Submit unsigned pkcs10 to windows certificate authority


Is it possible to make a Windows Server Certificate Authority accept a PKCS10 certificate request that is unsigned? I get the following error Error Verifying Request Signature or Signing Certificate The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED). I would like for the CA to skip the signature check and just accept the request.

asked on Server Fault May 18, 2018 by Ivan Stanev

1 Answer


No, Microsoft ADCS does not support requests without a single trusted signature. That is, the request must be signed directly (signature is created by requester) or by external signers. In this case, a PKCS#10 request must be embedded in PKCS#7/CMC request and signed with authorized signing certificate.

With CertEnroll you can utilize IX509CertificateRequestCmc COM interface:

  1. load existing unsigned request to IX509CertificateRequestPkcs10 interface
  2. load PKCS10 request to IX509CertificateRequestCmc interface by using InitializeFromInnerRequestTemplateName method
  3. use IX509CertificateRequestCmc::SignerCertificates to provide external signer information (certificate)
  4. load CMC request into IX509Enrollment interface
  5. call IX509Enrollment::CreateRequest to sign and create signed request.

By the end, you will get a signed CMC request with embedded unsigned PKCS#10 request and which you can submit to CA server.

answered on Server Fault May 18, 2018 by Crypt32

User contributions licensed under CC BY-SA 3.0