On Tue, Oct 17, 2017 at 5:03 PM, Fraser Tweedale <ftweedal@redhat.com> wrote:
On Tue, Oct 17, 2017 at 02:21:41PM -0700, Richard Harmonson wrote:
> I created a certificate request using certreq.exe and the prerequisite
> request.info on a Windows Server 2012R2 DC--references and details given
> below.
>
> However, I receive the error "Sorry, your request is not submitted. The
> reason is 'Invalid Request.'" when attempting to submit it to my Root CA
> via "Manual Server Certificate Enrollment".
>
> Am I using the wrong template profile? Is there a template that supports
> OID=1.3.6.1.5.5.7.3.1?
>
Yes, this OID is configured in the server certificate profile.  You
don't need to include it in the CSR (but it doesn't hurt).

There is something about the request that Dogtag does not like.
Could you attach the CSR itself and/or the relevant portion of the
/var/log/pki/pki-tomcat/ca/debug log file?

Thanks,
Fraser

>
> Currently using PKI/Dogtag 10.3, but I did update to 10.4 briefly, then
> recovered from snap/backup to 10.3, as the error persisted with 10.4.
>
>
> These are my primary references:
>
> https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority
>
> https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx#BKMK_Certreq
>
> Created the CSR by executing "certreq -new request.inf request.csr"
>
> The request.inf follows:
>
> ========================================
> [Version]
>
> Signature="$Windows NT$"
>
> [NewRequest]
> Subject = "CN=ad.winauth.mydomain.net"
> KeySpec = 1
> KeyLength = 2048
> Exportable = TRUE
> MachineKeySet = TRUE
> SMIME = False
> PrivateKeyArchive = FALSE
> UserProtected = FALSE
> UseExistingKeySet = FALSE
> ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
> ProviderType = 12
> RequestType = PKCS10
> KeyUsage = 0xa0
>
> [Extensions]
> 2.5.29.17 =  "dns=ad.winauth.mydomain.net&"
> _continue_ = "dn=CN=AD,OU=Domain Controllers,DC=winauth,DC=mydomain,DC=net&"
> _continue_ = "ipaddress=192.168.1.1&"
>

I reviewed the suggested log, thank you, which clearly showed DogTag complaining about something being provided in the CSR. I couldn't interpret exactly what was the problem but I removed the one thing I had never done before, the [Extensions] stanza with the SAN.

I successfully submitted!

What is the correct method to provide a "Subject Alternative Name" in a CSR to DogTag? Or am I going about this all wrong? I was intending to provide FQDN, IP address, and DN in the SAN.

Thank you,

Richard
 
> [EnhancedKeyUsageExtension]
> OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
> ========================================
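Richard's question about how a SAN should be carried in the CSR, and Fraser's request to see the CSR itself, both come down to what the PKCS#10 actually encodes. The following is an added example, not code from the thread or from Dogtag: it generates the equivalent request with openssl (same hostname, IP address and DN as in request.inf, same three SAN types) and decodes the SAN so it can be checked before submission; it assumes the openssl CLI is installed and uses temporary paths of its own.

```shell
# Added example (not from the thread or from Dogtag): build a PKCS#10 CSR that
# carries the same SAN entries as the certreq [Extensions] stanza (DNS name,
# IP address, directory name), then decode it to see what the CA receives.
# Assumes the openssl CLI; names, IP and DN are the ones from the thread.
set -e
WORK="${TMPDIR:-/tmp}/san-csr-example.$$"
mkdir -p "$WORK"
write_req_config() {
  # openssl counterpart of request.inf (KeyUsage 0xa0 = digitalSignature +
  # keyEncipherment). dirName RDNs are in ASN.1 order, least specific first;
  # the N. prefixes allow the repeated DC key.
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = ad.winauth.mydomain.net
[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[ alt_names ]
DNS.1     = ad.winauth.mydomain.net
IP.1      = 192.168.1.1
dirName.1 = dc_dn
[ dc_dn ]
0.DC = net
1.DC = mydomain
2.DC = winauth
OU   = Domain Controllers
CN   = AD
EOF
}
make_csr() {
  # Generate a 2048-bit RSA key and the request, check its self-signature,
  # and print the CSR path.
  write_req_config
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/req.key" \
    -out "$WORK/req.csr" -config "$WORK/req.cnf" 2>/dev/null
  openssl req -in "$WORK/req.csr" -noout -verify >/dev/null 2>&1
  echo "$WORK/req.csr"
}
csr_san() {
  # Decode the CSR and print only the SAN value line (what Dogtag parses).
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}
csr_san "$(make_csr)"
```

A certreq-generated request.csr can be passed to csr_san in the same way, which shows exactly which DNS, IP and DirName values the Windows side encoded before the request goes to the CA.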