certreq for another AD User
Hi,
I need to be able to request a certificate from a user certificate template I've created for another AD User.
For testing purposes I'm logged on as my domain administrator, and when I try to execute the following PowerShell script it's not working. If I remove the requestername parameter everything is "ok", except that the certificate has been issued to the logged-on user, which is administrator.
Thanks for helping
Here's the error :
Certificate not issued (Denied) Error Verifying Request Signature or Signing Certificate None of the signers of the cryptographic message or certificate trust list is trusted. 0x8009202b (-2146885589)
Here's my script :
[string] $TemplateName = "CertTemplate"
[string] $CAName = "MyRootCA"
[string] $CertPath = "C:\TEST"
[string] $UserName = "test7"
write-host
write-host "Generating Request File"
remove-item $CertPath\usercert.inf -ErrorAction silentlycontinue
remove-item $CertPath\usercert.req -ErrorAction silentlycontinue
add-content $CertPath\usercert.inf "[NewRequest]`r
Subject = `"CN=$Username`"`r
Exportable = TRUE
Requestername = testlocal\test7
RequestType = CMC`r
[RequestAttributes]`r
CertificateTemplate = `"$TemplateName`"`r
SAN = `"Email=$Email`""
certreq -new $CertPath\usercert.inf $CertPath\usercert.req
write-host "Sending Certificate Request"
certreq -submit -config "$CAName" $CertPath\usercert.req $CertPath\$Username.cer
write-host "Installing Certificate"
certreq -accept $CertPath\$Username.cer
February 23rd, 2011 12:09pm
Hello,
for detailed CA questions the security forum is the better place:
http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
February 23rd, 2011 1:05pm
On Wed, 23 Feb 2011 17:03:51 +0000, Yveslap wrote:
I need to be able to request a certificate from a user certificate template I've created for another AD User.
In order to request a certificate on behalf of another user the following
conditions must be met:
1. The user making the request must have access to a certificate and its
corresponding private key that contains the Certificate Request Agent
purpose in the EKU (like the predefined Enrollment Agent template).
2. The template against which the request is to be issued must be
configured to require at least 1 authorized signature with an application
policy of Certificate Request Agent (on the Issuance Requirements tab).
3. The request must be signed with the certificate from step 1.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
One picture is worth 128K words.
February 24th, 2011 5:00am
Hi Paul,
Ok, I've configured the enrollment agent on the user that I want my script to run as for testing purposes, and I've set the issuance requirement to 1 signature.
If I use the wizard I'm able to start the request-on-behalf process, specify my agent certificate and the user for whom I want to enroll a certificate, and then it asks me for a smartcard...
Am I able to specify another target, like a local folder, to save the certificate for testing purposes???
And the real question is: in my script, how and where do I specify to use my agent certificate for the enroll on behalf?
Thanks for helping
February 24th, 2011 9:38am
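The three conditions in Paul's reply, carried through as a file-based script that also answers the last question (where the agent certificate goes): this is an added example, not code from the thread. It assumes the CA config string, the template name and the enrollment agent thumbprint are placeholders you replace, and that RequesterName in [NewRequest] (the key the original script already uses) plus "certreq -sign -cert" are the certreq options for this flow.

```powershell
# Added example (not from the thread): enroll-on-behalf-of (EOBO) with certreq, file based.
# Placeholders: CA config string, template name, enrollment agent thumbprint.
[string] $CAConfig        = "ca01.testlocal.local\MyRootCA"          # placeholder: Host\CAName
[string] $TemplateName    = "CertTemplate"                            # requires 1 agent signature
[string] $CertPath        = "C:\TEST"
[string] $TargetUser      = "testlocal\test7"                          # account the cert is issued to
[string] $AgentThumbprint = "<sha1-thumbprint-of-enrollment-agent-cert>"  # placeholder

$Subject = "CN=" + $TargetUser.Split('\')[-1]
$inf    = Join-Path $CertPath "eobo.inf"
$req    = Join-Path $CertPath "eobo.req"
$signed = Join-Path $CertPath "eobo.signed.req"
$cer    = Join-Path $CertPath ($TargetUser.Split('\')[-1] + ".cer")

# 1. Unsigned CMC request that names the user the certificate is for (condition 2:
#    the template must require one Certificate Request Agent signature).
@"
[NewRequest]
Subject = "$Subject"
RequestType = CMC
RequesterName = $TargetUser
Exportable = TRUE
[RequestAttributes]
CertificateTemplate = "$TemplateName"
"@ | Set-Content -Path $inf -Encoding ASCII

function Invoke-CertReq([string] $Label, [string[]] $Arguments) {
    Write-Host $Label
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq failed at '$Label' (exit $LASTEXITCODE)" }
}

Invoke-CertReq "Generating request" @("-new", $inf, $req)
# 2. Sign the request with the enrollment agent certificate (condition 1: the account
#    running this must hold that certificate and its private key; -cert selects it).
Invoke-CertReq "Signing as agent"   @("-sign", "-cert", $AgentThumbprint, $req, $signed)
# 3. Submit the signed request; the CA verifies the signer against the Issuance
#    Requirements, which is the check the unsigned request in the thread failed.
Invoke-CertReq "Submitting request" @("-submit", "-config", $CAConfig, $signed, $cer)
# 4. The key pair was generated in the store of the account running this script,
#    so -accept installs the issued certificate there, not in the target user's store.
Invoke-CertReq "Installing"         @("-accept", $cer)

# Defender note: an enrollment agent can obtain logon-capable certificates for other
# accounts, so keep agent certificates few and, where the CA supports it, restrict
# which agents may enroll for which users and templates on the CA's Enrollment Agents tab.
```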