CES - certificate template definition in MS-WSTEP

  • Question

  • We are implementing a service on the Linux platform for issuing certificates using CES (Certificate Enrollment Web Services), which resends certificate requests to the authority (Enterprise CA). The problem is that the certificate requests do not contain any information about the template which should be used for issuing. The template name must be explicitly defined by the service we provide.

    We have tried to create a SignedData envelope and include the template name as a PKCS#7 attribute, however it did not help.
    Is it possible to define CertificateTemplate explicitly in the MS-WSTEP protocol, or is there any way to ensure that the CA will get the template name which should be used?

    Friday, October 23, 2015 7:09 AM

All replies

  • Hi,

    It seems that your question is coding and development related.

    After a quick search, I found the link below:

    https://msdn.microsoft.com/en-us/library/dd340609.aspx?f=255&MSPPError=-2147217396

    Besides, you may try to post your question on the forum below:

    https://social.msdn.microsoft.com/Forums/en-US/home?forum=os_windowsprotocols

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, October 26, 2015 9:09 AM
  • You need to add the certificate template extension in the request. When you contact the policy server via [MS-XCEP], it returns a list of available certificate templates for you. Template information includes the template object identifier and major and minor versions.

    I assume that you are familiar with general X.509 certificate extension encoding, so you only need to know how to encode the particular extension value. Here is the ASN.1 module for a generic certificate extension (ref. RFC 5280):

    Extension ::= SEQUENCE
    {
       extnId              OBJECT IDENTIFIER,
       critical            BOOLEAN DEFAULT FALSE,
       extnValue           OCTET STRING
    }

    and the Certificate Template extension value (inside the OCTET STRING) is:

    ----------------------------------------------------------------------
    -- CertificateTemplate
    -- XCN_OID_CERTIFICATE_TEMPLATE (1.3.6.1.4.1.311.21.7)
    ----------------------------------------------------------------------

    CertificateTemplate ::= SEQUENCE
    {
       templateID              EncodedObjectID,
       templateMajorVersion    TemplateVersion,
       templateMinorVersion    TemplateVersion OPTIONAL
    }

    -- the template's object identifier as returned by the policy server
    EncodedObjectID ::= OBJECT IDENTIFIER

    TemplateVersion ::= INTEGER (0..4294967295)


    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    • Proposed as answer by Steven_Lee0510 Monday, November 9, 2015 4:16 PM
    • Marked as answer by Steven_Lee0510 Monday, November 9, 2015 11:37 PM
    Monday, October 26, 2015 10:38 AM
  • Thank you, I know that when the template name is included in the CSR, everything works well. But as I said: "Template name must be explicitly defined by the service we provide."

    We receive a plain PKCS#10 request from an external client, and that CSR does not contain any extension defining the template name. Our service must ensure that the CSR will be processed by the CA using a specific template.
    Monday, October 26, 2015 1:15 PM
  • With [MS-WCCE] it is possible to pass unauthenticated attributes along with the request (and provide the certificate template name as an attribute).

    It appears that [MS-WSTEP] does not provide any element to use for attributes. [MS-WSTEP] assumes that any information required to construct the final certificate is included in the request.

    Wrapping the PKCS#10 request in PKCS#7 doesn't help either, because the CA uses only the embedded PKCS#10 request to construct the certificate. The rest of the PKCS#7 data is used only in special scenarios (for example, certificate renewal, enrollment on behalf of, etc.) and is used to validate that operation.


    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    • Proposed as answer by Steven_Lee0510 Monday, November 9, 2015 4:16 PM
    • Marked as answer by Steven_Lee0510 Monday, November 9, 2015 11:37 PM
    Monday, October 26, 2015 6:59 PM
  • We found a solution: creating a PKCS7 (SignedData) with a CMC request inside. This CMC message contains the original PKCS10 request and CMC extensions (oid 1.3.6.1.5.5.7.7.8) with the CertificateTemplate definition (oid 1.3.6.1.4.1.311.20.2). Only then is the request correctly processed by the certification authority.

    Sample:

    PKCS7/CMS Message:
      CMSG_SIGNED(2)
      CMSG_SIGNED_DATA_CMS_VERSION(3)
      Content Type: 1.3.6.1.5.5.7.12.2 CMC Data

    PKCS7 Message Content:
    ================ Begin Nesting Level 1 ================
    CMS Certificate Request:
    Tagged Attributes: 1

      Body Part Id: 3
      1.3.6.1.5.5.7.7.8 CMC Extensions
      Value[0]:
        Data Reference: 0
        Cert Reference[0]: 1
      Extensions: 1
        1.3.6.1.4.1.311.20.2: Flags = 0, Length = a
        Certificate Template Name (Certificate Type)
            TEST

    Tagged Requests: 1
      CMC_TAGGED_CERT_REQUEST_CHOICE:
      Body Part Id: 1
    ================ Begin Nesting Level 2 ================
    Element 0:
    PKCS10 Certificate Request:

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxx PKCS10 data xxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ----------------  End Nesting Level 2  ----------------

    Tagged Content Info: 0
    Tagged Other Messages: 0
    ----------------  End Nesting Level 1  ----------------

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxx other PKCS7 data xxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    • Marked as answer by Fremen1983 Tuesday, December 15, 2015 7:46 AM
    Tuesday, December 15, 2015 7:46 AM
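    The two ways of naming a template discussed in this thread, as an added example that is not code from any of the posts: the CertificateTemplate extension (1.3.6.1.4.1.311.21.7) from the first answer, the template-name extension (1.3.6.1.4.1.311.20.2) from the dump above, and the unsigned RFC 5272 PKIData body that the dump shows under "PKCS7 Message Content". The DER encoder is hand-written to stay dependency-free; the Body Part Ids (3 and 1) are taken from the dump; wrapping the PKIData in CMS SignedData with content type 1.3.6.1.5.5.7.12.2 needs a CMS signing library and is not shown.

```python
# Added example (not from the thread): minimal DER encoder, the two template
# extensions, and an unsigned CMC PKIData as shown in the certutil dump.

def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """OBJECT IDENTIFIER from dotted form, base-128 arcs after the first two."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return der(0x06, bytes(out))

def der_int(n):
    """Non-negative INTEGER; adds a leading 0x00 when the top bit is set."""
    return der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def extension(oid, value_der):
    """Non-critical X.509 Extension: extnId + OCTET STRING holding the value."""
    return der(0x30, der_oid(oid) + der(0x04, value_der))

def template_oid_extension(template_oid, major, minor=None):
    """1.3.6.1.4.1.311.21.7: CertificateTemplate SEQUENCE (OID, major[, minor])."""
    body = der_oid(template_oid) + der_int(major)
    if minor is not None:
        body += der_int(minor)
    return extension("1.3.6.1.4.1.311.21.7", der(0x30, body))

def template_name_extension(name):
    """1.3.6.1.4.1.311.20.2: template name as a BMPString (UTF-16BE)."""
    return extension("1.3.6.1.4.1.311.20.2", der(0x1E, name.encode("utf-16-be")))

def cmc_pkidata(pkcs10_der, ext_der, attr_id=3, req_id=1):
    """RFC 5272 PKIData: one id-cmc-addExtensions control, one tagged PKCS#10."""
    # AddExtensions { pkiDataReference 0, certReferences { req_id }, extensions { ext } }
    add_ext = der(0x30, der_int(0) + der(0x30, der_int(req_id)) + der(0x30, ext_der))
    control = der(0x30, der_int(attr_id) + der_oid("1.3.6.1.5.5.7.7.8") + der(0x31, add_ext))
    tagged_req = der(0xA0, der_int(req_id) + pkcs10_der)  # TaggedRequest tcr [0] IMPLICIT
    return der(0x30, der(0x30, control) + der(0x30, tagged_req) + der(0x30, b"") + der(0x30, b""))
```

    For the name TEST the extension value is 10 bytes, matching "Length = a" in the dump.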
  • Thanks for sharing!

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Tuesday, December 15, 2015 12:36 PM