CSR key usage is overridden by the CA template

Hello,

I need to issue a certificate with this Key Usage: Digital Signature, Key Encipherment, Key Agreement (a8).

The request is OK, but the Key Agreement (a8) does not appear in the issued certificate.

Gal

June 8th, 2015 8:53am

Did you set the certificate template to define key usage as you require?

Sounds like (based on the title) that you are attempting to thwart the certificate template settings. You will need to work with the PKI team to create a certificate template that meets your needs.

Brian

June 8th, 2015 11:57am

I chose Web Server and picked the required key usage using the extension, but never got the required Digital Signature, Key Encipherment, Key Agreement (a8).
June 8th, 2015 12:45pm

Again, that will not work. The Web Server certificate template has a specific Key Usage configured, and you cannot override it during a request. As stated earlier, someone with privileges in the network will have to duplicate the Web Server certificate template and set the Key Usage that you wish. In addition, permissions must be set to allow either you or the computer account (you are not clear on where this is going) the Read and Enroll permissions.

Brian

June 8th, 2015 2:05pm

I have the rights and changed the key usage, but never got the desired result of

digital Signature, Key Encipherment, Key Agreement (a8)

Gal

June 9th, 2015 3:18am

You cannot change the Key Usage on the Web Server certificate template; it is a v1.0 template.

You are leaving something out of your story. Please provide the missing link.

Brian

June 10th, 2015 12:16am

You are right.

I have duplicated the template,

chose Extensions, Key Usage, Edit,

under Signature I chose Digital signature, and under Encryption I chose "Allow key exchange only with key encryption" (I tried all combinations).

In the CSR I have (under Key Usage) Digital Signature, Key Encipherment, Key Agreement (a8),

and the resulting certificate always contains the following Key Usage: Digital Signature, Key Encipherment (a0).

Gal

June 10th, 2015 9:39am

Hi Gal,

Whenever the KeySpec attribute is not explicitly specified, it takes the default value of 2, i.e. it can be used for signing purposes only. For more detail, please refer to the following articles.

Error HRESULT: 0x80070520 when adding SSL binding in IIS

http://blogs.msdn.com/b/kaushal/archive/2012/10/07/error-hresult-0x80070520-when-adding-ssl-binding-in-iis.aspx

Client Certificates V/s Server Certificates

http://blogs.msdn.com/b/kaushal/archive/2012/02/18/client-certificates-v-s-server-certificates.aspx

Appendix 3: Certreq.exe Syntax

https://technet.microsoft.com/en-us/library/cc736326(v=ws.10).aspx

I'm glad to be of help to you!

June 12th, 2015 3:22am

Hello,

Still not working.
I am using CA 2008 R2.
Creating the request using certreq.
Using a duplicate of the Web Server template.

I have already done all the recommendations. Here is the request (part of it):

 Attribute[3]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
   Value[3][0]:
   Unknown Attribute type
   CSP Provider Info
   KeySpec = 1
   Provider = Microsoft RSA SChannel Cryptographic Provider
   Signature: UnusedBits=0

 Enhanced Key Usage
     IP security end system (1.3.6.1.5.5.7.3.5)
     Server Authentication (1.3.6.1.5.5.7.3.1)
     Client Authentication (1.3.6.1.5.5.7.3.2)

 1.3.6.1.4.1.311.21.10: Flags = 0, Length = 26
 Application Policies
     [1]Application Certificate Policy:
          Policy Identifier=IP security end system
     [2]Application Certificate Policy:
          Policy Identifier=Server Authentication
     [3]Application Certificate Policy:
          Policy Identifier=Client Authentication

 2.5.29.15: Flags = 1(Critical), Length = 4
 Key Usage
     Digital Signature, Key Encipherment, Key Agreement (a8)


The request INF file:

[Version]
Signature = "$Windows NT$"
[RequestAttributes]
CertificateTemplate = Copy of Web Server
[NewRequest]
Subject = "cn=aaaa,E=aaa.bbb@gmail.com"
MachineKeySet = TRUE
; 0xa8 = Digital Signature (0x80) | Key Encipherment (0x20) | Key Agreement (0x08)
KeyUsage = 0xa8
Exportable = TRUE
; 1 = AT_KEYEXCHANGE (the "KeySpec = 1" shown in the CSP Provider Info above)
KeySpec = 1
SMIME = FALSE

June 12th, 2015 9:15am
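The request above carries Key Usage a8 and the certificate comes back with a0. The following is an added example, not code from the thread or from certreq/certutil: a stand-alone Python script (standard library only) that decodes the Key Usage byte certutil prints, builds the DER BIT STRING that sits in the extension (the 4-byte value behind "Length = 4"), and diffs the Key Usage of a request against the issued certificate so the bits dropped by the CA template are listed by name. Everything in it is assumed: the bit labels, the script and file names, the OID scan used instead of a full ASN.1 parser, and the sample DER fragments, which are constructed here rather than taken from the thread.

```python
"""Key Usage helpers for comparing a certreq request with the certificate the
CA issued from its template. Added example, not code from the thread."""
import base64
import sys

# RFC 5280 KeyUsage bit numbers; bit 0 is the most significant bit of the first
# octet. Labels are spelled the way certutil prints the ones seen in the thread.
KEY_USAGE_BITS = {
    "Digital Signature": 0, "Non-Repudiation": 1, "Key Encipherment": 2,
    "Data Encipherment": 3, "Key Agreement": 4, "Certificate Signing": 5,
    "CRL Signing": 6, "Encipher Only": 7, "Decipher Only": 8,
}
KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # DER-encoded OID 2.5.29.15

def bits_to_names(ku):
    """b'\\xa8' -> ['Digital Signature', 'Key Encipherment', 'Key Agreement']."""
    names = []
    for name, bit in KEY_USAGE_BITS.items():
        octet, pos = divmod(bit, 8)
        if octet < len(ku) and ku[octet] & (0x80 >> pos):
            names.append(name)
    return names

def names_to_bits(names):
    """Inverse of bits_to_names; the first octet as hex is the certreq INF
    'KeyUsage =' value (0xa8). An unknown name raises KeyError."""
    octets = bytearray(2)
    for name in names:
        octet, pos = divmod(KEY_USAGE_BITS[name], 8)
        octets[octet] |= 0x80 >> pos
    if octets[1] == 0:  # DER drops a trailing all-zero octet
        octets.pop()
    return bytes(octets)

def der_key_usage(ku):
    """DER BIT STRING: tag 03, length, number of unused trailing bits, octets.
    a8 = 1010 1000 ends in three zero bits, so the value is 03 02 03 a8: the
    4 bytes certutil reports as 'Length = 4' for the request in the thread."""
    last, unused = ku[-1], 0
    while last and last & 1 == 0:
        last, unused = last >> 1, unused + 1
    return bytes([0x03, len(ku) + 1, unused]) + ku

def build_extension(critical, ku):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }."""
    value = der_key_usage(ku)
    body = KEY_USAGE_OID + (bytes.fromhex("0101ff") if critical else b"")
    body += bytes([0x04, len(value)]) + value
    return bytes([0x30, len(body)]) + body

def find_key_usage(der):
    """Return (critical, key-usage octets) for the KeyUsage extension of a DER
    CSR or certificate, or None. This scans for the extension OID rather than
    parsing the whole ASN.1 structure; adequate for well-formed blobs, where
    that 5-byte OID encoding only occurs as an extnID."""
    i = der.find(KEY_USAGE_OID)
    if i < 0:
        return None
    p = i + len(KEY_USAGE_OID)
    critical = False
    if der[p] == 0x01:  # optional BOOLEAN critical
        critical, p = der[p + 2] != 0, p + 3
    if der[p] != 0x04 or der[p + 2] != 0x03:  # OCTET STRING holding a BIT STRING
        raise ValueError("malformed KeyUsage extension")
    bitstring = der[p + 2 : p + 2 + der[p + 1]]
    return critical, bitstring[3:]  # skip tag, length and unused-bits count

def template_dropped(csr_der, cert_der):
    """Key Usage bits the request asked for that the issued certificate lacks."""
    requested, issued = find_key_usage(csr_der), find_key_usage(cert_der)
    if requested is None:
        return []
    have = bits_to_names(issued[1]) if issued else []
    return [n for n in bits_to_names(requested[1]) if n not in have]

def load_der(blob):
    """Accept raw DER or the Base64 .req/.cer text that certreq and the CA write."""
    if blob.lstrip().startswith(b"-----"):
        lines = [l for l in blob.splitlines() if not l.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return blob

# Constructed sample input, not data from the thread: the KeyUsage extension a
# request with 0xa8 and a certificate with 0xa0 carry, wrapped in filler bytes
# that stand in for the rest of the structure.
SAMPLE_CSR = b"\x30\x82\x01\x00" + build_extension(True, b"\xa8") + b"\x00" * 8
SAMPLE_CERT = b"\x30\x82\x01\x00" + build_extension(True, b"\xa0") + b"\x00" * 8

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python ku_diff.py request.req issued.cer
        csr, cert = [load_der(open(f, "rb").read()) for f in sys.argv[1:3]]
    else:
        csr, cert = SAMPLE_CSR, SAMPLE_CERT
    print("requested:", bits_to_names(find_key_usage(csr)[1]))
    print("issued:   ", bits_to_names(find_key_usage(cert)[1]))
    print("dropped by the CA template:", template_dropped(csr, cert))
```

Run it as `python ku_diff.py request.req issued.cer` on the files from certreq -new and certreq -submit (hypothetical names); with the thread's values the dropped list is just Key Agreement. The check only confirms that the CA rewrote the extension from the template; the fix still has to be made in the template, as the answers above say.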

Per the dialog box for defining Key Usage in a certificate template, you are attempting to enable two mutually exclusive options:

You have to choose whether to allow key exchange with or without key encryption. You can never enable both options. Where are you getting this design spec from? I have never run into a case previously where this combination of key usage attributes has been required.

Brian

June 12th, 2015 11:24am

Hi

Thanks again

What I need to produce is a certificate for some product that requires 3 usages.

That's why I inserted a8 as the key usage in the INF file.

For the key usage template dialog I tried all combinations but never got the key agreement in the final cert.
June 13th, 2015 3:26am