Sign an OpenSSL .CSR with Microsoft Certificate Authority

Posted by kce on Server Fault See other posts from Server Fault or by kce
Published on 2012-01-17T23:53:10Z Indexed on 2012/04/10 5:32 UTC
Read the original article Hit count: 799

I'm in the process of building a Debian FreeRadius server that does 802.1x authentication for domain members. I would like to sign my radius server's SSL certificate (used for EAP-TLS) and leverage the domain's existing PKI. The radius server is joined to domain via Samba and has a machine account as displayed in Active Directory Users and Computers. The domain controller I'm trying to sign my radius server's key against does not have IIS installed so I can't use the preferred Certsrv webpage to generate the certificate. The MMC tools won't work as it can't access the certificate stores on the radius server because they don't exist. This leaves the certreq.exe utility.

I'm generating my .CSR with the following command:

openssl req -nodes -newkey rsa:1024 -keyout server.key -out server.csr

The resulting .CSR:

******@mis-ke-lnx:~/G$ openssl req -text -noout -in mis-radius-lnx.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Alaska, L=CITY, O=ORG, OU=DEPT, CN=ME/emailAddress=MYEMAIL
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a8:b3:0d:4b:3f:fa:a4:5f:78:0c:24:24:23:ac:
                    cf:c5:28:af:af:a2:9b:07:23:67:4c:77:b5:e8:8a:
                    08:2e:c5:a3:37:e1:05:53:41:f3:4b:e1:56:44:d2:
                    27:c6:90:df:ae:3b:79:e4:20:c2:e4:d1:3e:22:df:
                    03:60:08:b7:f0:6b:39:4d:b4:5e:15:f7:1d:90:e8:
                    46:10:28:38:6a:62:c2:39:80:5a:92:73:37:85:37:
                    d3:3e:57:55:b8:93:a3:43:ac:2b:de:0f:f8:ab:44:
                    13:8e:48:29:d7:8d:ce:e2:1d:2a:b7:2b:9d:88:ea:
                    79:64:3f:9a:7b:90:13:87:63
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        35:57:3a:ec:82:fc:0a:8b:90:9a:11:6b:56:e7:a8:e4:91:df:
        73:1a:59:d6:5f:90:07:83:46:aa:55:54:1c:f9:28:3e:a6:42:
        48:0d:6b:da:58:e4:f5:7f:81:ee:e2:66:71:78:85:bd:7f:6d:
        02:b6:9c:32:ad:fa:1f:53:0a:b4:38:25:65:c2:e4:37:00:16:
        53:d2:da:f2:ad:cb:92:2b:58:15:f4:ea:02:1c:a3:1c:1f:59:
        4b:0f:6c:53:70:ef:47:60:b6:87:c7:2c:39:85:d8:54:84:a1:
        b4:67:f0:d3:32:f4:8e:b3:76:04:a8:65:48:58:ad:3a:d2:c9:
        3d:63


I'm trying to submit my certificate using the following certreq.exe command:

certreq -submit -attrib "CertificateTemplate:Machine" server.csr

I receive the following error upon doing so:

RequestId: 601
Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Certificate Request Processor: The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Denied by Policy Module


My certificate authority has the following certificate templates available. If I try to submit by certreq.exe using "CertificiateTemplate:Computer" instead of "CertificateTemplate:Machine" I get an error reporting that "the requested certificate template is not supported by this CA."

cert authority


My google-foo has failed me so far on trying to understand this error... I feel like this should be a relatively simple task as X.509 is X.509 and OpenSSL generates the .CSRs in the required PKCS10 format. I can't be only one out there trying to sign a OpenSSL generated key on a Linux box with a Windows Certificate Authority, so how do I do this (perferably using the off-line certreq.exe tool)?

© Server Fault or respective owner

Related posts about windows-server-2003

Related posts about debian