创建新的 SubCA 证书失败,出现 NTE_PROV_TYPE_NOT_DEF

tag-icon tag-icon windows certificate pki private-key cryptography
创建新的 SubCA 证书失败,出现 NTE_PROV_TYPE_NOT_DEF

我正在尝试为新的 Windows AD CS Enterprise Subordinate CA(Windows Server 2019)手动创建密钥和 CSR。

我想将密钥存储在现代Microsoft 软件密钥存储提供商

它失败了Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF)

我使用的命令是:certreq.exe -new C:\requestconfig.inf C:\certificate.req

C:\requestconfig.inf文件是这样的:

[Version]
Signature= "$Windows NT$"


[NewRequest]
Subject = "CN=My Subordinate CA"

HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 2048

ProviderName = "Microsoft Software Key Storage Provider"
KeyContainer = "My Subordinate CA"
ExportableEncrypted = true
MachineKeySet = true
RequestType = PKCS10
SuppressDefaults = true
SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)"


[RequestAttributes]
CertificateTemplate = SubCA


[Extensions]
2.5.29.15 = "{critical}{hex}03020186" ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing
2.5.29.19 = "{critical}{text}ca=1&pathlength=1" ; Basic Constraints (critical)
1.3.6.1.4.1.311.21.1 = "{hex}020100" ; CA Version V0.0

故障排除步骤

我通过运行以下命令检查了 CSP 是否有效certutil -csplist

[...]
Provider Name: Microsoft Strong Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Software Key Storage Provider

Provider Name: Microsoft Passport Key Storage Provider
[...]

它没有提供程序类型,但是尽管如此,我ProviderType = 0还是将其添加ProviderType = 1到配置中,但无济于事。

我能够使用非常相似的配置来创建我的根证书:

[Version]
Signature= "$Windows NT$"


[NewRequest]
Subject = "CN=My Root CA"

HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 4096
;KeyUsage = CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE

ProviderName = "Microsoft Software Key Storage Provider"
KeyContainer = "My Root CA"
ExportableEncrypted = true
MachineKeySet = true
RequestType = Cert
SuppressDefaults = true
SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)


[Extensions]
2.5.29.15 = {critical}{hex}03020186 ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing
2.5.29.19 = {critical}{text}ca=1&pathlength=None ; Basic Constraints (critical)
1.3.6.1.4.1.311.21.1 = {hex}020100 ; CA Version V0.0

主要区别在于,使用此配置,我创建了密钥和证书,而不是密钥和 CSR。区别在于:RequestTypeCert和 不是PKCS10,并且它没有RequestAttributes部分。此配置没有失败NTE_PROV_TYPE_NOT_DEF

什么原因导致我的子 CA 配置突然失败?

答案1

您必须添加:

KeySpec=0

NewRequest部分。certreq 默认为,AT_EXCHANGE而 CNG 提供商不支持 KeySpec。

只是出于好奇,为什么您不使用 ADCS CA 安装向导来生成 CA 请求?

相关内容