Sign an OpenSSL .CSR with Microsoft Certificate Authority

3

I'm in the process of building a Debian FreeRadius server that does 802.1x authentication for domain members. I would like to sign my radius server's SSL certificate (used for EAP-TLS) and leverage the domain's existing PKI. The radius server is joined to domain via Samba and has a machine account as displayed in Active Directory Users and Computers. The domain controller I'm trying to sign my radius server's key against does not have IIS installed so I can't use the preferred Certsrv webpage to generate the certificate. The MMC tools won't work as it can't access the certificate stores on the radius server because they don't exist. This leaves the certreq.exe utility.

I'm generating my .CSR with the following command:

openssl req -nodes -newkey rsa:1024 -keyout server.key -out server.csr

The resulting .CSR:

******@mis-ke-lnx:~/G$ openssl req -text -noout -in mis-radius-lnx.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Alaska, L=CITY, O=ORG, OU=DEPT, CN=ME/emailAddress=MYEMAIL
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a8:b3:0d:4b:3f:fa:a4:5f:78:0c:24:24:23:ac:
                    cf:c5:28:af:af:a2:9b:07:23:67:4c:77:b5:e8:8a:
                    08:2e:c5:a3:37:e1:05:53:41:f3:4b:e1:56:44:d2:
                    27:c6:90:df:ae:3b:79:e4:20:c2:e4:d1:3e:22:df:
                    03:60:08:b7:f0:6b:39:4d:b4:5e:15:f7:1d:90:e8:
                    46:10:28:38:6a:62:c2:39:80:5a:92:73:37:85:37:
                    d3:3e:57:55:b8:93:a3:43:ac:2b:de:0f:f8:ab:44:
                    13:8e:48:29:d7:8d:ce:e2:1d:2a:b7:2b:9d:88:ea:
                    79:64:3f:9a:7b:90:13:87:63
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        35:57:3a:ec:82:fc:0a:8b:90:9a:11:6b:56:e7:a8:e4:91:df:
        73:1a:59:d6:5f:90:07:83:46:aa:55:54:1c:f9:28:3e:a6:42:
        48:0d:6b:da:58:e4:f5:7f:81:ee:e2:66:71:78:85:bd:7f:6d:
        02:b6:9c:32:ad:fa:1f:53:0a:b4:38:25:65:c2:e4:37:00:16:
        53:d2:da:f2:ad:cb:92:2b:58:15:f4:ea:02:1c:a3:1c:1f:59:
        4b:0f:6c:53:70:ef:47:60:b6:87:c7:2c:39:85:d8:54:84:a1:
        b4:67:f0:d3:32:f4:8e:b3:76:04:a8:65:48:58:ad:3a:d2:c9:
        3d:63


I'm trying to submit my certificate using the following certreq.exe command:

certreq -submit -attrib "CertificateTemplate:Machine" server.csr

I receive the following error upon doing so:

RequestId: 601
Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Certificate Request Processor: The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Denied by Policy Module


My certificate authority has the following certificate templates available. If I try to submit by certreq.exe using "CertificiateTemplate:Computer" instead of "CertificateTemplate:Machine" I get an error reporting that "the requested certificate template is not supported by this CA."

cert authority


My google-foo has failed me so far on trying to understand this error... I feel like this should be a relatively simple task as X.509 is X.509 and OpenSSL generates the .CSRs in the required PKCS10 format. I can't be only one out there trying to sign a OpenSSL generated key on a Linux box with a Windows Certificate Authority, so how do I do this (perferably using the off-line certreq.exe tool)?

windows-server-2003
debian
openssl
radius
certificate-authority
asked on Server Fault Jan 17, 2012 by (unknown user) • edited Jan 18, 2012 by (unknown user)

1 Answer

2

kce, what the previous poster is hinting at is to verify the properties of the Machine template. It can be found at the 'Certificate Templates' snap-in. Find that template's properties and on the 'Subject Name' tab are the settings on how the Subject Name should be provided to the CA (e.g. 'Supplied in the request' or 'Built from information in Active Directory'.

answered on Server Fault Apr 10, 2012 by captcha

User contributions licensed under CC BY-SA 3.0