Problem with sending encrypted messages when using certreq to generate CSR and key

  • Question

  • After changing the certificate generation method, users have a problem with sending encrypted messages.

    The previous method was to generate the keys and CSR and sign the certificate on the certificate provider's page. Now we create the keys and CSR using certreq and then send the CSR to the certificate provider to sign. When the user tries to send an encrypted email in Outlook, the following message appears: "Cannot open this item. Your Digital ID name cannot be found by the underlying security system". For some reason it works fine on smartphones. It seems not to work only in Outlook.

    The decoded CSRs are different. We think this may be causing the problems. The CSR generated by the second method (certreq) additionally contains the following values.

        Attributes:
            1.3.6.1.4.1.311.13.2.3   :10.0.18362.2
            1.3.6.1.4.1.311.21.20    :unable to print attribute
            1.3.6.1.4.1.311.13.2.2   :unable to print attribute
        Requested Extensions:
            X509v3 Subject Key Identifier:
                B8:4E:DD:77:BA:18:9C:85:11:A8:E5:31:86:08:3F:AB:58:A5:A9:96
            X509v3 Key Usage: critical
                Digital Signature

    CSR and key generation command:

        certreq -new C:\config.inf C:\CSRFile.txt

    config.inf file:

        [NewRequest]
        Subject = "user data"
        KeyLength = 2048
        Exportable = TRUE
        HashAlgorithm = SHA256
        KeyAlgorithm = RSA

    Is it possible to get rid of the attributes when generating a CSR using certreq? Can there be any other reason for these problems?
    • Edited by Locne Thursday, June 25, 2020 10:51 AM Wrong title
    Thursday, June 25, 2020 10:48 AM
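Added example, written for this thread and not taken from the poster or from Microsoft: a PowerShell script that writes a certreq INF requesting both digitalSignature and keyEncipherment, suppresses the Microsoft-specific default request attributes listed in the decoded CSR above, and decodes the resulting request with certutil before it is sent to the provider. The reason for the key-usage check is that S/MIME encryption with RSA wraps the message key with the recipient's public key, which the keyEncipherment usage authorises; a CSR that requests only Digital Signature, as the decoded output above does, describes a certificate that can sign mail but is not a candidate for encrypting it, so it is worth confirming what the request asks for before the certificate is issued. The script relies on the documented certreq INF keys KeyUsage, KeySpec, ProviderName, ProviderType and SuppressDefaults; the subject, the file paths and the "Key Encipherment" wording matched in the certutil dump are assumptions, and whether the issuing CA honours the requested extensions depends on the provider's policy, which the thread does not describe.

```powershell
# Added example (not from the thread): build an S/MIME CSR with certreq that
# requests the key usages encrypted mail needs, then verify the request.

$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Placeholder subject: replace with the user's name and mailbox address
Subject = "CN=User Name, E=user@example.com"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = TRUE
RequestType = PKCS10
; Legacy CSP so that KeySpec applies (assumed choice; a KSP also works)
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
; KeySpec 1 = AT_KEYEXCHANGE: the key may sign and perform key exchange
KeySpec = 1
; 0xA0 = digitalSignature (0x80) | keyEncipherment (0x20)
KeyUsage = 0xA0
; Omit the Microsoft default request attributes seen in the decoded CSR:
; OS version 1.3.6.1.4.1.311.13.2.3, enrollment CSP 1.3.6.1.4.1.311.13.2.2,
; client information 1.3.6.1.4.1.311.21.20
SuppressDefaults = TRUE

[EnhancedKeyUsageExtension]
; Secure Email (emailProtection)
OID = 1.3.6.1.5.5.7.3.4
'@

# Placeholder paths
$infPath = Join-Path $env:TEMP 'smime.inf'
$csrPath = Join-Path $env:TEMP 'smime.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the current user's store and write the PKCS#10 request
certreq -new $infPath $csrPath

# Decode the request and confirm the requested key usage before submitting it.
# certutil is assumed to print the usage as "Digital Signature, Key Encipherment".
$dump = certutil -dump $csrPath | Out-String
if ($dump -match 'Key Encipherment') {
    Write-Host "CSR at $csrPath requests keyEncipherment: usable for S/MIME encryption"
} else {
    Write-Warning "CSR at $csrPath lacks keyEncipherment: the issued certificate would only sign"
}
```

Run the script in a PowerShell session as the mailbox user, since certreq creates the private key in that user's store; the decoded dump can be compared with the openssl output in the question to see which attributes and extensions the request now carries.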

All replies

  • You need to post this in the Security Forum.  This is a forum for scripting questions and not about certificates.


    \_(ツ)_/

    Thursday, June 25, 2020 11:20 AM
  • Make sure the encrypting service is running. To check, open cmd, type: services.msc; in msc scroll to encryption / double click / set to: auto start, start service, exit msc, restart pc.
    Friday, July 3, 2020 3:41 AM
  • You need to post this in the Security Forum.  This is a forum for scripting questions and not about certificates.


    \_(ツ)_/

    Generating the certificate via script is the problem. I think maybe some attribute is missing in the certreq syntax, but I can't find it. I don't know if I will find the Security Forum on social.technet.microsoft.com where I can ask this question.

    Monday, July 20, 2020 12:26 PM
  • Make sure the encrypting service is running. To check, open cmd, type: services.msc; in msc scroll to encryption / double click / set to: auto start, start service, exit msc, restart pc.
    I only have an Encrypting File System (EFS) service. Were you talking about this service?
    Monday, July 20, 2020 12:27 PM