0

I used the certreq command utility (certreq -new) to generate a csr from an .inf file which I sent to an intermediate CA to be signed, using certreq -submit.

For some reason the "Issued to" field under the General tab, and the "Subject" field under the details tab has my domain user name instead of the machine FQDN (specified on the subject line in the .inf).

I am doing this to replace the self-signed RDP cert on the machine with a certificate that is signed by our CA. I understand that this can be done using GPO & by creating an RDP template, but for testing purposes I need to make sure it works on this server first and using these commands.

The Server OS is Windows Server 2016 Standard. I am running the commands from an elevated PowerShell console.

Below is the .inf file I am referencing along with the commands I am using. I appreciate any insight on this!

request.inf:

[Version] Signature="$Windows NT$"
[NewRequest]
Subject = "C=US, ST=Florida, L=Orlando, O=Disney World, CN=RDPSSL-TEST.Disney.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE 
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12 
RequestType = PKCS10
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE" 
HashAlgorithm = SHA256
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.54.1.2 ; this is for Remote Desktop Authentication
[RequestAttributes]
CertificateTemplate= DisneyRemoteDesktop

Commands:

certreq -new request.inf cert.req
certreq -submit cert.req certnew.cer certnew.pfx
Crypt32
  • 6,639
  • 1
  • 15
  • 33
redhatsamurai
  • 3
  • 7

1 Answers1

0

This is because your template is configured to build subject from Active Directory. Since you are submitting request to CA manually, you are authenticated on CA during CSR submission and CA will locate subject information from your user account. You need to change subject source in certificate template properties. For production, you will have to switch the subject source back to AD source.

Crypt32
  • 6,639
  • 1
  • 15
  • 33
  • I appreciate the input. I'll investigate the template properties. Thank you! – redhatsamurai Jan 15 '20 at 19:29
  • I created another certificate template and under the "subject" tab of the template properties I selected "supply in the request". After making this change I get an error stating "The requested certificate template is not supported by this CA." I also made sure to create a security group that includes the server I am trying to get the Certificate request for ( with Read & enroll permissions). – redhatsamurai Jan 23 '20 at 14:39
  • You need to add new template to CA for issuance. – Crypt32 Jan 23 '20 at 14:56
  • Changing the option in the template and adding it to the CA worked. Thank you! – redhatsamurai Jan 24 '20 at 16:55