我正在尝试为新的 Windows AD CS Enterprise Subordinate CA(Windows Server 2019)手动创建密钥和 CSR。
我想将密钥存储在现代Microsoft 软件密钥存储提供商。
它失败了Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF)
。
我使用的命令是:certreq.exe -new C:\requestconfig.inf C:\certificate.req
该C:\requestconfig.inf
文件是这样的:
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=My Subordinate CA"
HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Software Key Storage Provider"
KeyContainer = "My Subordinate CA"
ExportableEncrypted = true
MachineKeySet = true
RequestType = PKCS10
SuppressDefaults = true
SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)"
[RequestAttributes]
CertificateTemplate = SubCA
[Extensions]
2.5.29.15 = "{critical}{hex}03020186" ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing
2.5.29.19 = "{critical}{text}ca=1&pathlength=1" ; Basic Constraints (critical)
1.3.6.1.4.1.311.21.1 = "{hex}020100" ; CA Version V0.0
故障排除步骤
我通过运行以下命令检查了 CSP 是否有效certutil -csplist
:
[...]
Provider Name: Microsoft Strong Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL
Provider Name: Microsoft Software Key Storage Provider
Provider Name: Microsoft Passport Key Storage Provider
[...]
它没有提供程序类型,但是尽管如此,我ProviderType = 0
还是将其添加ProviderType = 1
到配置中,但无济于事。
我能够使用非常相似的配置来创建我的根证书:
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=My Root CA"
HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 4096
;KeyUsage = CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
ProviderName = "Microsoft Software Key Storage Provider"
KeyContainer = "My Root CA"
ExportableEncrypted = true
MachineKeySet = true
RequestType = Cert
SuppressDefaults = true
SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)
[Extensions]
2.5.29.15 = {critical}{hex}03020186 ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing
2.5.29.19 = {critical}{text}ca=1&pathlength=None ; Basic Constraints (critical)
1.3.6.1.4.1.311.21.1 = {hex}020100 ; CA Version V0.0
主要区别在于,使用此配置,我创建了密钥和证书,而不是密钥和 CSR。区别在于:RequestType
是Cert
和 不是PKCS10
,并且它没有RequestAttributes
部分。此配置没有失败NTE_PROV_TYPE_NOT_DEF
。
什么原因导致我的子 CA 配置突然失败?
答案1
您必须添加:
KeySpec=0
至NewRequest
部分。certreq 默认为,AT_EXCHANGE
而 CNG 提供商不支持 KeySpec。
只是出于好奇,为什么您不使用 ADCS CA 安装向导来生成 CA 请求?