The IX509CertificateRequestPkcs10 InitializeFromTemplateName adventure

This week has been researches, tests and headaches to be able to make request on a Certificate Authority server from a web application.

My client has a Win server 2008 CA server for my developments

On this server I have a certificate template named “User Template”

Certificate_server_templates

My assignment was to request a certificate via an ASP.NET application.

After researches on how to do that, I found this blog post that helped me a lot : http://blogs.msdn.com/alejacma/archive/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c.aspx

In my development environment, I create a request for a certificate by using  this code

 CERTENROLLLib.CX509CertificateRequestPkcs10Class request = new CERTENROLLLib.CX509CertificateRequestPkcs10Class();
 string templateName = "User Template";
 try
 {
    request.InitializeFromTemplateName(CERTENROLLLib.X509CertificateEnrollmentContext.ContextUser, templateName);
 }
 catch (Exception ex)
 {
   log.DebugFormat("Error InitializeFromTemplateName : message {0}, inner : {1}, stack : {2}, source : {3}, target : {4} ",
    ex.Message,
    ex.InnerException,
    ex.StackTrace,
    ex.Source,
    ex.TargetSite);
 }

And it worked just fine !

Then we moved the published solution to the staging environment, and the problems arrived . . .

It didn’t worked !

The error message said:

“CertEnroll::CX509CertificateRequestPkcs10::InitializeFromTemplateName: The requested certificate template is not supported by this CA. 0×80094800 (-2146875392)”

stack :

“at CERTENROLLLib.CX509CertificateRequestPkcs10Class.InitializeFromTemplateName(X509CertificateEnrollmentContext Context, String strTemplateName)”

cererror

We checked the security everywhere ( CA server, Certificate templates, IIS Account, …), give access to everyone on the CA, on the template, … without any success

Then, after days and hours of search and tests, I decided to re-read the method documentation : http://msdn.microsoft.com/en-us/library/aa377533%28v=VS.85%29.aspx

And I noticed the second parameter description:

strTemplateName [in]
Pointer to a BSTR variable that contains the Common Name (CN) of the template as it appears in Active Directory or the dotted decimal object identifier.

I had never tried using the dotted decimal object identifier, so i give it a shot.

I retrieved the object identifier on a certificate previously created with the “User Template”

On the CA server, I had a certificate request with the template “User Template”, so I right-click on it, go to All Tasks and click on the “View attributes/Extensions. . .” menu item.

image

image

A property windows opened, I go to the Extensions tab and click on the “Certificate Template Information” item.

image

In the information panel, I can see the famous dotted decimal object identifier between brackets.

I copy-paste this identifier in my code :

 CERTENROLLLib.CX509CertificateRequestPkcs10Class request = new CERTENROLLLib.CX509CertificateRequestPkcs10Class();
 string templateName = "1.3.6.1.4.1.311.21.8.3531346.8488945.6374567.164989.5001604.52.12582268.10747996";
 try
 {
    request.InitializeFromTemplateName(CERTENROLLLib.X509CertificateEnrollmentContext.ContextUser, templateName);
 }
 catch (Exception ex)
 {
    log.DebugFormat("Error InitializeFromTemplateName : message {0}, inner : {1}, stack : {2}, source : {3}, target : {4} ",
      ex.Message,
      ex.InnerException,
      ex.StackTrace,
      ex.Source,
      ex.TargetSite);
 }

I compiled, I tried in the development environment and it worked !!

(note: there is just a minimal change in my code since I put the “templateName” in a configuration file in order to be able to modify it)

So we moved the published solution to the staging environment,

retrieve the dotted decimal object identifier corresponding to the “User Template” on the staging CA server,

copy-pasted this identifier in the configuration file,

executed a “IISRESET” command and try to execute the application.

And it worked !

We can’t figured out why it worked in the development environment but not in the staging one while both are equals. So If anyone knows about it, please let me know.

So, don’t trust the template name and use the object identifier !

Incoming search terms:

  • CX509CertificateRequestPkcs10Class
  • ix509
  • InitializeFromTemplateName
  • ix509certificaterequestpkcs10 c#
  • Certenrolllib Template
  • CX509CertificateRequestCmcClass
  • TheIX509CertificateRequestPkcs10InitializeFromTemplateNameadventure
  • cx509certificaterequestpkcs10class msdn
  • CERTENROLLLib X509CertificateEnrollmentContext ContextUser
  • InitializeFromTemplateName certenroll