Microsoft KB Archive/830056

= How to create an offline certificate request for a domain controller when you do not have direct network access to the certification authority =

PSS ID Number: 830056

Article Last Modified on 6/25/2004

-

The information in this article applies to:


 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Server

-



This article is superseded by the following "Advanced Certificate Enrollment and Management" whitepaper:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx



IN THIS TASK

 * SUMMARY
 * Creating the .inf file
 * Windows 2000 Server stand-alone certification authority
 * Windows Server 2003 stand-alone certification authority
 * Windows Server 2003 enterprise certification authority
 * MORE INFORMATION



SUMMARY
This step-by-step article describes how to create an offline certificate request when you do not have direct network access to the certification authority (CA). You may have to create an offline certificate request in situations where a branch office domain controller has no connection to the CA.

For example, a branch office domain controller may be connected to the central site only through a firewall, and only port 25 may be open for Simple Mail Transfer Protocol (SMTP) replication. The domain controller cannot enroll a domain controller certificate, and therefore SMTP replication will fail. Because the CA is located in the central site, and the firewall is blocking RPC traffic, the branch office domain controller cannot contact the CA to enroll its certificate. In this situation, you must request the domain controller certificate offline.

To request a domain controller certificate, you typically establish a temporary virtual private network (VPN) or Internet Protocol security (IPSec) connection between the branch office domain controller and the CA in the central site. Then you request the certificate online, either by using autoenrollment or by using the Certificates Microsoft Management Console (MMC). However, sometimes you cannot follow these steps to request a domain controller certificate. For example, if your firewall or your security policy does not allow a temporary VPN or IPSec connection between the branch office domain controller and the CA in the central site, you must request the domain controller certificate offline. In these cases, you can request an offline domain controller certificate by transferring the request onto a floppy disk. You can take the floppy disk to a location in the domain where connectivity to the CA is available.


Creating the .inf file
Note A certificate that is to be used for SMTP replication must meet the following requirements:
 * The certificate must contain the "Certificate Template Name" (object identifier: 1.3.6.1.4.1.311.20.2) extension. (Object identifier is also known as OID.)
 * The value of that extension must be "DomainController."
 * The certificate must contain a "Subject Alternative Name" (object identifier: 2.5.29.17) extension that includes both the GUID of the domain controller account and the fully qualified domain name (FQDN).

Typically, both extensions are automatically inserted in the certificate when you enroll the certificate online. However, when you request the domain controller certificate offline, you must provide the extensions manually in the offline request.

To create the .inf file that will supply input information for the request, follow these steps:

 * 1) Create a file and name it Dcname.inf. Copy the following code into the file:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN=dcname.domain.tld"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

 * 2) Modify the following line in the Dcname.inf file to correspond with your domain controller:

Subject = "CN=dcname.domain.tld"

For example, if your domain is contoso.com, and your domain controller name is contoso, type CN=contoso.contoso.com.

 * 3) On the branch office domain controller, type the following command:

CERTREQ -new dcname.inf dcname.req

Note The version of the Certutil.exe file that is supplied with Microsoft Windows 2000 Server does not support new options, such as the -setextension option, that are supported in the version of the Certutil.exe file that is supplied with Microsoft Windows Server 2003. However, you can run the new options on a computer that is running Windows 2000 Server if you manually copy the following files to a new folder on the Windows 2000-based server, and then run the files from a command prompt in that folder: Certreq.exe, Certutil.exe, Certcli.dll, Certadm.dll

Warning
 * Do not replace the original files on the computer that is running Windows 2000 Server. Copy the new files to a unique folder, and then run the files from a command prompt in that folder.
 * Do not register the .dll files that you copy from the Windows Server 2003-based computer.

 * 4) Copy the Dcname.req file to one of the following:
   * A floppy disk or other type of media for eventual transfer to the CA in the central site
   * A computer in the domain with connectivity to the CA
 * 5) To prepare the CA, type the following command:

CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

This command enables the CA to accept the "Subject Alternative Name" that you will submit in the request. If you submit more offline domain controller requests to this CA, you do not have to set the EditFlags value again. The value is persistent until you reset it to the default setting by typing CERTUTIL -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2.

Note This setting affects all certificate requests that are submitted to your CA. While it is set, the CA honors a "Subject Alternative Name 2" attribute in any certificate request, from any requester, which is why you should reset the flag as soon as the offline enrollment is complete.

To see the localized friendly name for this object identifier, type certutil -oid 2.5.29.17. The following message is returned:

2.5.29.17 -- Subject Alternative Name
CertUtil: -oid command completed successfully.

Note Use the suffix "2" only when you must indicate that the text refers to the szOID_SUBJECT_ALT_NAME2 ("2.5.29.17") extension instead of to the obsolete szOID_SUBJECT_ALT_NAME ("2.5.29.7") extension.

 * 6) Restart the CA service. To do this, type the following commands, and then press ENTER after each command:

net stop certsvc
net start certsvc

Continue with one of the following methods. Select the method that matches your public key infrastructure.


Windows 2000 Server stand-alone certification authority
If you are using a Windows 2000 Server stand-alone CA, follow these steps:

 * 1) Verify that the policy module of the CA is not configured to automatically issue certificates. You may have to temporarily set this configuration and then resume typical issuance for other computers and domain controllers.

Note For an enterprise CA, the template can be configured to put submitted requests in the pending state. For a stand-alone CA, which does not support templates, the default configuration causes all requests to be put in the pending state. When a request is in this state, an administrator must take explicit action to issue the certificate or deny the request.

 * 2) Copy the Dcname.req file that you created on a floppy disk to a location that the CA can access.
 * 3) Use Notepad to create a file, and then name it Dctemplate.asn1. Put the following text in the file:

1e 20 00 44 00 6f 00 6d 00 61 00 69 00 6e 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 6c 00 65 00 72

 * 4) Create a file, and then name it Dcname_SAN.asn1. Put the following text in the file:

30 YY a0 1f 06 09 2b 06 01 04 01 82 37 19 01 a0 12 04 10 <GUID> 82 XX <FQDN>

 * 5) Modify the Dcname_SAN.asn1 file so that it corresponds to your domain controller. To do this, follow these steps:
   * a) In the first line, replace the second byte "YY" with the length of the whole extension, represented as a hexadecimal byte. The byte must reflect the length of your FQDN plus the GUID length. Because the GUID and the other parts of the structure are of constant length, you can calculate the value by adding 35 to your FQDN length.
   * b) In the second line, replace <GUID> with the byte representation of the domain controller account GUID in the Active Directory domain naming context. You can use the Adsiedit.msc tool to look up the objectGUID attribute (in hexadecimal representation) from the computer object of your branch office domain controller.
   * c) In the third line, replace the second byte "XX" with the length of the domain controller's FQDN, represented as a hexadecimal byte.
   * d) Encode the FQDN with the ASCII byte representation of each character, and then replace the <FQDN> in the last line.
   * e) Verify the contents of the Dcname_SAN.asn1 file. For example, if the FQDN is Dcname.domain.tld, and the GUID of the domain controller's account in the Active Directory domain naming context is {28662b67-7b64-4191-a7bd-95a74fab392c}, then the following is true:
     * The FQDN length is 17 (11 in hexadecimal).
     * You add the constant 35 to the length of the FQDN, and then use 35 + 17 = 52 (34 in hexadecimal) as the length of the whole extension.
     * The GUID's hexadecimal byte representation is: 67 2B 66 28 64 7B 91 41 A7 BD 95 A7 4F AB 39 2C.
     * The FQDN that is encoded by its ASCII byte representation is: 64 63 6e 61 6d 65 2e 64 6f 6d 61 69 6e 2e 74 6c 64.

In this example, the Dcname_SAN.asn1 file will look similar to the following:

30 34 a0 1f 06 09 2b 06 01 04 01 82 37 19 01 a0 12 04 10 67 2B 66 28 64 7B 91 41 A7 BD 95 A7 4F AB 39 2C 82 11 64 63 6e 61 6d 65 2e 64 6f 6d 61 69 6e 2e 74 6c 64

Note These modifications will work only as long as the length of the FQDN is less than 92 characters. If the FQDN is greater than 92 characters, the whole data structure will change to follow the ASN.1 standard. In this case, Microsoft recommends that you find a more reliable method to create the binary file.

Other ways to obtain the encoded extension:
 * If you already have a domain controller certificate for this domain controller, you can type CERTUTIL -v dccert.cer at a command prompt to display the contents of the certificate. You can also copy and paste the byte representation of the "Subject Alternative Name" extension in the certificate.
   Note The Certutil.exe file is available in Windows Server 2003 or in Windows 2000 Server when you install Certificate Services.
 * You can also use the CCertEncodeAltName class to implement your own application to create an ASN.1 file with the encoded SAN attribute.
 * A Windows Server 2003 CA can accept the Subject Alternative Name (SAN) and the Certificate Name as an attribute in the request to make this process easier. For more information, see the Windows Server 2003 stand-alone certification authority section of this article.

 * 6) Type the following commands, where <RequestID> is the ID that the CERTREQ -submit command returns, and press ENTER after each line:

CERTREQ -submit dcname.req
CERTUTIL -setextension <RequestID> 1.3.6.1.4.1.311.20.2 0 @dctemplate.asn1
CERTUTIL -setextension <RequestID> 2.5.29.17 0 @dcname_SAN.asn1

 * 7) Use the CA MMC snap-in to issue the certificate, and then type the following command, where <RequestID> is the ID that the CERTREQ -submit command returns, and then press ENTER:

CERTREQ -retrieve <RequestID> dcname.cer dcname.p7b

 * 8) Store the retrieved certificate on a floppy disk or on other media to transfer to the domain controller.
 * 9) To install the certificate on the target domain controller, type the following command:

CERTREQ -accept dcname.cer

Or, to install the whole certificate chain, type the following command:

CERTREQ -accept dcname.p7b
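Building Dctemplate.asn1 and Dcname_SAN.asn1 programmatically, as an added example that is not part of the Microsoft article and not Microsoft's code: the function names (encode_template_name, encode_dc_san, der_length, to_hex_text) and the constant NTDS_GUID_OID are ours, and only the Python standard library is used. It reproduces the article's worked example byte for byte and goes beyond the hand-edited template in one respect: because it computes the DER lengths itself, the 92-character limit in the note above does not apply (that limit comes from 35 + 92 = 127 being the largest length that fits in a single DER length byte; the encoder switches to the long form above that).

```python
"""
Added example (not Microsoft's code and not part of KB 830056): build the two
ASN.1 extension values that the offline domain controller request needs,
Dctemplate.asn1 and Dcname_SAN.asn1, instead of editing the hex template by
hand. Function names and the sample inputs are ours; the byte layout follows
the article's worked example.
"""
import uuid

# Contents of the article's "06 09 2b 06 01 04 01 82 37 19 01" OID element:
# 1.3.6.1.4.1.311.25.1, the otherName type that carries the DC account GUID.
NTDS_GUID_OID = bytes.fromhex("2b0601040182371901")

# DER tags used below (X.509 GeneralName context-specific tags included)
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_OCTET_STRING = 0x04
TAG_BMPSTRING = 0x1E
TAG_OTHER_NAME = 0xA0   # [0] constructed: otherName
TAG_EXPLICIT_0 = 0xA0   # [0] EXPLICIT wrapper around the otherName value
TAG_DNS_NAME = 0x82     # [2] primitive: dNSName (IA5String)


def der_length(n: int) -> bytes:
    """DER length octets: one byte below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    """Tag, DER length, value."""
    return bytes([tag]) + der_length(len(value)) + value


def encode_template_name(name: str = "DomainController") -> bytes:
    """Value of the Certificate Template Name extension (1.3.6.1.4.1.311.20.2):
    a BMPString, i.e. UTF-16BE text. "DomainController" gives the article's
    "1e 20 00 44 00 6f ..." bytes."""
    return der_tlv(TAG_BMPSTRING, name.encode("utf-16-be"))


def encode_dc_san(fqdn: str, guid: str) -> bytes:
    """Value of the Subject Alternative Name extension (2.5.29.17) for a DC:
    SEQUENCE { otherName { 1.3.6.1.4.1.311.25.1, [0] OCTET STRING guid },
               dNSName fqdn }."""
    # objectGUID is stored with the first three groups little-endian; that is
    # what uuid.bytes_le returns and what the article's "67 2B 66 28 ..." shows.
    guid_bytes = uuid.UUID(guid).bytes_le
    other_name = der_tlv(
        TAG_OTHER_NAME,
        der_tlv(TAG_OID, NTDS_GUID_OID)
        + der_tlv(TAG_EXPLICIT_0, der_tlv(TAG_OCTET_STRING, guid_bytes)),
    )
    dns_name = der_tlv(TAG_DNS_NAME, fqdn.encode("ascii"))
    return der_tlv(TAG_SEQUENCE, other_name + dns_name)


def to_hex_text(data: bytes) -> str:
    """Space-separated hex bytes, the text form the article feeds to
    'certutil -setextension ... @file'."""
    return " ".join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    # Constructed sample inputs, taken from the article's worked example
    fqdn = "dcname.domain.tld"
    guid = "{28662b67-7b64-4191-a7bd-95a74fab392c}"
    print("Dctemplate.asn1:", to_hex_text(encode_template_name()))
    print("Dcname_SAN.asn1:", to_hex_text(encode_dc_san(fqdn, guid)))
```

Write each function's output to the corresponding .asn1 file and feed it to CERTUTIL -setextension exactly as in step 6. The second byte of the SAN output is the "YY" value from step 5a (35 plus the FQDN length) whenever the FQDN is short enough for a single-byte length; for longer names der_length emits the two- or three-byte long form automatically.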


Windows Server 2003 stand-alone certification authority
If you are using a Windows Server 2003 stand-alone CA, follow these steps:
 * 1) Copy the Dcname.req file that you created to a location that the CA can access.
 * 2) Type the following command, where <GUID> is the GUID from the computer object of your branch office domain controller.
 * 3) Use the CA MMC snap-in to issue the certificate.
 * 4) Type the following command, where <RequestID> is the ID that the CERTREQ -submit command returns, and then press ENTER:

CERTREQ -retrieve <RequestID> dcname.cer dcname.p7b

 * 5) Store the retrieved certificate on a floppy disk or on other media to transfer to the domain controller.
 * 6) To install the certificate on the target domain controller, type the following command:

CERTREQ -accept dcname.cer

Or, to install the whole certificate chain, type the following command:

CERTREQ -accept dcname.p7b


Windows Server 2003 enterprise certification authority
If you are using a Windows Server 2003 enterprise CA, follow these steps:
 * 1) Use the Adsiedit.msc tool to modify the domain controller certificate template that is found in the following container:

CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=yourdomain,DC=tld

 * 2) Set the following value:

msPKI-Certificate-Name-Flag: 268435456

Note Before you continue with the next step, you must wait until the modification has been replicated to the domain controller that the CA uses. While this value is in place it applies to every request that uses the DomainController template, so restore the original value (step 7) as soon as the offline enrollment is complete.

 * 3) Copy the Dcname.req file that you created to a location that the CA can access.
 * 4) On the CA, type the following command, where <GUID> is the GUID from the computer object of your branch office domain controller:

CERTREQ -SUBMIT -ATTRIB "CertificateTemplate:DomainController\nSAN:guid=<GUID>&DNS=dcname.domain.tld" dcname.req dcname.cer dcname.p7b

 * 5) Copy the retrieved Dcname.cer file to the target domain controller.
 * 6) To install the certificate on the target domain controller, type the following command:

CERTREQ -accept dcname.cer

Or, to install the whole certificate chain, type the following command:

CERTREQ -accept dcname.p7b

 * 7) After you enroll the offline domain controller certificates, restore the following original value to undo the change that you made to the domain controller certificate template:

msPKI-Certificate-Name-Flag: 419430400

Note Microsoft does not support the use of an offline domain controller certificate request from a Microsoft Windows 2000 enterprise CA. For more information, contact Microsoft Support.

