Generating hardware protected OCSP certificate using certreq
Hi All,
I am having difficulty generating a certificate request using certreq where I want the private key protected by an nCipher HSM. When I go to generate the certificate request I receive the following error:
Key not valid for use in specified state. 0x800900b
My server is on the Windows Server 2008 R2 platform and I am using an nCipher network HSM. I have tried generating the request using certreq and by using the MMC snapin but keep on getting the same error.
If I try to enrol against another v3 certificate template with a similar configuration, e.g. an enrolment agent certificate and using the same settings in the inf file, I get prompted to create the private key in the HSM. Due to this I suspect that the problem lies with a configuration on the template.
The OCSP template I am using is a direct duplicate of the default one with settings changed to allow the hardware KSP and to change the validity period. I also get the same error trying to enrol against the default OCSP template.
Here is my policy.inf file:
[NewRequest]
KeyLength = 2048
MachineKeySet = TRUE
ProviderName = "nCipher Security World Key Storage Provider"
ProviderType = 1
RequestType = CMC
Subject = "CN=XXX-OCSP-Signing"
[RequestAttributes]
CertificateTemplate = "XXX-OCSP-Signing-Certificate"
Any help would be appreciated,
Many Thanks
Chris
EDIT: I think I've now solved this. I removed the "Add permissions to the Network Service...." setting from the Request Handling tab and all appears to be now working!
September 30th, 2010 12:19pm
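The steps from the post, as an added example that is not from the thread or from the HSM vendor: a PowerShell script that checks the KSP is registered, dumps the template as the CA publishes it (the Request Handling flags are what the fix touched), writes the same policy.inf, runs certreq, decodes a failing exit code with certutil, and then lists the key containers held by the HSM provider to confirm the new key landed there. The provider, template and subject names are the ones from the post; the temp-file paths and the step ordering are assumptions.

```powershell
# Added example, not code from the thread. Assumes Windows Server 2008 R2 or later,
# the nCipher client software installed, and a domain-joined machine that can read
# the certificate template from Active Directory.

$Provider = 'nCipher Security World Key Storage Provider'   # KSP named in the post
$Template = 'XXX-OCSP-Signing-Certificate'                   # template name from the post
$Subject  = 'CN=XXX-OCSP-Signing'                            # subject from the post
$InfPath  = Join-Path $env:TEMP 'ocsp-policy.inf'            # assumed paths
$ReqPath  = Join-Path $env:TEMP 'ocsp-request.req'

# 1. The KSP must be registered on this host, otherwise certreq cannot create the key
#    in the HSM at all (a different failure from the one in the thread, but worth
#    ruling out first).
$csps = certutil -csplist
if (-not ($csps | Select-String -SimpleMatch $Provider)) {
    throw "Provider '$Provider' is not registered on this machine."
}

# 2. Dump the template as published by the CA. Review the Request Handling settings
#    here; the thread's fix was clearing "Add permissions to the Network Service"
#    on that tab of the duplicated OCSP template.
certutil -v -template $Template

# 3. Record which key containers the HSM provider holds before the request, so the
#    new container can be identified afterwards.
$before = certutil -csp $Provider -key

# 4. Write the same [NewRequest] / [RequestAttributes] sections the post uses.
@"
[NewRequest]
KeyLength = 2048
MachineKeySet = TRUE
ProviderName = "$Provider"
ProviderType = 1
RequestType = CMC
Subject = "$Subject"

[RequestAttributes]
CertificateTemplate = "$Template"
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 5. Generate the request. certreq exits with the HRESULT on failure; format it as
#    eight hex digits and let certutil translate it to its symbolic name.
certreq -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) {
    $hr = '0x{0:x8}' -f $LASTEXITCODE
    certutil -error $hr
    throw "certreq -new failed with $hr"
}

# 6. Confirm the private key was created in the HSM provider rather than a software
#    KSP: any container present now but absent from the earlier listing is the new key.
$after = certutil -csp $Provider -key
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Where-Object { $_.SideIndicator -eq '=>' } |
    ForEach-Object { "New container in ${Provider}: $($_.InputObject)" }
```

Run it in an elevated prompt, since MachineKeySet = TRUE writes to the machine key store. Step 6 is the check that matters for an OCSP signing key: the certificate request alone does not prove where the key lives, the provider's own container listing does.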
Hi Chris,
You got it. For full details, look for "Using a hardware security module (HSM) to protect OCSP signing keys" in the following whitepaper:
http://technet.microsoft.com/en-us/library/cc770413(WS.10).aspx.
Thanks,
John
September 30th, 2010 2:15pm
EDIT: I think I've now solved this. I removed the "Add permissions to the Network Service...." setting from the Request Handling tab and all appears to be now working!
I've had a similar experience when using an nCipher HSM. After we removed the permissions assigned to Network Service, everything worked fine.
Martin
September 30th, 2010 2:44pm
Make sure that you are using the 11.40 client software. There were some known bugs with the KSP when interacting with OCSP
Brian
September 30th, 2010 4:13pm
Hi Brian,
I'm only on 11.30, we're getting an nShield Edge shipped in the next couple of days so I'm hoping it will come with the latest client software. Otherwise I'll have to speak with Thales.
Thanks
Chris
October 1st, 2010 3:19am