Problem issuing web server certificate with Enhanced Key Usage

  • Question

  • My objective is to issue a certificate with Enhanced Key usage of ClientAuth and ServerAuth using the Windows 2008 Enterprise Root Authority. 
    I have created the request (using openssl, as it happens) and can submit the request either using the Web enrollment page, or certreq -submit.
    My Enterprise root is configured to not automatically issue the certificate, so the next step is to use certutil to add the EKU to the pending request:

    certutil -setextension <req_id>  2.5.29.37 0 @eku_client_server.txt

    The file eku_client_server.txt contains this string:
    30 14 06 08 2b 06 01 05 05 07 03 02 06 08 2b 06 01 05 05 07 03 01

    So far this all looks good, and if I then look at the 'Enhanced Key Usage' Extension of the pending request it has the values I want, i.e.:
    Client Authentication (1.3.6.1.5.5.7.3.2)
    Server Authentication (1.3.6.1.5.5.7.3.1)
    with the Origin set to 'Admin'

    HOWEVER - when I issue the Pending Request using the certsrv mmc, the EKU loses the Client Authentication element, and goes back to just server authentication.  I also note that the Origin of the Enhanced Key Usage  has changed to 'Policy'.   It looks like the 'Web server' policy has over-written the change made using certutil.


    Does anyone have any ideas?

    Thanks

    Ax

    Friday, June 5, 2009 2:51 PM
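The hex string passed to certutil -setextension above is the DER-encoded value of the Enhanced Key Usage extension (OID 2.5.29.37): a SEQUENCE of OBJECT IDENTIFIERs. The following added example (not code from the thread) decodes that exact byte string back into its OIDs and re-encodes the two OIDs to show they produce the same bytes; the OID-to-name table is assumed for illustration.

```python
# Added example: encode/decode the DER value of an Enhanced Key Usage
# (EKU) extension, i.e. the bytes the poster placed in eku_client_server.txt.

EKU_NAMES = {  # assumed lookup table for the two OIDs named in the thread
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
}

def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                    # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def encode_eku(oids) -> bytes:
    """SEQUENCE OF OBJECT IDENTIFIER; short-form length suffices for EKUs."""
    inner = b"".join(encode_oid(o) for o in oids)
    assert len(inner) < 128, "long-form DER length not handled in this example"
    return bytes([0x30, len(inner)]) + inner

def decode_eku(der: bytes):
    """Return the dotted OIDs inside a short-form EKU SEQUENCE."""
    assert der[0] == 0x30 and der[1] == len(der) - 2, "not a short-form SEQUENCE"
    pos, oids = 2, []
    while pos < len(der):
        assert der[pos] == 0x06, "expected OBJECT IDENTIFIER"
        length = der[pos + 1]
        body = der[pos + 2:pos + 2 + length]
        arcs, value = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:               # last byte of this arc
                arcs.append(value)
                value = 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + length
    return oids

# The byte string from the thread, constructed here as the sample input.
EKU_HEX = "30 14 06 08 2b 06 01 05 05 07 03 02 06 08 2b 06 01 05 05 07 03 01"

def describe(hex_string: str):
    """Human-readable EKU list for a hex-encoded extension value."""
    return [EKU_NAMES.get(o, o) for o in decode_eku(bytes.fromhex(hex_string))]

if __name__ == "__main__":
    print(describe(EKU_HEX))
    print(encode_eku(["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"]).hex(" "))
```

Running decode on the issued certificate's EKU value the same way is a quick check that the CA's policy module did not replace what was set on the pending request.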

Answers

  • Does the extension exist in the template definition? If you are using WebServer then it is defined to always have "Server Authentication" as an EKU. Which is why you are seeing this behavior.

    What I think you want to do is the following:
    Create a new template "Copy Of WebServer"
    Modify the extensions so that "Application Policies" is none
    Then I think using the certutil -setextensions will work.

    The problem that you are seeing is that the policy module will always prefer what is in the template over what you set through certutil -setextensions. WebServer is a v1 template where the EKU is hard-coded in [like all v1 templates, this cannot be changed].

    Andrew

    • Marked as answer by Ax Murdarah Tuesday, June 9, 2009 3:42 PM
    Tuesday, June 9, 2009 12:00 AM

All replies

  • When you submit the certificate request [through certreq or the certsrv web pages], do you specify a certificate template?

    Andrew

    Friday, June 5, 2009 11:00 PM
  • I do not believe it is possible to submit a request to the Enterprise CA without specifying a certificate template.  The command line I used for Certreq was:

    certreq -submit -attrib "CertificateTemplate: WebServer \n san:dns=srvcenvc101.cbi.org.uk" cert.req

    When I submitted the certificate through the web enrollment, I specified the Web Server template.

    I still need to be able to create a certificate with the EKU of both Client and Server authentication

    Ax

    Monday, June 8, 2009 8:14 AM
  • Thanks for the help Andrew.

    I have got it working with a variation on your suggestion.   I duplicated the Web Server Template and in the duplicate changed the "Application Policies" to both Client and Server authentication.  Doing it that way I did not have to bother with certutil -setextensions, although your way would probably have worked as well.

    It seems that with SSL and Certificates a little knowledge gets you nowhere!

    Ax
    Tuesday, June 9, 2009 3:42 PM
  • Andrew,

    Great tip... does this make the certificate template for a V2 template available in the web enrollment interface? read: I've not tried this :-)

    Regards,
    Mylo
    Tuesday, June 9, 2009 7:14 PM
  • Mylo,

    When you duplicate the User or WebServer template that comes by default [i.e. no changes on permissions] with an enterprise ca installation then a v2 template will be created with the same principals [users and groups] having the same permissions [including read]. This means that it should show up in the web enrollment interface. i.e. in general, v2 templates are available on the web enrollment interface.

    Andrew
    Tuesday, June 9, 2009 7:19 PM
  • Andrew,

    Are you using 2003 or 2008?

    Regards,
    Mylo
    Tuesday, June 9, 2009 7:27 PM


  • Mylo,

    After duplicating the Webserver template on my Enterprise CA running on Windows Server 2008 Enterprise, I activated it by running this command from an administrative command prompt:

    certutil -setCATemplates +Webserver2

    After that it was usable from the mmc and using certreq - but it did NOT appear in the Web enrollment pages

    Ax

    Wednesday, June 10, 2009 10:24 AM
  • Ax,

    Yeah ... that's my experience too.. that the web enrollment interface can be flaky with V2 templates. I actually prefer using certreq.

    Regards,
    Mylo
    Wednesday, June 10, 2009 6:08 PM
  • Are you sure you are using a v2 template or a v3 template?

    v3 templates were first introduced in Windows Server 2008. The web enrollment pages cannot display v3 templates.

    Andrew
    Wednesday, June 10, 2009 9:14 PM