I'm using an Enrollment Agent user certificate to amend CSRs (in order to add SANs).

My method is working fine - using the following command:

certreq -config "CertAuth" -policy "PathtoCSR" "Path to SanDetails.inf" "NewCSROutputPath"

But when I submit the request it first prompts me for a Smart Card:

SmartCardPrompt Image

If I cancel this prompt it then prompts for the Enrollment Agent user certificate I have on my PC:

Enrollment Cert Prompt Image

Is there a way to avoid the Smart Card prompt? Can I do this by specifying a CSP in the template?

Is there also a way to avoid the confirmation prompt for the user certificate?

As per comments below - I have confirmed the syntax for specifying the certificate to use is correct as:

certreq -config "CertAuth" -policy -cert "thumbprint" "PathtoCSR" "Path to SanDetails.inf" "NewCSROutputPath"

However I am still getting the Smart Card prompt. We do not and have never had smart cards in our organisation.

Scepticalist
  • Add `-cert` parameter to explicitly specify certificate name (serial number or thumbprint, for example). – Crypt32 Aug 15 '18 at 10:28
  • Hmmm, I thought of that but was hoping to avoid as this is part of a script and would be run by any one of a number of administrators. I'd have to query their certificate store for the details. – Scepticalist Aug 15 '18 at 10:33
  • Then you cannot prevent this popup. Certreq attempts to find a suitable signing certificate silently. However, you have installed a smart card driver and middleware, and when certreq queries the smart card, a popup is invoked. The only way to avoid the popup is to specify the signing cert explicitly. – Crypt32 Aug 15 '18 at 10:37
  • Ok, many thanks - I'll use PowerShell to query the local certificate store for the thumbprint of the certificate with Request Agent enhanced usage. – Scepticalist Aug 15 '18 at 10:45
  • Right, this one has me stumped - whereabouts in the syntax do I insert the correct thumbprint? This seems correct from the help documentation, but still prompts for a certificate: `certreq -config "CertAuth" -policy -cert "thumbprint" "PathtoCSR" "Path to SanDetails.inf" "NewCSROutputPath"` – Scepticalist Aug 15 '18 at 11:16
  • Windows caches the smart card certificate. Try removing the smart card and delete the cached certificate using certmgr.msc. – Greg Askew Aug 15 '18 at 11:31
  • That's the thing. We don't have smart cards and there are no certificates for them. I've verified that the syntax is correct as per my edited question - but it still prompts for a smart card before using the certificate named in the request. Therefore my original question still stands - how to remove the smart card prompt. – Scepticalist Aug 15 '18 at 11:39
  • On how many computers have you verified this behavior? – Greg Askew Aug 15 '18 at 22:55
  • Received it on 3 separate computers so far - all Win10 – Scepticalist Aug 21 '18 at 09:19
  • I am having the exact same issue, and for me, even putting the thumbprint in does not prevent the certificate selection popup. So having two popups is a pain. Did you ever find a way to prevent the smart card popup? – tomohulk Jul 31 '19 at 17:30
  • No, I eventually had to write a notification into the script telling the user to cancel the smart card prompt. Microsoft really need some native PowerShell commands for this process. – Scepticalist Aug 01 '19 at 07:01
  • Yeah, that's terrible. You are right, Microsoft really does need something for this. One last thing: you use `-cert [EACertThumbprint]` and it auto-selects the EA cert when re-signing? Because I can't seem to get that to work. I can, I guess, settle on 1 prompt, but I really don't want 2 prompts. – tomohulk Aug 02 '19 at 12:49
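
The thumbprint lookup discussed in the comments, as an added example that is not code from any participant in this thread. It assumes the Enrollment Agent certificate lives in the current user's personal store; the function names are hypothetical, and the CA name and file paths are the placeholders from the question. As reported above, passing `-cert` may not suppress the smart card prompt.

```powershell
# Added example: pick the signing certificate deterministically before calling certreq.
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU

function Test-HasEku {
    param($Cert, [string]$Oid)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
        }
    }
    return $false   # no EKU extension: do not treat the cert as an enrollment agent
}

function Get-EnrollmentAgentCert {
    # Assumption: the certificate is in the user's personal store.
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    $now = Get-Date
    $candidates = @(Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (Test-HasEku -Cert $_ -Oid $RequestAgentOid)
    })
    if ($candidates.Count -eq 0) {
        throw "No valid Certificate Request Agent certificate with a private key in $StorePath."
    }
    if ($candidates.Count -gt 1) {
        # Refuse to guess which key signs the request; list them for the operator.
        throw "Multiple candidate certificates: $($candidates.Thumbprint -join ', ')"
    }
    return $candidates[0]
}

$ea = Get-EnrollmentAgentCert
Write-Host "Signing with $($ea.Subject) [$($ea.Thumbprint)], expires $($ea.NotAfter)"

# Same argument order as the command in the question; paths are placeholders.
& certreq.exe -config 'CertAuth' -policy -cert $ea.Thumbprint `
    'PathtoCSR' 'Path to SanDetails.inf' 'NewCSROutputPath'
if ($LASTEXITCODE -ne 0) {
    throw "certreq exited with code $LASTEXITCODE"
}
```

Failing on zero or multiple matches keeps the script from silently signing with an expired or unintended certificate when it is run under different administrators' profiles.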
