrator\Desktop\cert.p7b

the following error is given:

 The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA).

I'd like to know 1) Is it possible to create the p7b file before creating the Certificate Authority?
2) Is it possible to generate the csr request from Powershell alone?


How is it not available in PowerShell? I clearly see that there is an -OutputCertRequestFile parameter which allows you to save the CSR to a file.

Jiewei-4054 answered

The issue was indeed not using the .p12/.pfx file. However, issues will also arise should some of the settings clash between the root CA and the subordinate CA, e.g. provider information. Hope you guys will be able to release the entire list of default configuration on this.

LimitlessTechnology-2700 answered

Hello @Jiewei-4054

I would recommend checking the following potential scenarios that usually lead to this error:

a) You copied the wrong CSR to the root CA and submitted it

b) You created the new CSR properly, copied it to the root CA but accidentally submitted the original CSR

c) You successfully submitted the new CSR, but accidentally exported the old version of the CA certificate.

About your questions:
1) You will need the CA first.
2) It may need a bit of tweaking depending on the Certification Authority, but normally I use the following script (as an example):

 # $CertName is defined inside the script block, so the progress message is written
 # there too (the original wrote it before the variable existed and printed an empty name).
 Invoke-Command -ComputerName testbox -ScriptBlock {
     $CertName  = "newcert.contoso.com"
     $CSRPath   = "c:\temp\$($CertName)_.csr"
     $INFPath   = "c:\temp\$($CertName)_.inf"
     $Signature = '$Windows NT$'   # single quotes keep the text literal; it is expanded into the INF below
     Write-Host "Creating CertificateRequest(CSR) for $CertName `r"
     # Here-string: the opening @" must end its line and the closing "@ must start at column 0.
     # KeyUsage 0xa0 = digitalSignature + keyEncipherment; EKU 1.3.6.1.5.5.7.3.1 = server authentication.
     $INF = @"
[Version]
Signature = "$Signature"
[NewRequest]
Subject = "CN=$CertName, OU=Contoso East Division, O=Contoso Inc, L=Boston, S=Massachusetts, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@
     Write-Host "Certificate Request is being generated `r"
     $INF | Out-File -FilePath $INFPath -Force
     # certreq generates the key pair in the machine store and writes the PKCS#10 request
     certreq -new $INFPath $CSRPath
 }
 Write-Output "Certificate Request has been generated"

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--

Jiewei-4054 answered Jiewei-4054 edited

Hi @LimitlessTechnology-2700

Thanks for the reply; however, I believe the error lies in using a .p7b file instead of a .p12 file, which contains the private key information while a .p7b file does not, as the above code does not work either.
As part of the question, however, given a .cer file obtained from the root CA, how do we obtain the private key of the certificate signing request (CSR) generated previously so that we can create the .p12 file to use?
Do let me know if I'm correct.

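The flow the thread converges on, letting the CA cmdlet create the key pair and the CSR and then installing the root-signed certificate against that same key, as an added PowerShell example that is not from any of the posters. The paths, common name and provider settings are assumed placeholders.

```powershell
# Added example: two-phase subordinate CA install without a PFX.
$ReqFile  = 'C:\CA\SubCA.req'   # assumed: CSR written by phase 1
$CertFile = 'C:\CA\SubCA.p7b'   # assumed: certificate (with chain) returned by the root CA

# Phase 1: install the role without -CertFile. The cmdlet generates the key pair in the
# local machine store and writes the CSR to -OutputCertRequestFile; the CA service stays
# stopped until a matching signed certificate is installed. Using the same provider, key
# length and hash settings here avoids the root/subordinate configuration clashes the OP hit.
Install-AdcsCertificationAuthority -CAType StandaloneSubordinateCA `
    -CACommonName 'mySubCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile $ReqFile -Force

# ... submit $ReqFile to the root CA, approve it, export the issued certificate to $CertFile ...

# Phase 2: bind the signed certificate to the pending key from phase 1 and start the service.
# This is the step where a .p7b is valid, because the private key is already in the machine store.
# (-CertFile on the cmdlet is only for the other route: a .pfx that carries the key, given with -CertFilePassword.)
certutil -installCert $CertFile
Start-Service certsvc

# Sanity check: the CA should report its name and the service should be running.
certutil -cainfo name
Get-Service certsvc
```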