Cannot Request SmartCard Certs on Behalf of Users

1

I am creating a service to get users' smart cards in a smart-card-only domain (so I can't pass the user's authentication, since they haven't enrolled a smart card; I use other authentication methods to authenticate the user). The user then sends me his CSR, but when I try to create the certificate on behalf of the user I get the following error:

"CertEnroll::CX509Enrollment::Enroll: This type of certificate can be issued only to a user.: The specified role was not configured for the application 0x8004e00c (-2147164148 CONTEXT_E_ROLENOTFOUND)"

I created a service account that has access to the Enrollment Agent certificate template and created a certificate for that account. I also created a smart card template that requires an enrollment agent certificate signature to request the certificate on behalf of users, and gave that service account full access to that template as well. The application runs in an IIS Application Pool that uses that service account as its identity, and I request the certificate using this code (it uses CERTENROLLLib):

// load the enrollment agent certificate that will sign the on-behalf-of request
_cSignerCertificateWrapper.Initialize(true, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(_x509Certificate2Wrapper.RawData));

// decode the CSR sent by the user
var innerRequest = new CX509CertificateRequestPkcs10Class();
innerRequest.InitializeDecode("ContextMachine", EncodingType.XCN_CRYPT_STRING_BINARY);
innerRequest.InitializeDecode(request);

// wrap the CSR in a CMC request for the smart card template, naming the end user and signing with the agent certificate
_cx509CertificateRequestCmcWrapper.InitializeFromInnerRequestTemplateName(innerRequest, templateName);
_cx509CertificateRequestCmcWrapper.RequesterName = requesterName;
_cx509CertificateRequestCmcWrapper.SignerCertificate = _cSignerCertificateWrapper.WrappedObject;
_cx509CertificateRequestCmcWrapper.Encode();

// submit the request to the CA under the current process identity
_cx509EnrollmentWrapper.InitializeFromRequest(_cx509CertificateRequestCmcWrapper.WrappedObject);

try
{
    _cx509EnrollmentWrapper.Enroll();
}
catch (System.Runtime.InteropServices.COMException ex)
{
    // this is where the CONTEXT_E_ROLENOTFOUND error above is raised
    throw new InvalidOperationException("Enrollment failed: " + ex.Message, ex);
}

I also switched the IIS account to run under my user and I still get the error. Do I have to somehow authenticate to the CA, or does it use my IIS identity for the request? (I did verify that it is running under that context by checking the output of System.Security.Principal.WindowsIdentity.GetCurrent().Name.)

c#
.net
x509certificate
certificate-authority
certenroll
asked on Stack Overflow Apr 11, 2019 by pudm • edited Apr 11, 2019 by vik_78

1 Answer

1

You are getting the certificate in machine context; change this line:

_cSignerCertificateWrapper.Initialize(true, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(_x509Certificate2Wrapper.RawData));

to:

_cSignerCertificateWrapper.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(_x509Certificate2Wrapper.RawData));

and remove this line:

innerRequest.InitializeDecode("ContextMachine", EncodingType.XCN_CRYPT_STRING_BINARY);

answered on Stack Overflow Apr 17, 2019 by Tacot
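The corrected enroll-on-behalf-of flow as one complete method, added here as an example rather than code from the question or the answer: it assumes the user's CSR and the agent certificate arrive as base64 strings (constructed inputs), uses the CERTENROLLLib interop classes directly instead of the question's wrapper objects, and checks the enrollment status rather than relying on the exception alone.

```csharp
using System;
using CERTENROLLLib;

// Added example, not code from the question or answer. Assumed inputs:
// userCsrBase64 = the user's PKCS#10 CSR (base64), agentCertBase64 = the
// service account's Enrollment Agent certificate (base64 DER), both supplied
// by the caller; requesterName is the end user as DOMAIN\user.
public static class OnBehalfOfEnrollment
{
    public static string EnrollForUser(string userCsrBase64, string agentCertBase64,
                                       string templateName, string requesterName)
    {
        // Decode the user's CSR. InitializeDecode takes the encoded request and
        // its encoding only; there is no separate "ContextMachine" call.
        var innerRequest = new CX509CertificateRequestPkcs10Class();
        innerRequest.InitializeDecode(userCsrBase64, EncodingType.XCN_CRYPT_STRING_BASE64);

        // Load the Enrollment Agent certificate from the user store of the
        // account running this code (MachineContext = false), so the CA sees a
        // user-role signer rather than a machine one.
        var signer = new CSignerCertificateClass();
        signer.Initialize(false, X509PrivateKeyVerify.VerifyNone,
                          EncodingType.XCN_CRYPT_STRING_BASE64, agentCertBase64);

        // Wrap the CSR in a CMC request for the smart card template, naming the
        // end user and signing with the agent certificate.
        var cmcRequest = new CX509CertificateRequestCmcClass();
        cmcRequest.InitializeFromInnerRequestTemplateName(innerRequest, templateName);
        cmcRequest.RequesterName = requesterName;
        cmcRequest.SignerCertificate = signer;
        cmcRequest.Encode();

        // Submit to the CA under the current process identity (the app pool account).
        var enrollment = new CX509EnrollmentClass();
        enrollment.InitializeFromRequest(cmcRequest);
        enrollment.Enroll();

        // Report the CA's verdict (issued, pended, or an error such as the
        // CONTEXT_E_ROLENOTFOUND text from the question) instead of swallowing it.
        IX509EnrollmentStatus status = enrollment.Status;
        if (status.Status != EnrollmentStatus.Enrolled)
        {
            throw new InvalidOperationException(
                "Enrollment failed: " + status.Status + " - " + status.Text);
        }

        // Return the issued certificate (COM indexed property); the caller writes it to the card.
        return enrollment.Certificate[EncodingType.XCN_CRYPT_STRING_BASE64];
    }
}
```

Because Enroll() submits under the process identity, the agent certificate and its private key must live in that account's own user store, and the CA's enrollment agent restrictions decide which users and templates that agent may request for.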

User contributions licensed under CC BY-SA 3.0