Manually request a user certificate
Hi. As part of a project, I've been tasked with learning how to manually request a user certificate from our Server 2008 R2 server, which I've done - when I request the cert, whichever user is logged in at the computer I'm on is issued a certificate. My issue now is how to request user certs for specific users from a single computer, regardless of the user currently logged on. Are there RequestPolicy.inf entries I can make? Thanks!! Lee
August 8th, 2011 3:34pm

You need to use an enrollment agent to be able to request a certificate on behalf of another user. Read more about the enrollment agents option http://technet.microsoft.com/es-es/library/cc782506(WS.10).aspx and enrolling on behalf of another user http://technet.microsoft.com/en-us/library/cc770802.aspx /Hasain
August 8th, 2011 3:46pm

Thanks for your reply Hasain, but this is something that will eventually involve automating manual user cert requests with a custom SAN like this: http://technet.microsoft.com/en-us/library/ff625722%28WS.10%29.aspx , but won't use the Certificate Enrollment wizard. I'm also using our domain admin account. Thanks again.
August 8th, 2011 4:17pm

Look at the "Using certreq.exe" section in article http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx#BKMK_Certreq. Besides the information in the article you need to create a certificate template that enables you to specify Subject and SAN in the request to automate/script this. /Hasain
August 8th, 2011 4:31pm

Fabulous! I've found that if I change the Request Type to CMC I can specify a Requestername. Unfortunately, I (and others, apparently) get the error: "Certificate Request Processor: Error Verifying Request Signature or Signing Certificate None of the signers of the cryptographic message or certificate trust list is trusted. 0x8009202b (-2146885589)" Any idea on why this would occur? Lee
August 8th, 2011 5:49pm

You do not need to use CMC; PKCS10 is just fine for this type of request. The Requestername is automatically set to the user account submitting the request and does not need to be specified. /Hasain
August 8th, 2011 7:32pm

Right, that's the behavior I need to get around. I need the CA to be able to process the requestername so when we automate the process I wouldn't have to log in as every user who needs a User Cert. I found the following directions for enabling this, but haven't had any luck yet:

1. The user making the request must have access to a certificate and its corresponding private key that contains the Certificate Request Agent purpose in the EKU (like the predefined Enrollment Agent template). I've got the Enrollment Agent Certificate on my laptop, as well as those of a User and Administrator.
2. The template against which the request is to be issued must be configured to require at least 1 authorized signature with an application policy of Certificate Request Agent (on the Issuance Requirements tab). I duplicated the User template and added this requirement.
3. The request must be signed with the certificate from step 1. ***I'm a little foggy on this step. Perhaps this is failing because I have the other certificates on board as well? I deleted all certs but that of the Certificate Request Agent, but still no luck.

[NewRequest]
Subject = "CN=dc.tachc.org" ; Remove to use an empty Subject name.
; Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
; If you are using another protocol, verify the certificate requirements.
Exportable = FALSE ; TRUE = Private key is exportable
KeyLength = 2048 ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange - Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
Requestername = tachc.org\test1
RequestType = CMC

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format.
; Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=dc.tachc.org&"
_continue_ = "dn=CN=dc,OU=Domain Controllers,DC=tachc,DC=org&"
_continue_ = "ipaddress=10.1.1.10&"
_continue_ = "email=ldavila@tachc.org&"
_continue_ = "upn=ldavila@tachc.org&"
_continue_ = "guid=51ga2ou7-5d73-851d-73c7-5e3c0f6e251e&"

[RequestAttributes]
CertificateTemplate = CAUser
August 8th, 2011 8:58pm

After generating the request you need to sign it with the agent certificate using: certreq.exe -sign request.file signedrequest.file /Hasain
August 9th, 2011 12:14am

Thanks Hasain, I think I've almost got it! My stumbling block now just seems to be the actual file names to place after the -sign. My step 1 to generate the request:

Certreq.exe -new RequestPolicy.inf CertificateRequest.req

However, when I try to sign it with:

Certreq.exe -sign CertificateRequest.req SignedRequest.req

I get an error: Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)

Technet suggests: CertReq -Sign [RequestFileIn [RequestFileOut]] But I'm still not sure which files this refers to. Many thanks!
August 9th, 2011 3:56pm

A potential problem is that the certutil command is failing because the output file exists. Delete the output file first, or use the –f option to overwrite it.
August 11th, 2011 6:37am

Thanks Kurt, but it appears that Certreq is expecting that file to be present. After further digging, I found this: Once the template administrator has configured the template to require one or more signatures on a certificate request, you must add these signatures to the request in order for the CA to process it correctly. The default Certificate Services Web enrollment pages can add only one signature to a certificate request, specifically when an Enrollment Agent certificate is used to request a smart card certificate on behalf of another user. If more than one signature is required, you must add these signatures with certreq.exe –sign from the command line to the raw certificate request, one at a time. Again, this begs the question HOW is this done? How do you add a signature to a raw certificate request?
August 11th, 2011 4:04pm

I will take your question to someone who knows certreq better than anyone I have ever seen and see what he has to say about this situation.
August 11th, 2011 10:41pm

Signing a CMC request with an enrollment agent certificate is very simple if you would like to do it without certreq. Please see the cmcSigner Tool on my blog http://secadmins.com/?page_id=184, the tool is just a proof of concept and full source is included. /Hasain
August 12th, 2011 12:00am

I asked this question to our internal guru of certificates and certutil commands, IMO. Anyways, he came back with a detailed and explanatory response that I hope will help you:

Regarding: I've found that if I change the Request Type to CMC I can specify a Requestername. Unfortunately, I (and others, apparently) get the error: "Certificate Request Processor: Error Verifying Request Signature or Signing Certificate None of the signers of the cryptographic message or certificate trust list is trusted. 0x8009202b (-2146885589)"

What you then need to do is sign with an enrollment agent cert, as advised by: You need to use an enrollment agent to be able to request a certificate on behalf of another user, read more about the enrollment agents option Selecting Certificate Enrollment Options and the enroll on behalf of another user Enroll for Certificates on Behalf of Other Users.

However, there are two separate issues presented in this thread:

EOBO enrollment (Enroll On Behalf Of)
A CMC request (or a Pkcs7 request) is required for EOBO enrollment. The RequesterName (the target user/machine SAM Name) must be specified, and the request must be signed by a cert that is valid for NTAuth and the szOID_ENROLLMENT_AGENT EKU (1.3.6.1.4.1.311.20.2.1). The syntax for supplying the RequesterName is correct, but you need to tell certreq which cert to use to sign the request. The -cert option is used to specify the signing cert. Use -cert * to pick the cert from the U/I. Use -cert CertId to filter the set of certs presented in the U/I. Use -cert 1.3.6.1.4.1.311.20.2.1 to show only the available EA certs. If the CertId used is unambiguous (if only one match is possible), then you can use the -q option to suppress the U/I. The thumbprint or serial number of the EA cert should be unambiguous. If only one cert exists, then the CN or the above OID may also be unambiguous.

Offline template
When an offline template is used, the subject information supplied in the request is passed through to the issued cert. In this case, the CA should never automatically issue the cert. A CA officer or admin should manually verify the content and the origin of the request before issuing the cert. The following syntax attempts to specify the Subject and the SAN extension in the request:

[NewRequest]
Subject = "CN=dc.tachc.org"
…
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=dc.tachc.org&"
...

An EOBO template will ignore and overwrite both of these with information fetched from AD for the target user or machine.
August 12th, 2011 12:24am

Thanks Kurt, I've got the EOBO stuff set up, but don't follow the directions on the "-cert". This doesn't appear to be a valid switch for certreq.exe, is it to be included as part of the PolicyRequest.inf? Lee
August 12th, 2011 4:49pm

I looked into this myself and could not find it. I am checking. Sorry for the delay, there were a lot of other things happening today.
August 13th, 2011 12:41am

Just tested this again, the certreq.exe in Windows 2008 R2 SP1 could not sign the request using "certreq.exe -sign request.req signedrequest.req" and terminated with the error:

Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)

The Windows 2003 version of certreq.exe worked just fine in 2008 R2 SP1 and could sign the request with no errors! The test setup is using a v2 template with subject information supplied in the request and with one agent signing as an issuance requirement. My test request.inf file is:

---------------------------------------------
[NewRequest]
RequestType = CMC
Subject = "CN=sctest"
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "email=ldavila@tachc.org&"
_continue_ = "upn=ldavila@tachc.org&"
[RequestAttributes]
CertificateTemplate = user1
---------------------------------------------

The procedure followed with both versions of certreq.exe is:

certreq -new request.inf certificate.req
certreq -sign certificate.req signedcertificate.req [the tool prompts for agent cert if -cert is omitted]
certreq -submit signedcertificate.req certificate.cer

The requester name is filled in by certreq/CA correctly when looking at the ADCS database. This must indicate a bug in certreq.exe version 2008 R2 SP1. The working certreq.exe is part of the Windows Server 2003 Administration Tools Pack downloaded from http://www.microsoft.com/download/en/confirmation.aspx?id=16770 /Hasain
August 13th, 2011 1:21am

Answer to the previous question regarding -cert: This is for certreq -new, not certutil. See certreq -new -? and then see Certutil -store -? for additional ways that you can also identify the cert in the certreq -new command, because the help does not show all the options for identifying the certificate in certreq -new.

CertId -- Certificate or CRL match token. This can be a serial number, an SHA-1 certificate or public key hash, a numeric cert index (0, 1, etc.), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId. Many of the above may result in multiple matches.

As for the potential bug, I am wondering if there was a change in the syntax of functionality. I will check on this to see if there is either a bug to file or a change to update. Anyways, I am getting some other people involved to help figure out this particular issue. Sorry you are having such trouble, but I am glad you've made progress. I will report back on what I find out.
August 13th, 2011 1:46am

I have asked the writer for the team responsible for this feature. As it was Friday afternoon, he said he would check on Monday. :-)
August 13th, 2011 4:20am

I received a response already from our certificate services guru and it appears you did identify a problem with certreq. When certreq tries to look up a template using the template OID string, the error 0x800704df (WIN32: 1247) could occur in a couple of situations: if certreq -new's INF file specified the OID instead of the template name, as in CertificateTemplate=1.2.3…. It could also happen when attempting certreq -sign on a request that contains a template OID extension. If the "user1" template is a V2 or V3 template in the failing scenario, that would explain why certreq -sign failed in this manner. Possible workaround: Using certreq -new and specifying the -cert option at the same time should not have this problem, because the INF file specified the template's non-localized name. This is something that will be on the table for revision in the next version. Until then, it looks like you found another workaround.
August 13th, 2011 10:48am

Just a followup, I copied certreq.exe from a Server2003 box to my Server2008 R2 Domain Controller, followed Hasain's instructions:

certreq -new request.inf certificate.req
certreq -sign certificate.req signedcertificate.req [the tool prompts for agent cert if -cert is omitted]
certreq -submit signedcertificate.req certificate.cer

and it worked famously! Thanks again Hasain and Kurt!
August 15th, 2011 9:15pm

Yes, thanks Hasain for finding a solution! I am glad that I could help by confirming that there were issues with the tool. What a bummer! Fortunately there is a solution and a future plan to resolve it. For now, you will have to either get the older software or carefully specify the certreq -new and -cert option when making such requests.
August 15th, 2011 9:23pm
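The following PowerShell script puts the two workarounds from this thread together as an added example (it is not code from the thread, from Hasain or Kurt, or from Microsoft): it signs the CMC request at certreq -new time with -cert, so the failing certreq -sign pass on a V2/V3 template is never run, and it keeps Subject/SAN out of the INF because the EOBO template overwrites them from AD anyway. The target user, the "CAUser" template name, the work directory and the use of $LASTEXITCODE to detect a non-issued (for example pending) submission are assumptions for illustration.

```powershell
# Added example for this thread (not Hasain's or Kurt's code): enroll on behalf of
# a target user with the 2008 R2 SP1 certreq by signing at -new time with -cert,
# which sidesteps the certreq -sign failure on V2/V3 templates described above.
# Assumptions (placeholders): an Enrollment Agent cert with a private key is in the
# current user's store, the duplicated User template is published as "CAUser" and
# requires one Certificate Request Agent signature, and the CA is reachable.
param(
    [Parameter(Mandatory)] [string] $TargetUser,   # e.g. 'tachc.org\test1'
    [string] $Template = 'CAUser',
    [string] $WorkDir  = (Join-Path $env:TEMP 'eobo')
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$inf = Join-Path $WorkDir 'request.inf'
$req = Join-Path $WorkDir 'certificate.req'
$cer = Join-Path $WorkDir 'certificate.cer'

# Locate the agent cert by the szOID_ENROLLMENT_AGENT EKU and insist on exactly one
# match, so the thumbprint handed to -cert is unambiguous and -q can suppress the UI.
$ea = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.20.2.1' })
})
if ($ea.Count -ne 1) { throw "Expected exactly one Enrollment Agent cert, found $($ea.Count)" }

# Template name, not OID, in the INF: the OID lookup is what triggers 0x800704df.
# No Subject/SAN: an EOBO template replaces them with the target user's AD data.
@"
[NewRequest]
RequestType = CMC
RequesterName = $TargetUser
Exportable = FALSE
KeyLength = 2048
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# -cert signs the CMC request with the agent cert during -new, so no -sign pass is needed.
& certreq.exe -new -q -f -cert $ea[0].Thumbprint $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Submit. A CA that holds requests on this template for officer review (the safe
# setting when subject data comes from the request) does not return a cert here.
& certreq.exe -submit -q -f $req $cer
if ($LASTEXITCODE -ne 0) {
    throw "certreq -submit did not issue (exit code $LASTEXITCODE); check the CA's pending requests"
}
Write-Host "Issued certificate for $TargetUser written to $cer"
```

The request and issued certificate end up in the work directory; on a CA configured to hold EOBO requests, look for the request under Pending Requests in the Certification Authority console rather than for certificate.cer.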
