Certificate Extensions and Request Attributes
Hi! Can somebody give me a good explanation on what those are? I know that when you need to have a custom SAN, you should go with the Certificate Extension. Is it possible to modify both the Certificate Extensions and Request Attributes when you Enroll for a Certificate? Kind regards Mikael
May 22nd, 2012 8:00am

It is a tough question. Generally speaking, extensions are authenticated fields which are supposed to be added to a certificate. Request attributes can be authenticated and unauthenticated and are used by the CA to construct the target certificate. You cannot add/remove or override extensions (and authenticated attributes), because they are authenticated (signed). But you can add additional attributes to the request. There are a couple of ways to add extensions (requires special processing) and attributes, and they depend on your task.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
May 22nd, 2012 9:14am

Hi Vadims! I'm very glad that you responded to my question. It's a tough question like you said. The reason why I am asking this is to get a deeper understanding of the certificate request process. If I relate what you typed to the process regarding Enrollment of a Certificate with a custom SAN: the documentation states clearly that you should use an Extension if you do it with Certreq. Is it Authenticated or unauthenticated from a CA standpoint, or to whom does Authenticated/unauthenticated relate? CA Admin Person?

Kind regards Mikael
May 23rd, 2012 5:32am

> if you do it with Certreq. Is it Authenticated or unauthenticated from a CA standpoint

It is unauthenticated. Think about this: when you generate a certificate request, all fields and extensions are embedded into the request. After that the request is signed by a newly generated key pair (new certificate request) or by using an existing key pair (if a particular certificate is renewed). All signed content is authenticated (at this point these two words, signed and authenticated, are equal and mean the same). The key pair used to sign the request remains on the machine where it was generated. But you can submit this request from any other machine. Since you no longer have access to the signing key pair, extended attributes (which you specify during request submission) cannot be authenticated. The CA server assumes that authenticated attributes and extensions are safe, but unauthenticated attributes are unsafe for processing. Therefore the CA enforces additional restrictions on unauthenticated attributes. That is, if you submit the SAN extension as an unauthenticated attribute, the CA server MUST be configured to allow SAN as an attribute, and this is why the document recommends embedding the SAN extension directly in the request, because the SAN extension is authenticated and is considered safe for processing. But not all extensions are restricted. For example, many 3rd party applications and devices are not aware of the Certificate Template extension, because it is Microsoft's proprietary extension, and generate requests with no template information. Since this extension is not security critical (unlike SAN), you can pass it as an unauthenticated attribute during request submission without any problems, like this:

certreq -submit -attrib "CertificateTemplate:TemplateName"

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
May 23rd, 2012 6:58am
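The two mechanisms described in the answer above, as an added PowerShell example that is not from the thread: the SAN travels as an authenticated extension inside the signed request, the template name is passed as an unauthenticated submit-time attribute, and the CA's EditFlags are checked so that SAN is not also being accepted as an unauthenticated attribute. Host names, the CA config string, the template name and the file paths are placeholders.

```powershell
# Added example (not from the thread). Host names, CA config string and template
# name are placeholders; run on a domain-joined machine that has certreq/certutil.
$base = Join-Path $env:TEMP 'san-request'
$inf  = "$base.inf"; $req = "$base.req"; $cer = "$base.cer"

# The SAN goes into [Extensions]: it is covered by the request signature, so the
# CA treats it as authenticated content and needs no special EditFlags to honour it.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=web01.example.test"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=web01.example.test&"
_continue_ = "dns=www.example.test&"
'@ | Set-Content -Path $inf -Encoding Ascii

# Generate the key pair and the signed PKCS#10 request from the INF.
certreq -new -q $inf $req

# The Certificate Template extension is not security critical, so it can be
# supplied as an unauthenticated attribute when the request is submitted.
certreq -submit -q -config 'CA01.example.test\Example Issuing CA' `
    -attrib 'CertificateTemplate:WebServer' $req $cer

# Defender check, run on the CA itself: EDITF_ATTRIBUTESUBJECTALTNAME2 makes the
# CA accept "san:" as an unauthenticated request attribute for every template,
# i.e. names the CA never verified. It should normally be absent from EditFlags.
$editFlags = certutil -getreg policy\EditFlags
if ($editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning 'CA accepts SAN as an unauthenticated attribute; review policy\EditFlags.'
} else {
    Write-Host 'CA does not accept SAN as an unauthenticated attribute.'
}
```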

Hi Vadims! Great info! Thank you for sharing. Kind regards Mikael
May 25th, 2012 2:11am
