
I have a small test network that includes Win2k8 R2 machines, an Enterprise CA server and an Exchange 2010 SP1 RU1 CAS server. I would like to issue a certificate for Exchange from the CA.

As the first step, I created the certificate request, which (according to OpenSSL) contains the following info:

```
C:\OpenSSL\bin>openssl req -in e.req -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=mail.mnet.com, OU=IT, O=MNet, L=Budapest, ST=Budapest, C=HU
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                ...snip...
                Exponent: 65537 (0x10001)
        Attributes:
            1.3.6.1.4.1.311.13.2.3   :6.1.7600.2
            1.3.6.1.4.1.311.21.20    :unable to print attribute
            1.3.6.1.4.1.311.13.2.2   :unable to print attribute
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:cas.int.mnet.com, DNS:mail.mnet.com, DNS:autodiscover.mnet.com, DNS:pop.int.mnet.com, DNS:imap.int.mnet.com
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                F0:7E:53:47:BE:04:0F:5C:78:FD:63:8C:D6:5C:BC:0D:45:A3:4F:48
    Signature Algorithm: sha1WithRSAEncryption
        ...snip...
```

As the second step, I would like to submit this request to the CA, but I get the following message:

The request contains no certificate information.

Denied by Policy Module 0x80094801, The request does not contain a certificate template extension of the CertificateTemplate request attribute.

What would be the best way to get this working?

How should I generate the same request from Exchange to include the info on which certificate to use?

How should I convince the CA to issue the certificate, even if the request doesn't match a certificate template?

(I'm actually interested in the answer to all three questions to learn more about both Exchange and the CA services.)

maweeras
Zizzencs

1 Answer


Please use the wizard that Exchange 2010 so helpfully provides for you - it's much easier.

It's in the Exchange Management Console under Server Configuration. In the Action Pane, choose the New Exchange Certificate wizard.

Fill in the required info, submit the generated file to your Enterprise CA using the Web Server template, then import the generated certificate back into Exchange using the wizard.

You might find this video helpful.

Ben Pilbrow
  • How can I "submit the generated file to your Enterprise CA using the Web Server template"? I mean, I can submit the request to the CA, but how can I assign the template to it? – Zizzencs Dec 14 '10 at 16:24
  • Your Enterprise CA usually has a web interface accessed via `http:///certsrv` - from there you can request a certificate. If you watch through the video I linked, it shows you the options you need to choose (including the Web Server template). – Ben Pilbrow Dec 14 '10 at 16:26
  • Thanks. For some reason I don't always have the option "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file." in the Advanced Certificate Request tab. I might be missing some access rights. – Zizzencs Dec 14 '10 at 16:41
  • How do you do this in Exchange 2007? I don't think it has that wizard. – Neil Jun 21 '12 at 23:58
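The 0x80094801 denial in the question means the Enterprise CA could not tell which template to apply to the request. As an added example (not from any of the posts above), this is a command-line equivalent of the web enrollment step, run from the Exchange Management Shell. The file paths, the CA config string and the list of services are assumptions to adjust for your environment.

```powershell
# Added example: paths, CA config string and services are assumed values.
$req = 'C:\certs\e.req'    # PKCS #10 request from the question (path assumed)
$cer = 'C:\certs\e.cer'    # output file for the issued certificate (path assumed)
$ca  = 'CA-HOST\CA-NAME'   # placeholder "<CA server>\<CA name>"; if -config is
                           # omitted, certreq shows a dialog to pick the CA

# 1. Inspect the request: the SAN entries should be listed under the
#    requested extensions, and no certificate template is named.
certutil -dump $req

# 2. Submit the request and name the template as a request attribute.
#    "WebServer" is the internal name of the "Web Server" template.
#    The submitting account needs Enroll permission on that template.
certreq -submit -config $ca -attrib "CertificateTemplate:WebServer" $req $cer

# certreq only writes the output file when the CA issues the certificate,
# so a missing file means the request was denied or is pending approval.
if (-not (Test-Path $cer)) {
    throw "No certificate was issued; check the CA's Failed/Pending Requests."
}

# 3. Check the issued certificate before installing it: all five DNS names
#    from the request should appear in Subject Alternative Name.
certutil -dump $cer

# 4. Import the certificate on the server that generated the request
#    (the private key lives there), then bind it to services.
$imported = Import-ExchangeCertificate -FileData `
    ([Byte[]]$(Get-Content -Path $cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS,POP,IMAP
```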