Sign an OpenSSL .CSR with Microsoft Certificate Authority
- by kce
I'm in the process of building a Debian FreeRadius server that does 802.1x authentication for domain members. I would like to sign my radius server's SSL certificate (used for EAP-TLS) and leverage the domain's existing PKI. The radius server is joined to domain via Samba and has a machine account as displayed in Active Directory Users and Computers. The domain controller I'm trying to sign my radius server's key against does not have IIS installed so I can't use the preferred Certsrv webpage to generate the certificate. The MMC tools won't work as it can't access the certificate stores on the radius server because they don't exist.
This leaves the certreq.exe utility.
I'm generating my .CSR with the following command:
openssl req -nodes -newkey rsa:1024 -keyout server.key -out server.csr
The resulting .CSR:
******@mis-ke-lnx:~/G$ openssl req -text -noout -in mis-radius-lnx.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Alaska, L=CITY, O=ORG, OU=DEPT, CN=ME/emailAddress=MYEMAIL
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a8:b3:0d:4b:3f:fa:a4:5f:78:0c:24:24:23:ac:
cf:c5:28:af:af:a2:9b:07:23:67:4c:77:b5:e8:8a:
08:2e:c5:a3:37:e1:05:53:41:f3:4b:e1:56:44:d2:
27:c6:90:df:ae:3b:79:e4:20:c2:e4:d1:3e:22:df:
03:60:08:b7:f0:6b:39:4d:b4:5e:15:f7:1d:90:e8:
46:10:28:38:6a:62:c2:39:80:5a:92:73:37:85:37:
d3:3e:57:55:b8:93:a3:43:ac:2b:de:0f:f8:ab:44:
13:8e:48:29:d7:8d:ce:e2:1d:2a:b7:2b:9d:88:ea:
79:64:3f:9a:7b:90:13:87:63
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
35:57:3a:ec:82:fc:0a:8b:90:9a:11:6b:56:e7:a8:e4:91:df:
73:1a:59:d6:5f:90:07:83:46:aa:55:54:1c:f9:28:3e:a6:42:
48:0d:6b:da:58:e4:f5:7f:81:ee:e2:66:71:78:85:bd:7f:6d:
02:b6:9c:32:ad:fa:1f:53:0a:b4:38:25:65:c2:e4:37:00:16:
53:d2:da:f2:ad:cb:92:2b:58:15:f4:ea:02:1c:a3:1c:1f:59:
4b:0f:6c:53:70:ef:47:60:b6:87:c7:2c:39:85:d8:54:84:a1:
b4:67:f0:d3:32:f4:8e:b3:76:04:a8:65:48:58:ad:3a:d2:c9:
3d:63
I'm trying to submit my certificate using the following certreq.exe command:
certreq -submit -attrib "CertificateTemplate:Machine" server.csr
I receive the following error upon doing so:
RequestId: 601
Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Certificate Request Processor: The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Denied by Policy Module
My certificate authority has the following certificate templates available. If I try to submit by certreq.exe using "CertificiateTemplate:Computer" instead of "CertificateTemplate:Machine" I get an error reporting that "the requested certificate template is not supported by this CA."
My google-foo has failed me so far on trying to understand this error... I feel like this should be a relatively simple task as X.509 is X.509 and OpenSSL generates the .CSRs in the required PKCS10 format. I can't be only one out there trying to sign a OpenSSL generated key on a Linux box with a Windows Certificate Authority, so how do I do this (perferably using the off-line certreq.exe tool)?
