Create certificate on CA from CSR file with key usage "TLS Web Server Authentication, TLS Web Client Authentication"

  • Question

  • A vendor for a Linux system is asking for a certificate in which the certificate key usage states "TLS Web Server Authentication, TLS Web Client Authentication". They provided a CSR file. On the CA server, I ran the following command:

    certreq -submit -attrib "CertificateTemplate:WebServer" cms.csr

    It created the certificate successfully with the Enhanced Key usage field with "Server Authentication (1.3.6.1.5.5.7.3.1)". Is this the same thing as "TLS Web Server Authentication, TLS Web Client Authentication" which they need?

    I looked into the Certificate Templates console and cannot modify the Web Server template key usage extension.

    Friday, May 17, 2019 2:32 PM

All replies

  • You need to duplicate default Web Server template, this will allow you to modify its settings. During duplication, switch to Extensions tab, select Application Policies entry and add Client Authentication usage.

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    • Proposed as answer by Bill Stites Tuesday, May 21, 2019 4:35 AM
    Friday, May 17, 2019 4:27 PM
  • Hello Rick131,

    Thank you for posting in our TechNet forum.

    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 20, 2019 6:55 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou


    Wednesday, May 22, 2019 8:08 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.

    Again thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou


    Friday, May 24, 2019 7:12 AM
    Moderator
  • I created a copy of Web Server template on both Windows 2000 Server and Windows 2008 server and get the following error message:

    "Certificate Request Processor: The requested certificate template is not supported by this CA. 0x80094800 (-2146875392)
    Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: WebrSrverClient."
    Thursday, June 27, 2019 11:51 AM
  • Ok. Did some digging and found out that I had to publish the certificate template to the Certificate Authority. So I followed the steps from this page and ran the instruction and was able to create the certificate. I'm waiting to see if they accept the certificate with the parameters requested.

    Thursday, June 27, 2019 12:22 PM
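
A check for the question raised in this thread, as an added example that is not part of any post: OpenSSL-based tools print OID 1.3.6.1.5.5.7.3.1 as "TLS Web Server Authentication" and 1.3.6.1.5.5.7.3.2 as "TLS Web Client Authentication", while Windows shows the same OIDs as "Server Authentication" and "Client Authentication", so the vendor's requirement is met only when both OIDs are in the Enhanced Key Usage extension. The function names, the in-memory demo certificates and the file path are assumptions made for illustration; the script needs PowerShell 7, or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# EKU OIDs the vendor asked for, labelled "Windows name / OpenSSL name".
$RequiredEku = [ordered]@{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication / TLS Web Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication / TLS Web Client Authentication'
}

# Hypothetical helper: reports, per required OID, whether the certificate's
# Enhanced Key Usage extension lists it. A certificate with no EKU extension
# reports Present = False for both, because it does not state the usages.
function Test-CertificateEku {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $present = @()
    if ($ext) { $present = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $RequiredEku.Keys) {
        [pscustomobject]@{
            Subject = $Certificate.Subject
            Oid     = $oid
            Usage   = $RequiredEku[$oid]
            Present = $present -contains $oid
        }
    }
}

# Constructed sample input: self-signed certificates built in memory so the
# check can be tried without a CA. Nothing is written to a certificate store.
function New-DemoCertificate {
    param([string]$Name, [string[]]$EkuOids)
    $rsa  = [RSA]::Create(2048)
    $req  = [CertificateRequest]::new("CN=$Name", $rsa,
                [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    foreach ($o in $EkuOids) { [void]$oids.Add([Oid]::new($o)) }
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
}

# One certificate shaped like the default Web Server template output, one with both usages.
$serverOnly = New-DemoCertificate 'demo-server-only' @('1.3.6.1.5.5.7.3.1')
$both       = New-DemoCertificate 'demo-server-and-client' @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')
Test-CertificateEku $serverOnly | Format-Table -AutoSize
Test-CertificateEku $both       | Format-Table -AutoSize

# For the certificate issued by the CA, load the file instead (placeholder path):
# Test-CertificateEku ([X509Certificate2]::new('C:\path\to\issued.cer'))
```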