Can I sign a CSR with my CA without any templates? Windows Server 2019

Anonymous
2024-07-01T05:26:36+00:00

Currently on Windows Server 2019 (I'm a newbie)

I've created certificate templates, but there are some parameters that I can't seem to get right.

Because of that, I created a new CSR via the MMC without using any templates. I'm trying to get my CA to sign it, but it forces me to choose a template regardless. I've tried some solutions online, like using "certreq -attrib" and the web enrollment service, but for both these methods, I still need to choose a template in order for my CA to sign it. Is there even a way I can sign a CSR without a template?

Windows server 2019

ADCS - Root CA


This question was migrated from the Microsoft Support Community.

Accepted answer
  1. Anonymous
    2024-07-03T02:13:47+00:00

    Hi whye keat foo,

    Have a nice day!

    If you create a customized certificate signing request (CSR) that does not meet the requirements of your certificate template, typically the CA overrides the template's settings when issuing certificates to ensure that the certificates issued comply with the policies and restrictions defined in the template.

    In your case, your example certificate uses an ECC key and the public key parameter is ECDH348 and requires both key agreement and key encryption usage to be included. However, the template you created does not allow such a combination.

    Best regards

    Neuvi Jiang


2 additional answers

  1. Anonymous
    2024-07-01T06:56:12+00:00

    Hi whye keat foo,

    Thank you for posting in the Microsoft Community Forums.

    While Windows Server 2019 can interact with a CA to sign CSRs, an appropriate certificate template is usually required.

    You might consider creating a new certificate template.

    To copy or create a new template:

    In the console, right-click Certificate Templates, select New, and then select Certificate Template to Issue.

    General tab:

    Specify a display name and description for the new template.

    Set the template's expiration date and renewal interval (if applicable).

    Compatibility tab:

    Ensure that the new template is compatible with your client and server by selecting the supported operating system versions.

    Request Handling tab:

    Configure private key export and certificate issuance policies as needed.

    Subject Name tab:

    Select how the subject name of the certificate will be generated.

    Extensions tab:

    Configure the required extensions to the certificate, such as key usage, application policies, etc.

    Security tab:

    Specify which users and groups can request, read, manage, and issue certificates for this template.

    1. Save and close the template

    After completing all configurations, click OK to save the new template.

    Close the Certificate Templates console.

    1. Add the new template to the Certificate Authority

    Best regards

    Neuvi Jiang

  2. Anonymous
    2024-07-02T03:17:35+00:00

    Hi Neuvi! Thank you so much for your reply. I have tried creating my own template!

    May I ask if it is possible to have, under key usage, both key agreement & key encipherment? I am referring to an example certificate that I am trying to replicate.

    In the example certificate, the public key in use is ECC and the public key parameter is ECDH348. Under the key usage, it contains both key agreement and key encipherment.

    The templates that I have created are not allowing me to do this. I have checked online and I understand there is a conflict where ECDH is a key agreement protocol and not a key encipherment protocol. But is there a way I can force this behaviour so that I can replicate the cert?

    I have tried a custom CSR which allows me to set the parameters I want; however, if I try to get my CA to sign it, it will override the parameters with a mandatory template. May I ask if there is a way to replicate my example template?

    Thanks!

    Whye keat
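
To see which key usage bits a template changed, compare what the CSR asked for with what the issued certificate actually carries. The PowerShell below is an added example, not part of the original thread; the function names, the file name `issued.cer` and the sample flag values are assumptions constructed for illustration.

```powershell
# Added example: function names, issued.cer and the sample values are assumptions.
$KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Get-IssuedKeyUsage {
    # Returns the Key Usage flags of a certificate file (None if the extension is absent).
    param([Parameter(Mandatory)][string]$Path)
    # .NET resolves relative paths against the process directory, so resolve first.
    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    $ext  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    }
    if ($ext) { $ext.KeyUsages } else { $KU::None }
}

function Compare-KeyUsage {
    # Reports the bits the CA removed from, or added to, the requested Key Usage.
    param(
        [Parameter(Mandatory)][int]$Requested,
        [Parameter(Mandatory)][int]$Issued
    )
    [pscustomobject]@{
        Requested = $Requested -as $KU
        Issued    = $Issued -as $KU
        Dropped   = ($Requested -band (-bnot $Issued)) -as $KU
        Added     = ($Issued -band (-bnot $Requested)) -as $KU
    }
}

# Constructed sample: the CSR asked for keyAgreement + keyEncipherment and the
# template-issued certificate came back with keyAgreement only.
$requested = $KU::KeyAgreement -bor $KU::KeyEncipherment
$issued    = $KU::KeyAgreement
Compare-KeyUsage -Requested $requested -Issued $issued | Format-List

# Against a real certificate file returned by the CA (path is a placeholder):
# Compare-KeyUsage -Requested $requested -Issued (Get-IssuedKeyUsage .\issued.cer)
```

A non-empty `Dropped` or `Added` value means the template, not the CSR, decided the final key usage.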
