Template parameter in InitializeFromPrivateKey() of object CX509CertificateRequestPkcs10 throws an exception when trying a specific template

I'm having a problem with specifying a template parameter in InitializeFromPrivateKey() of the X509Enrollment.CX509CertificateRequestPkcs10 object. Everything except the "User" template leads to the following exception:

CertEnroll::CX509CertificateRequestPkcs10::InitializeFromPrivateKey: The requested certificate template is not supported by this certification authority. 0x80094800 (-2146875392)

There is a specific certificate template that I need to use, and when I try it, the code throws an exception. The template exists on the CA and on the client machine that runs the following code.

JavaScript code as follows:

    <script type="text/javascript">
    var sCertificate = null;
    var sDistinguishedName = "C=\"\";S=\"\";L=\"\";O=\"XXXXX\";OU=\"XXXXXXX\";E=\" XXXXX@XXXX.com \";CN=\"xxxxxxx\";";
    var template = "RegistrationCert"; // Anything other than "User" fails; have tried the template OID too.

    // CertEnroll COM objects, created through the web class factory (IE/ActiveX only)
    var classFactory = new ActiveXObject("X509Enrollment.CX509EnrollmentWebClassFactory");
    var objEnroll = classFactory.CreateObject("X509Enrollment.CX509Enrollment");
    var objPrivateKey = classFactory.CreateObject("X509Enrollment.CX509PrivateKey");
    var objRequest = classFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
    var objDN = classFactory.CreateObject("X509Enrollment.CX500DistinguishedName");

    objPrivateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
    objPrivateKey.KeySpec = "1";      // 1 = AT_KEYEXCHANGE
    objPrivateKey.ProviderType = "1"; // 1 = PROV_RSA_FULL

    try {
        // 1 = ContextUser; the template name passed here is what raises 0x80094800
        objRequest.InitializeFromPrivateKey(1, objPrivateKey, template);
        objDN.Encode(sDistinguishedName, 0);
        objRequest.Subject = objDN;
        objEnroll.InitializeFromRequest(objRequest);
        sCertificate = objEnroll.CreateRequest(1); // 1 = XCN_CRYPT_STRING_BASE64
        document.writeln(sCertificate);
    } catch (ex) {
        document.writeln(ex.description);
    }
    </script>

A couple of other questions:
- I assume that the template should exist on the client machine? Otherwise, how does the client know the location of the CA from which to request templates?
- Does CertEnroll on the client even work against a Windows 2003 CA server?

If you can help me, I would be very grateful!

Additional information:
- The client is Windows 7; IE9 on the client runs as an administrator.
- The web application that hosts the above page is accessible via HTTP.
- The web application is hosted on the Windows 2003 CA server itself.

Before posting, I looked at:
- Stack Overflow threads related to CertEnroll + InitializeFromPrivateKey
- Blogs about using the template OID rather than the template name
- MSDN / the alejacma blog
- The CertEnroll API reference on MSDN

2 answers

Okay, so I figured it out ... typical.

  • Use CX509ExtensionTemplateName and call InitializeEncode with the OID value.
  • Do not specify a template parameter in InitializeFromPrivateKey.

i.e.:

    var objExtensionTemplate = classFactory.CreateObject("X509Enrollment.CX509ExtensionTemplateName");
    objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // empty string: don't specify the template here
    objExtensionTemplate.InitializeEncode(template);           // specify the template as its OID value!
    objRequest.X509Extensions.Add(objExtensionTemplate);       // the CA picks the template up from this extension

We checked on the CA that the request is for the specified template type, and it indeed issues a certificate only of that type.

Hope this helps someone one day.

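The same procedure as the answer above, written as an added example in PowerShell (not code from the original poster or answerer) so it can be run from the Windows 7 client without IE or ActiveX. It goes one step further than the answer: the request carries the v2 Certificate Template extension built with CX509ExtensionTemplate (template OID plus major/minor version) instead of CX509ExtensionTemplateName, and it submits the request to the CA with CCertRequest and checks the disposition, so a template the CA does not publish (the 0x80094800 case) fails visibly before anything is installed. The template OID, its version numbers, the CA config string and the subject name are placeholders to be replaced for your environment.

```powershell
# Added example (not from the original post): enrol for a specific template
# through the CertEnroll COM interfaces, passing the template as an extension
# on the PKCS#10 request rather than as the template-name argument of
# InitializeFromPrivateKey. Must run on a domain-joined Windows client that
# can reach the CA.
#
# Placeholders (assumptions, replace for your environment):
$TemplateOid  = '1.3.6.1.4.1.311.21.8.1.2.3.4.5.6.7.8'  # not a real template OID
$TemplateMajor = 100                                     # msPKI-Template-Schema-Version major
$TemplateMinor = 2                                       # ... minor
$CaConfig     = 'ca01.corp.example\Corp Issuing CA'      # "<CA host FQDN>\<CA common name>"
$SubjectDn    = 'CN=registration-client, O=Example, C=US'

# Enumeration values from certenroll.h / certcli.h used below
$ContextUser             = 1      # X509CertificateEnrollmentContext.ContextUser
$XCN_AT_KEYEXCHANGE      = 1      # KeySpec
$XCN_CRYPT_STRING_BASE64 = 1      # EncodingType
$CR_IN_BASE64            = 0x1    # CCertRequest.Submit: request is Base64
$CR_IN_PKCS10            = 0x100  # CCertRequest.Submit: request is PKCS#10
$CR_DISP_ISSUED          = 3      # disposition returned when the CA issued
$CR_OUT_BASE64           = 1      # CCertRequest.GetCertificate encoding

# 1. Private key. ProviderName mirrors the original post (CAPI RSA provider).
$key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$key.ProviderName   = 'Microsoft Enhanced Cryptographic Provider v1.0'
$key.KeySpec        = $XCN_AT_KEYEXCHANGE
$key.Length         = 2048
$key.MachineContext = $false   # user store, matching ContextUser below
$key.Create()

# 2. PKCS#10 request with NO template name: the CA matches the template from
#    the extension added in step 3 instead.
$req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$req.InitializeFromPrivateKey($ContextUser, $key, '')

$dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$dn.Encode($SubjectDn, 0)      # 0 = XCN_CERT_NAME_STR_NONE
$req.Subject = $dn

# 3. Certificate Template extension (szOID_CERTIFICATE_TEMPLATE,
#    1.3.6.1.4.1.311.21.7): template OID + major/minor version. The answer
#    above used CX509ExtensionTemplateName, which encodes the template name
#    in the older 1.3.6.1.4.1.311.20.2 extension instead.
$oid = New-Object -ComObject X509Enrollment.CObjectId
$oid.InitializeFromValue($TemplateOid)
$tmplExt = New-Object -ComObject X509Enrollment.CX509ExtensionTemplate
$tmplExt.InitializeEncode($oid, $TemplateMajor, $TemplateMinor)
$req.X509Extensions.Add($tmplExt)

# 4. Encode the request (this also finalises the key) and keep a copy on disk
#    so it can be inspected with 'certutil -dump request.csr' before submission:
#    the dump must show a "Certificate Template Information" extension with
#    the expected OID, otherwise the CA will not select the template.
$enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
$enroll.InitializeFromRequest($req)
$csr = $enroll.CreateRequest($XCN_CRYPT_STRING_BASE64)
Set-Content -Path "$env:TEMP\request.csr" -Value $csr

# 5. Submit to the CA and check the disposition instead of assuming success.
$cr = New-Object -ComObject CertificateAuthority.Request
$disposition = $cr.Submit(($CR_IN_BASE64 -bor $CR_IN_PKCS10), $csr, '', $CaConfig)
if ($disposition -ne $CR_DISP_ISSUED) {
    # e.g. a template the CA does not publish, or no Enroll permission on it
    throw ('CA did not issue the certificate: disposition {0}: {1}' -f `
           $disposition, $cr.GetDispositionMessage())
}

# 6. Install the issued certificate against the pending request's key.
$certB64 = $cr.GetCertificate($CR_OUT_BASE64)
$enroll.InstallResponse(0, $certB64, $XCN_CRYPT_STRING_BASE64, '')   # 0 = AllowNone
Write-Host ('Issued by {0}, request id {1}' -f $CaConfig, $cr.GetRequestId())
```

Run it from an elevated PowerShell on the client; `certutil -v -template <TemplateName>` on a domain machine prints the template's OID and schema version numbers that replace the placeholders, and `certutil -dump "$env:TEMP\request.csr"` confirms the extension is present in the CSR before the CA ever sees it.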

See also this code, where I use a newer DLL that does not include the methods you use. I also do not use embedded interop types, which cause problems when deploying or building.

    using CERTENROLLLib; // interop assembly for CertEnroll

    // objPkcs10 is the already-initialized CX509CertificateRequestPkcs10 request
    CObjectId EkuOid = new CObjectId();
    EkuOid.InitializeFromValue("1.3.6.1.4.1.311.21.8.4946465.16405226.12930948.10533807.2139545.33.5005369.11644649");
    CObjectIds EkuOids = new CObjectIds();
    EkuOids.Add(EkuOid);
    CX509ExtensionEnhancedKeyUsage eku = new CX509ExtensionEnhancedKeyUsage();
    eku.InitializeEncode(EkuOids);
    eku.Critical = false;
    objPkcs10.X509Extensions.Add((CX509Extension)eku);

The OID can be obtained using this method on ServerFault.

Alternative implementations of this code (VBS, C#, etc.) are located here.

