Error when generating CSR using certreq.exe

  • Question

  • Good day!

    I have encountered an error when trying to generate a CSR. The following is my req.inf file.

    [Version]
    Signature= "$Windows NT$"
    [NewRequest]
    Subject = "CN=DC01.Fabrikam.com"
    HashAlgorithm = SHA384
    KeyAlgorithm = RSA
    KeyLength = 2048
    ProviderName = "Microsoft Software Key Storage Provider"
    KeyUsage = 0xa0
    KeySpec = 1
    MachineKeySet = True
    RequestType = PKCS10 
    SMIME = False
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1
    [Extensions]
    2.5.29.17 = "{text}"
    _continue_ = "DNS=DC01.Fabrikam.com"

    After that I use the following command to generate the CSR and encounter the error below:

    certreq.exe -new req.inf request.req

    Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13 Error_INVALID_DATA)

    req.inf([NewRequest] KeyAlgorithm ="RSA") <=> KeySpec?

    I did try to change KeySpec = 1 to KeySpec = AT_KEYEXCHANGE but it did not solve the issue.

    But if I remove the KeyAlgorithm = RSA line, the CSR can be generated successfully.

    Is there something I specified wrongly regarding the KeyAlgorithm and KeySpec? Can anyone enlighten me regarding the issue?

    Sunday, January 20, 2019 9:14 AM

Answers

  • Do you know why that is so?

    Because certreq was improved in Windows 10. Your INF will work on Windows 10 because certreq became smarter and ignores the irrelevant KeySpec line when a key storage provider is used. Previous versions of certreq will fail.

    It requires the KeySpec option to be AT_EXCHANGE based on the following website

    Again, KeySpec is not supported by key storage providers and should not be used. KeySpec has meaning only for legacy CSPs.

    As a side note: SQL Server doesn't support key storage providers, so you need to use one of the legacy CSPs in order to make it work with SQL Server. For example, use the "Microsoft Enhanced RSA and AES Cryptographic Provider" CSP for SQL Server. With this CSP, you can use the KeySpec line.


    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    • Marked as answer by LearningPKI Monday, January 21, 2019 12:43 AM
    Sunday, January 20, 2019 3:43 PM
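    The two INF variants the answer describes, side by side, as an added example that is not part of the thread or of any Microsoft documentation: one for the Microsoft Software Key Storage Provider with the KeySpec line removed (the fix for the original error), and one for the legacy "Microsoft Enhanced RSA and AES Cryptographic Provider" CSP, where KeySpec is meaningful and can be set for the SQL Server case. The SQL Server subject name, the file names and paths, and the ProviderType value are assumptions for illustration; the DC01.Fabrikam.com values come from the question.

```powershell
# Added example: certreq INF variants following the guidance in the answer.
# Not from the thread. Subject/file names below are assumed placeholders.
# certreq -new with MachineKeySet = True must run from an elevated prompt.

# Variant 1: Key Storage Provider (CNG). KeySpec is deliberately omitted:
# KSPs do not use it, and pre-Windows 10 certreq rejects the INF when
# KeyAlgorithm and KeySpec are both present (the 0x8007000d error).
$kspInf = @'
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=DC01.Fabrikam.com"
HashAlgorithm = SHA384
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Software Key Storage Provider"
KeyUsage = 0xa0
MachineKeySet = True
RequestType = PKCS10
SMIME = False
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=DC01.Fabrikam.com"
'@

# Variant 2: legacy CryptoAPI CSP for SQL Server. Here KeySpec is valid and
# AT_KEYEXCHANGE (= 1) is what the SQL Server guidance asks for. ProviderType 24
# is PROV_RSA_AES, the type of the Enhanced RSA and AES provider. KeyAlgorithm
# is left out because the CSP itself implies RSA. (sql01 name is assumed.)
$cspInf = @'
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=sql01.fabrikam.com"
HashAlgorithm = SHA256
KeyLength = 2048
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
KeySpec = AT_KEYEXCHANGE
KeyUsage = 0xa0
MachineKeySet = True
Exportable = False
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=sql01.fabrikam.com"
'@

# certreq expects plain text; write the INFs as ASCII to avoid a BOM.
$kspInf | Set-Content -Path .\req-ksp.inf    -Encoding ASCII
$cspInf | Set-Content -Path .\req-sqlcsp.inf -Encoding ASCII

# Generate both requests (the private keys land in the machine store).
certreq.exe -new .\req-ksp.inf    .\request-ksp.req
certreq.exe -new .\req-sqlcsp.inf .\request-sql.req

# Check subject, key size and SAN in the resulting request before submitting it
# to the CA; a CSR with the wrong name or a short key is cheap to catch here.
certutil.exe -dump .\request-ksp.req
certutil.exe -dump .\request-sql.req
```

    The practical rule is: pick KeySpec or a KSP, never both. Exportable = False on the SQL Server variant keeps the private key from being exported from the machine store later, which is the setting to prefer unless the key must be moved to another host.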

All replies

  • The problem here is with the KeySpec line. KeySpec is no longer valid for key storage providers. Leave the algorithm name and remove the KeySpec line. After that, your request should be generated successfully.

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    • Marked as answer by LearningPKI Sunday, January 20, 2019 3:01 PM
    • Unmarked as answer by LearningPKI Sunday, January 20, 2019 3:09 PM
    Sunday, January 20, 2019 2:15 PM
  • Hi Vadims,

    Thank you for your reply. This has solved one of my CSR errors, but I have another CSR (SQL SSL certificate) for which I need to add the KeySpec into the .inf. It requires the KeySpec option to be AT_EXCHANGE based on the following website:

    https://www.mssqltips.com/sqlservertip/3299/how-to-configure-ssl-encryption-in-sql-server/

    May I know how I should do it, as I am not able to generate the CSR?

    By the way, one of my colleagues tested exactly the same .inf file on his test server and, to my surprise, it generated the CSR successfully. The only difference I have noticed between his test environment and mine is that the version of his command prompt is 10.0.14393 while mine is 6.3.9600. Do you know why that is so?

    Thank you again!


    Sunday, January 20, 2019 3:29 PM