Tuesday, 10 November 2015

Microsoft Windows Server 2008 R2 - Certification Authority and the Missing Template

I'm trying to automate the setup of a Public Key Infrastructure (PKI) using MS Windows Server 2008, in order to understand, document and automate the process of using AD to sign certificates for WebSphere Application Server (WAS), IBM HTTP Server, DB2 etc.

As part of this, I've generated a Certificate Request on my WAS VM: -

AdminTask.createCertificateRequest('[-keyStoreName CellDefaultKeyStore -keyStoreScope (cell):'+cellID+' -certificateAlias nemdemo.uk.ibm.com -certificateSize 2048 -certificateCommonName nemdemo.uk.ibm.com -certificateOrganization -certificateOrganizationalUnit -certificateLocality -certificateState -certificateZip -certificateCountry -certificateRequestFilePath /home/wasadmin/nemdemo.req -signatureAlgorithm SHA256withRSA ]')

and have sent the generated file - nemdemo.req - to my AD server ( thanks pscp.exe ).

From there, I then attempted to generate a certificate: -

certreq nemdemo.req

which, alas, failed with: -

CertError: lib\policyserverlist.cpp(835): Lookup: error 0x80094004 (-2146877436)

CertError: lib\policyserverlist.cpp(858): _GetStringProperty: error 0x80094004 (-2146877436)
CertError: lib\policyserverlist.cpp(835): Lookup: error 0x80094004 (-2146877436)

Active Directory Enrollment Policy
  {30823ACA-B85B-4870-9DEF-1BD6F0377089}
  ldap:
CertError: certlib\comlib.cpp(1814): get_Property(CAPropWebServers): error 0x80094004 (-2146877436)
CertError: certlib\comlib.cpp(2393): myGetCAStringArrayProperty: error 0x80094004 (-2146877436)
RequestId: 39
RequestId: "39"
Certificate not issued (Denied) Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
 The request contains no certificate template information. 0x80094801 (-2146875391)
CertError: certreq\certreq.cpp(4247): Denied(LastStatus): error 0x80094801 (-2146875391)
CertError: certreq\certreq.cpp(4629): CallServerAndStoreCert: error 0x80094801 (-2146875391)
CertError: certreq\certreq.cpp(14299): verbSubmitRequest: error 0x80094801 (-2146875391)
Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

CertError: certlib\main.cpp(200): ArgvMain: error 0x80094801 (-2146875391)


A quick Google search brought me here: -



I tried that, verbatim: -

certreq -submit -attrib ,,CertificateTemplate:Webserver nemdemo.req

but this again failed: -

CertError: lib\policyserverlist.cpp(835): Lookup: error 0x80094004 (-2146877436)

CertError: lib\policyserverlist.cpp(858): _GetStringProperty: error 0x80094004 (-2146877436)
CertError: lib\policyserverlist.cpp(835): Lookup: error 0x80094004 (-2146877436)

Active Directory Enrollment Policy
  {30823ACA-B85B-4870-9DEF-1BD6F0377089}
  ldap:
CertError: certlib\comlib.cpp(1814): get_Property(CAPropWebServers): error 0x80094004 (-2146877436)
CertError: certlib\comlib.cpp(2393): myGetCAStringArrayProperty: error 0x80094004 (-2146877436)
RequestId: 40
RequestId: "40"
Certificate not issued (Denied) Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
 The request contains no certificate template information. 0x80094801 (-2146875391)
CertError: certreq\certreq.cpp(4247): Denied(LastStatus): error 0x80094801 (-2146875391)
CertError: certreq\certreq.cpp(4629): CallServerAndStoreCert: error 0x80094801 (-2146875391)
CertError: certreq\certreq.cpp(14299): verbSubmitRequest: error 0x80094801 (-2146875391)
Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

CertError: certlib\main.cpp(200): ArgvMain: error 0x80094801 (-2146875391)


Then I read this: -


certreq -submit -attrib "CertificateTemplate:WebServer" <Cert Request.req>

At which point, I slapped myself on the head ....

I had read the earlier post, which contained: -

,,

and read that as double-comma, where it was, in fact, double-quotes :-)

Once I tried the CORRECT syntax: -

certreq -submit -attrib "CertificateTemplate:Webserver" nemdemo.req

I got this: -

CertError: lib\policyserverlist.cpp(835): Lookup: error 0x80094004 (-2146877436)

CertError: lib\policyserverlist.cpp(858): _GetStringProperty: error 0x80094004 (-2146877436)
CertError: lib\policyserverlist.cpp(835): Lookup: error 0x80094004 (-2146877436)

Active Directory Enrollment Policy
  {30823ACA-B85B-4870-9DEF-1BD6F0377089}
  ldap:
CertError: certlib\comlib.cpp(1814): get_Property(CAPropWebServers): error 0x80094004 (-2146877436)
CertError: certlib\comlib.cpp(2393): myGetCAStringArrayProperty: error 0x80094004 (-2146877436)
RequestId: 41
RequestId: "41"
CertReq: ICertRequest::Submit(Issued) --> Issued
Certificate retrieved(Issued) Issued


which is MUCH better.

I then went one step further: -

certreq -submit -attrib "CertificateTemplate:Webserver" nemdemo.req nemdemo.cer

which means that I get the certificate written back to the current directory.
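As an added example (not code from the post), the same submission wrapped in a PowerShell function so it can run unattended and report the 0x80094801 denial above in plain terms instead of a wall of CertError lines. The CA config string, template name and file names are placeholders; -q and -config are real certreq switches that suppress interactive prompts and name the target CA, and the certutil -dump check for existing template information is an assumption about that tool's output, not something the post shows.

```powershell
# Added example: submit a PKCS#10 request to an AD CS CA with the CertificateTemplate
# attribute and classify the result. All values below are placeholders.
param(
    [string]$RequestFile = 'nemdemo.req',
    [string]$CertFile    = 'nemdemo.cer',
    [string]$Template    = 'WebServer',
    # "<CAHost>\<CAName>", as printed by "certutil -dump" on the CA. Placeholder value.
    [string]$CaConfig    = 'ca01.example.internal\Example-Issuing-CA'
)

function Test-RequestHasTemplate {
    # Assumption: certutil -dump lists a template extension by its OID
    # (1.3.6.1.4.1.311.20.2) when the CSR already carries one; such a request
    # does not need -attrib at all.
    param([string]$Path)
    $dump = & certutil.exe -dump $Path 2>&1 | Out-String
    return ($dump -match '1\.3\.6\.1\.4\.1\.311\.20\.2')
}

function Submit-RequestToCa {
    param([string]$Path, [string]$TemplateName, [string]$Config, [string]$OutFile)

    # -q suppresses certreq's interactive prompts and -config names the CA, so
    # nothing pops up when this runs from an automation job.
    $argList = @('-submit', '-q', '-config', $Config)
    if (-not (Test-RequestHasTemplate -Path $Path)) {
        # One argument, "CertificateTemplate:<name>": this is what the post's
        # quoted -attrib value expands to. A double comma is not accepted syntax.
        $argList += @('-attrib', "CertificateTemplate:$TemplateName")
    }
    $argList += @($Path, $OutFile)

    $output = & certreq.exe @argList 2>&1 | Out-String
    $exit   = $LASTEXITCODE
    $requestId = if ($output -match 'RequestId:\s*"?(\d+)"?') { $Matches[1] } else { $null }

    if ($output -match 'Issued') {
        return [pscustomobject]@{ Status = 'Issued'; RequestId = $requestId; Certificate = $OutFile }
    }
    if ($output -match '0x80094801') {
        # The policy module could not map the request to a template: either no
        # template info reached the CA, or the name is not published on it
        # ("certutil -CATemplates -config <Config>" lists the published names).
        throw "Request $requestId denied: CA found no usable CertificateTemplate (exit $exit).`n$output"
    }
    if ($output -match 'pending') {
        # CA manager approval required; collect later with
        # certreq -retrieve -config <Config> <RequestId> <OutFile>
        return [pscustomobject]@{ Status = 'Pending'; RequestId = $requestId; Certificate = $null }
    }
    throw "certreq exited with code $exit:`n$output"
}

$result = Submit-RequestToCa -Path $RequestFile -TemplateName $Template -Config $CaConfig -OutFile $CertFile
$result | Format-List
```

The function returns an object rather than printing, so a calling script can branch on Status and keep the RequestId for a later -retrieve; the thrown message on 0x80094801 carries the full certreq output for anyone who still wants the raw lines.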

Now if I can eliminate this popup: -


I'd be happy as Larry.

Who is Larry ?
