OSLEE

LDAPS on DC with Internal CA

I have decided to take the path of setting up an Internal Enterprise CA to enable LDAPS on our DC as I'm unable to get it working with a third party CA due to us not owning our domain externally.

I have created the certificate request by following the MS article.
http://support.microsoft.com/kb/321051/en-us
This is the only article I can find for enabling LDAPS on a DC on the MS site. It does state it's specifically for third-party certificates, though.

When I try to submit it to our internal CA, I get the below error. From what I can understand, I don't have the correct template for the request I'm using.


Certificate Services denied request 5 because The request contains no certificate template information. 0x80094801 (-2146875391).  The request was for CN=xxx.xxxx.xx, C=xx, S=xxxxxxx, L=xxxxx, O=xxxx, OU=xx.  Additional information: Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

Can anybody help me get around this? What are the correct steps I need to take to make LDAPS work on my DC with an internal CA?

Thank you for your help
ASKER CERTIFIED SOLUTION
Paranormastic
OSLEE

ASKER


After working through quite a few errors, I've managed to get as far as the below

Using the first command, I successfully created the ldaps.csr.
The second command, when populated with the correct attribute, gives me "RPC Server is unavailable".

Trying the alternative way via the webpage method to add the SAN attribute, I receive the message
"Error
An unexpected error has occurred"

I can't see anything relevant within the event logs.

Thank you for your response.



You may have firewall issues going to the CA. You can also take out the -config CASERVER.DNS.NAME\CAName portion if you process directly on the CA server.

Did you enable the SAN on the CA, and restart cert services afterwards? SAN should be entered in the Attributes box as:
SAN:DNS="server1.domain.com"&DNS="server1"&DNS="alias1.domain.com"&ipaddress="192.168.0.1"

Make sure to include the subject name in the CSR in the SAN list as well - it is usually best to have that as the first entry, the ordering of the rest is less important.

You can validate the integrity of the CSR file with "certutil -dump filename.csr | more" - there will be stuff all over the place for text, but it should be in a somewhat readable format. If it has a bunch of hex on the left and characters on the right then it is corrupt. A good one will look kind of like this at the beginning:

C:\CertTemp>certutil -dump test.csr   | more
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
PKCS10 Certificate Request:
Version: 1
Subject:
    CN=server1.domain.com (include this in the SAN as well)
    OU=Dept Name
    O=Company Name
    L=Locality (City)
    S=State
    C=Country Abbreviation

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000  11 22 33 44 55 66 77 88  99 00 aa bb cc dd ee ff
--and so on--

ASKER

Hi Paranormastic

Apologies for not explaining well what I had completed earlier.

I'm sure I don't have any firewall issues.

I also enabled SAN on the CA and restarted the services.
 
I'm unable to put the SAN attributes in the web form box as I receive the "An unexpected error has occurred" message as soon as I press the request a certificate link. I suspect IIS perms or similar.

I'll have a squizz around, but if you have any suggestions in the meantime, please let me know.

Thank you

ASKER

Correction: the error occurs on the second page of the web submission when I click

"Create and submit a request to this CA"

On another note, I've also checked the CSR file with certutil -dump and it looks good.

 
For submitting a CSR use the 2nd link on the 2nd page "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."

You can check IIS perms and reset IIS, you can also try this:
certutil -vroot
This will recreate the web stuff.

ASKER

Upon using the second link, I receive the message

"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory"

I've followed this article
http://support.microsoft.com/kb/811418
and the two values they suggest I check are identical.

I've then run "certutil -vroot" and restarted the IIS services to rebuild the web stuff; however, it is still the same problem.
Maybe a fresh build of the certificate server is needed? The error I'm receiving now is very similar to the original error regarding the missing templates.

I'll keep at it for a little longer but if you have any further suggestions just post them through.

Thanks for your help so far


If you open certtmpl.msc do you see Windows 2000 and Windows 2003 templates listed?

If you open certsrv.msc on the CA (or redirect to the CA from your workstation - requires XP with adminpak or is standard with Vista) - expand CAName and select the Certificate Templates folder - do you see the desired template(s) listed? If not, right-click the Certificate Templates folder - New - Certificate Template to Issue... - select a template.

To support templates you should have an enterprise edition OS with an enterprise CA (root or preferably subordinate).  Your AD should hopefully be at least 2003 native mode.

Was this CA upgraded in-place from a standard edition to enterprise?  If so, let me know so I can show you how to update the SKU for the CA to work right.

ASKER

Thank you for your assistance all. After a certificate server rebuild and following the article http://support.microsoft.com/kb/931351, I was able to successfully issue a working certificate to our DC.

I configured the CA to accept a SAN attribute

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc


Then I used the Certreq.exe utility to create and submit a certificate request that includes a SAN, with the below commands in this order.

certreq -new request.inf certnew.req

certreq -submit certnew.req certnew.cer

certreq -retrieve RequestID certnew.cer

certreq -accept certnew.cer


BINGO!! I was able to connect to SSL LDAP !

Thank you again
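Added example, not the thread's own commands: the same certreq workflow in PowerShell, but with the template name and the SAN carried inside the CSR. That avoids the original "no certificate template information" rejection and means the CA does not need EDITF_ATTRIBUTESUBJECTALTNAME2, a flag that lets any requester assert arbitrary names in a SAN attribute. The DC name, CA config string and template name are assumed placeholders; the template must permit the subject to be supplied in the request.

```powershell
# Added example, not from the thread. Assumed values: the DC name, the CA
# config string and the template name; replace them with your own.
$dcFqdn   = "dc1.corp.example"
$dcShort  = "dc1"
$caConfig = "CASERVER.DNS.NAME\CAName"   # same form the thread uses for -config
$template = "WebServer"                   # must allow "supply subject in request"
# The SAN and the template name both travel inside the CSR, so the CA needs
# neither EDITF_ATTRIBUTESUBJECTALTNAME2 nor a manual template attribute.
$inf = @"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=$dcFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = $template
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$dcFqdn&"
_continue_ = "dns=$dcShort"
"@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

certreq -new request.inf certnew.req
certreq -submit -config $caConfig certnew.req certnew.cer
certreq -accept certnew.cer

# Check the result the way an LDAP client will: a TLS handshake on 636 that
# validates the chain and the host name against the certificate presented.
function Test-Ldaps([string]$Server) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Server)       # throws on chain or name mismatch
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter; Protocol = $ssl.SslProtocol }
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}
Test-Ldaps $dcFqdn
```

If the CA holds the request as pending, the -submit step reports a request ID and the thread's certreq -retrieve RequestID step is needed before -accept.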