Signing an externally generated CSR with AD CS standalone

Arnaud_Synetis 1 Reputation point
2020-08-11T14:59:21.69+00:00

Hi,
I am currently facing a quite blocking issue regarding the signature of a CSR emitted by a non-Microsoft PKI (EJBCA Community in my case) with a Root CA on AD CS (standalone version).
What we want to do is to create a Sub-CA in EJBCA (the client wants a hybrid PKI with one subCA on AD CS and one on EJBCA).
Our procedure is the following:

  • Creating a CSR on EJBCA (keys generated there)
  • Signing it using our Root CA
  • Importing the certificate on EJBCA

So far, we are able to sign the CSR and create a certificate.
However, we are not able to specify the parameters we want; they are being overwritten by AD CS without any possibility of configuration.
In particular, we want to fix the basic constraints to “SubCA” (with a path length constraint of 0), in order for that CA to sign other certificates.
Given that it is not possible to use certificate templates with the standalone version, how could we proceed to sign the CSR while taking into account the parameters that we want?
I saw that it can be possible to submit custom requests by creating some kind of custom templates (.inf files) with certreq.exe. However, all the cases I saw online implied that a key pair had to be created in AD CS, which is not suitable for us.
I couldn’t find any documentation on how to proceed in order to use a pre-existing CSR (that includes keys that are already generated on EJBCA).
Could you please help me in figuring out how to proceed?
Thanks very much in advance,
Regards,
Arnaud

4 answers

  1. Daisy Zhou 24,981 Reputation points Microsoft Vendor
    2020-08-12T04:13:49.507+00:00

    Hello ArnaudSynetis-3880,

    Thank you for posting here.

    I am sorry, we are only familiar with Windows CA (with the AD CS role), and we are not familiar with other third-party CAs (such as the EJBCA sub CA you mentioned).

    However, I will try my best to help you. To further narrow down our issue, we would like to get more detailed information. Would you please help to collect the following information:

    1. Based on the description above, I understand we have a standalone root CA, and now we want to add an AD CS sub CA and an EJBCA sub CA (we have done it, but it is not the sub CA that we want, because the information related to the parameters is not what we want: the value of Basic Constraints of your EJBCA sub CA is 0). Is that right?
    2. Based on "we are not able to specify the parameters we want, they are being overwritten by AD CS without any possibility of configuration.", what parameter do you mean? Do you mean they are overwritten by the standalone root CA?
    3. What is the value of Basic Constraints of your root CA?

    Meanwhile, based on my understanding:

    1. If the value of Basic Constraints of your root CA is 0, a pathLenConstraint of 0 does still allow the CA to issue certificates, but these certificates must be end-entity certificates (I mean the EJBCA sub CA must be an end-entity certificate; the EJBCA sub CA cannot issue certificates).

    2. After viewing the Basic Constraints in my lab (one offline root CA and one online sub CA), by default Basic Constraints = None on both the offline root CA and the online sub CA.

    We see that the subject type is set to CA and there is no defined path length constraint. It means that unlimited certificates are allowed in the certificate chain below the current CA certificate.

    (attached screenshot: 17161-chain1.png)

    3. Usually, if it is a Windows sub CA, we can define Basic Constraints in the CAPolicy.inf file as below (for example), then deploy this Windows sub CA.

    [Version]
    Signature="$Windows NT$"

    [PolicyStatementExtension]
    Policies=InternalPolicy

    [InternalPolicy]
    OID= 1.2.3.4.1455.67.89.5
    URL=http://pki.fabrikam.com/cps.txt

    [Certsrv_Server]
    RenewalKeyLength=2048
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=10
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithm=0

    [BasicConstraintsExtension]
    PathLength=1
    Critical=Yes

    4. If the value of Basic Constraints of your root CA is None, it is recommended to consult EJBCA engineers on whether there is another way to issue the EJBCA sub CA certificate from the Windows standalone root CA.

    References:
    AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
    https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

    Constraints: what they are and how they’re used
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/constraints-what-they-are-and-how-they-amp-8217-re-used/ba-p/1129048

    Thank you for your understanding and support.

    Best Regards,
    Daisy Zhou


  2. Arnaud_Synetis 1 Reputation point
    2020-08-13T11:28:41.78+00:00

    Hi, thanks for your quick and thorough reply. Please find attached screen captures of the 3 certificates (Root, SubCA Windows and SubCA EJBCA).

    Regarding your questions:

    1. Yes, correct. Both CAs have been generated, but the SubCA on AD CS (this instance for the SubCA is not standalone but Enterprise) was actually generated properly; you can also see on the screen capture that it has used the "SubCA" template. Our priority now is to generate a correct SubCA for EJBCA, while taking into account that we do NOT want to regenerate a new set of keys (already generated within an HSM).
    2. What I mean is that when we create the CSR in EJBCA, we specify (among other things) that basic constraints are "Path Length = 0" (certificates generated by this CA cannot emit new certs) and Critical=true. But I assume this information is not included in CSRs (couldn't find the information), which would explain that it is not being taken into account. Therefore, we need a way to specify these settings explicitly when submitting the CSR for signature.
    3. As shown on the screenshot, the RootCA has "None" as PathLengthConstraint.

    We thought about another solution, which would be to switch temporarily the Root CA into Enterprise mode, before switching it back to standalone. Could that be possible without interfering with the pre-existing certificates?

    Thank you for your reply

    (attached screenshots: 17455-subca-ejbca.png, 17365-subcca-microsoft.png, 17456-root.png)
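Two points in this thread can be checked mechanically rather than guessed at: whether a PKCS#10 CSR actually carries a Basic Constraints extension (it can, inside the PKCS#9 extensionRequest attribute, OID 1.2.840.113549.1.9.14), and what a pathLenConstraint of 0 or None on each CA in the chain permits below it. The following Python is an added example written for this page; it is not code from the thread, from EJBCA or from AD CS. It uses only the standard library: a small DER encoder builds a constructed CSR shell (placeholder key and signature bytes, so it is not a real signed request), a DER walker extracts the requested Basic Constraints, and `may_issue_ca_cert` applies the RFC 5280 path-length rule to a list of constraints such as `[None, 0]` (root with no constraint, sub CA with pathLen 0).

```python
"""Show how a PKCS#10 CSR carries Basic Constraints, and what pathLenConstraint allows."""

EXT_REQ_OID = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest attribute
BASIC_CONSTRAINTS_OID = "2.5.29.19"      # id-ce-basicConstraints


# --- minimal DER encoder (only what the constructed CSR needs) ---------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def der_int(n):  # non-negative integers only
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_csr(common_name, ca, path_len, critical=True, include_bc=True):
    """Constructed PKCS#10 shell (placeholder key and signature bytes) whose
    extensionRequest attribute carries Basic Constraints, as a CA CSR would."""
    subject = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, common_name.encode()))))
    spki = tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, bytes(17)))
    bc = (tlv(0x01, b"\xff") if ca else b"") + (der_int(path_len) if path_len is not None else b"")
    ext = tlv(0x30, der_oid(BASIC_CONSTRAINTS_OID)
              + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, tlv(0x30, bc)))
    attr = tlv(0x30, der_oid(EXT_REQ_OID) + tlv(0x31, tlv(0x30, ext)))
    cri = tlv(0x30, der_int(0) + subject + spki + tlv(0xA0, attr if include_bc else b""))
    sig_alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    return tlv(0x30, cri + sig_alg + tlv(0x03, bytes(17)))  # placeholder signature


# --- minimal DER walker ------------------------------------------------------
def der_read(data, pos=0):
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln


def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out


def oid_decode(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def find_basic_constraints(csr_der):
    """Return {'ca', 'path_len', 'critical'} for the Basic Constraints extension
    requested in the CSR, or None if the CSR does not request one."""
    _, request, _ = der_read(csr_der)
    _, cert_req_info = der_children(request)[0]
    for tag, body in der_children(cert_req_info):
        if tag != 0xA0:                              # [0] attributes
            continue
        for _, attribute in der_children(body):
            attr_oid, values = der_children(attribute)[:2]
            if oid_decode(attr_oid[1]) != EXT_REQ_OID:
                continue
            _, extensions = der_children(values[1])[0]   # SET holds one Extensions SEQUENCE
            for _, extension in der_children(extensions):
                fields = der_children(extension)
                if oid_decode(fields[0][1]) != BASIC_CONSTRAINTS_OID:
                    continue
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                _, bc_body = der_children(fields[-1][1])[0]  # OCTET STRING wraps a SEQUENCE
                ca, path_len = False, None
                for t, v in der_children(bc_body):
                    if t == 0x01:
                        ca = v == b"\xff"
                    elif t == 0x02:
                        path_len = int.from_bytes(v, "big")
                return {"ca": ca, "path_len": path_len, "critical": critical}
    return None


def may_issue_ca_cert(path_lens):
    """path_lens: pathLenConstraint of each CA from the root down to the CA that wants
    to issue a further CA certificate (None = no constraint). A pathLenConstraint of p
    allows at most p further CA certificates below that CA (RFC 5280, 4.2.1.9)."""
    for depth, p in enumerate(path_lens):
        cas_below = len(path_lens) - 1 - depth
        if p is not None and cas_below + 1 > p:
            return False
    return True


if __name__ == "__main__":
    csr = build_csr("EJBCA Sub CA", ca=True, path_len=0)
    print(find_basic_constraints(csr))          # {'ca': True, 'path_len': 0, 'critical': True}
    print(may_issue_ca_cert([None, 0]))         # False: the sub CA may only issue end-entity certs
```

Running `find_basic_constraints` over the DER of the real EJBCA request (decode the PEM with `base64` first) tells you whether the extension is present before you submit it; if it is, the remaining question is whether the issuing CA honours requested extensions, which is a CA-side policy setting rather than a property of the CSR.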


  3. Daisy Zhou 24,981 Reputation points Microsoft Vendor
    2020-08-14T04:05:50.287+00:00

    Hello @Arnaud_Synetis ,

    Thank you for your update.

    The procedure below will generate an end-entity certificate (not a CA certificate), because we did not define that it is a CA (such as an enterprise CA) or its CA type (such as Subordinate CA).
    (attached screenshot: 17507-sub1.png)

    After my research, we can refer to the similar case below to see if it helps (he also absolutely needs an EJBCA SubCA, not an EJBCA End Entity; the difference is that his root CA is an EJBCA RootCA instead of a Microsoft root CA).

    EJBCA RootCA signing external EJBCA SubCA
    https://sourceforge.net/p/ejbca/discussion/123122/thread/54a0a8b7/

    Also this link below (set up EJBCA RootCA and EJBCA SubCA)

    Setting-up EJBCA as Certification Authority
    https://wiki.majic.rs/FreeSoftwareX509Cookbook/x509_infrastructure/certification_authority/setting-up_ejbca_as_certification_authority/

    Signing an External CA
    https://download.primekey.se/docs/EJBCA-Enterprise/7_0_0/Signing_an_External_CA.html

    I am sorry, all I found is how to set up a two-tier CA with an EJBCA RootCA and an EJBCA SubCA (not a Windows RootCA and an EJBCA SubCA).

    Best Regards,
    Daisy Zhou


  4. Karan SACHDEVA 1 Reputation point
    2020-08-24T04:47:09.31+00:00

    @Arnaud_Synetis Were you able to resolve this issue? It seems like we are facing the same issue.
