On Tue, Oct 17, 2017 at 5:03 PM, Fraser Tweedale <[email protected]> wrote:
> On Tue, Oct 17, 2017 at 02:21:41PM -0700, Richard Harmonson wrote:
> > I created a certificate request using certreq.exe and the prerequisite
> > request.inf on a Windows Server 2012R2 DC--references and details given
> > below.
> >
> > However, I receive the error "Sorry, your request is not submitted. The
> > reason is "Invalid Request." when attempting to submit "Manual Server
> > Certificate Enrollment" it to my Root CA.
> >
> > Am I using the wrong template profile? Is there a template that supports
> > OID=1.3.6.1.5.5.7.3.1?
>
> Yes, this OID is configured in the server certificate profile. You
> don't need to include it in the CSR (but it doesn't hurt).
>
> There is something about the request that Dogtag does not like.
> Could you attach the CSR itself and/or the relevant portion of the
> /var/log/pki/pki-tomcat/ca/debug log file?
>
> Thanks,
> Fraser
>
> > Currently using PKI/Dogtag 10.3, but I did update to 10.4, briefly, then
> > recovered from snap/backup to 10.3 for the error persisted with 10.4.
> >
> > These are my primary references:
> >
> > https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority
> >
> > https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx#BKMK_Certreq
> >
> > Created the CSR by executing "certreq -new request.inf request.csr"
> >
> > The request.inf follows:
> >
> > ========================================
> > [Version]
> > Signature="$Windows NT$"
> >
> > [NewRequest]
> > Subject = "CN=ad.winauth.mydomain.net"
> > KeySpec = 1
> > KeyLength = 2048
> > Exportable = TRUE
> > MachineKeySet = TRUE
> > SMIME = False
> > PrivateKeyArchive = FALSE
> > UserProtected = FALSE
> > UseExistingKeySet = FALSE
> > ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
> > ProviderType = 12
> > RequestType = PKCS10
> > KeyUsage = 0xa0
> >
> > [Extensions]
> > 2.5.29.17 = "dns=ad.winauth.mydomain.net&"
> > _continue_ = "dn=CN=AD,OU=Domain Controllers,DC=winauth,DC=mydomain,DC=net&"
> > _continue_ = "ipaddress=192.168.1.1&"

I reviewed the suggested log, thank you, which clearly showed DogTag
complaining about something being provided in the CSR. I couldn't interpret
exactly what the problem was, but I removed the one thing I had never done
before, the [Extensions] stanza with the SAN. I successfully submitted! What
is the correct method to provide a "Subject Alternative Name" in a CSR to
DogTag? Or am I going about this all wrong? I was intending to provide FQDN,
IP address, and DN in the SAN.

Thank you,
Richard

> > [EnhancedKeyUsageExtension]
> > OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
> > ========================================
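An added example, not from this thread or from Dogtag, that uses Python's cryptography package as a stand-in for certreq: it builds a PKCS#10 CSR carrying the same subject, KeyUsage 0xa0, EKU and the three SAN entries (dns, dn, ipaddress) that the request.inf above asks for, then decodes the PEM back into what a CA will actually see. The key and CSR are generated in-process; the decoding half works on any PEM CSR, so it can be pointed at the request.csr certreq produced before submitting it.

```python
import ipaddress
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
# x509.Name takes RDNs in ASN.1 order, i.e. the reverse of the LDAP string
# "CN=AD,OU=Domain Controllers,DC=winauth,DC=mydomain,DC=net" from the .inf.
DC_NAME = x509.Name([
    x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "net"),
    x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "mydomain"),
    x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "winauth"),
    x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Domain Controllers"),
    x509.NameAttribute(NameOID.COMMON_NAME, "AD"),
])

def build_csr(key):
    """PKCS#10 CSR carrying the subject, SAN, KeyUsage 0xa0 and EKU from request.inf."""
    san = x509.SubjectAlternativeName([
        x509.DNSName("ad.winauth.mydomain.net"),               # dns=
        x509.DirectoryName(DC_NAME),                           # dn=
        x509.IPAddress(ipaddress.IPv4Address("192.168.1.1")),  # ipaddress=
    ])
    # KeyUsage = 0xa0 is digitalSignature (0x80) | keyEncipherment (0x20)
    ku = x509.KeyUsage(digital_signature=True, key_encipherment=True,
                       content_commitment=False, data_encipherment=False,
                       key_agreement=False, key_cert_sign=False, crl_sign=False,
                       encipher_only=False, decipher_only=False)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ad.winauth.mydomain.net")])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(subject)
           .add_extension(san, critical=False)
           .add_extension(ku, critical=True)
           .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
           .sign(key, hashes.SHA256()))
    return csr.public_bytes(serialization.Encoding.PEM)

def inspect_csr(pem):
    """Decode a PEM CSR and report what the CA will actually see in it."""
    csr = x509.load_pem_x509_csr(pem)
    san = []
    for gn in csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value:
        if isinstance(gn, x509.DNSName):
            san.append(("DNS", gn.value))
        elif isinstance(gn, x509.DirectoryName):
            san.append(("DirName", gn.value.rfc4514_string()))
        elif isinstance(gn, x509.IPAddress):
            san.append(("IP", str(gn.value)))
    eku = csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return {"subject": csr.subject.rfc4514_string(), "signature_valid": csr.is_signature_valid,
            "san": san, "eku": [oid.dotted_string for oid in eku]}

if __name__ == "__main__":
    print(inspect_csr(build_csr(rsa.generate_private_key(65537, 2048))))
```

To check a CSR that certreq wrote, pass `open("request.csr", "rb").read()` to `inspect_csr` instead of the in-process one.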
_______________________________________________ Pki-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/pki-users
