Score:0

Can't create a custom CSR using mmc and certificates snap-in on Windows 10

cy flag

I am trying to generate a custom CSR using the certificates snap-in for mmc on Windows 10. The certificate I want to create is a client authentication cert using ECC. However, I have run into a persistent issue that is preventing me from generating the CSR. No matter the content of the request, if I use (No template) CNG key I get the error "One or more of the object's properties are missing or invalid", and the private key generation dialog is completely insensitive. So no CSR is generated.

On the other hand, if I choose (No template) Legacy Key, then there is no problem, but the Legacy providers don't do ECC and their protection for private keys is weaker.

I suspect that this is not a problem with the certificates snap-in but rather with the underlying certificate infrastructure for Active Directory. In researching the problem I found articles that seem to indicate that some changes were made to the certificate infrastructure of Windows Server. These links are not directly relevant to my issue but they may provide hints to someone more familiar with Windows than I.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/cng-templates-not-appear-certificate-web-enrollment
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/ca-cant-use-certificate-template
https://learn.microsoft.com/en-us/microsoft-identity-manager/certificate-manager-for-software-certificates

I've run out of ideas. If I can't get this to work I may resort to generating the CSR with openssl and importing the resulting cert and keys into Windows.

cn flag
`suspect that this is not a problem with the certificates snap-in but rather with the underlying certificate infrastructure for Active Directory`. I've never used the graphical interface to create a certificate request. I always use certreq with a template file that specifies every detail. You may want to research that. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1
hkc94501
cy flag
Well that led to an interesting exploration of certreq and certutil. Can those commands be used for ECC or CNG crypto providers? On my system, and my system might be screwed up, certutil -cspdisplay shows only CryptoAPI (old system) providers. Interestingly, certutil -displayECCcurve works listing all the NIST, Brainpool, secp, and x962 curves.
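The certreq route suggested in the comment above, as an added example that is not part of this thread: a certreq INF that asks for an ECDSA P-256 client-authentication key in the CNG key storage provider (the provider family the "(No template) CNG key" path in mmc targets), driven from PowerShell. The subject, friendly name and file paths are assumptions.

```powershell
# Added example (not from the thread): ECC client-auth CSR via certreq + CNG KSP.
# Subject, friendly name and file names below are assumptions; adjust as needed.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Assumed subject for the client certificate
Subject = "CN=client01.example.test"
FriendlyName = "ECC client auth (example)"
; CNG provider, not a legacy CryptoAPI CSP, so ECC curves are available
ProviderName = "Microsoft Software Key Storage Provider"
; ECDSA_P384 and ECDSA_P521 are also accepted by certreq
KeyAlgorithm = ECDSA_P256
KeyLength = 256
; 0x80 = digitalSignature, which is all an ECDSA client-auth key needs
KeyUsage = 0x80
HashAlgorithm = sha256
RequestType = PKCS10
; false = current-user store; set true (and run elevated) for a machine key
MachineKeySet = false
; keep the private key non-exportable in the KSP
Exportable = false
UserProtected = false

[EnhancedKeyUsageExtension]
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2
'@

$infPath = Join-Path $env:TEMP 'ecc-client.inf'
$csrPath = Join-Path $env:TEMP 'ecc-client.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key in the CNG KSP and write the PKCS#10 request.
certreq -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Checks: the request should carry an EC public key, and the pending request
# should now appear in the user's Certificate Enrollment Requests store.
certutil -dump $csrPath | Select-String -Pattern 'Algorithm ObjectId', 'ECDSA', 'ECC', 'Public Key Length'
certutil -user -store REQUEST
```

Once the CA returns the certificate, `certreq -accept` on the issued file binds it to the private key that already lives in the KSP, so nothing needs to be exported or imported by hand.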