CES - certificate template definition in MS-WSTEP

  • Question

  • We are implementing a service on the Linux platform for issuing certificates using CES (Certificate Enrollment Web Services), which forwards certificate requests to the authority (Enterprise CA). The problem is that the certificate requests do not contain any information about the template which should be used for issuing. The template name must be explicitly defined by the service we provide.

    We have tried to create a SignedData envelope and include the template name as a PKCS#7 attribute; however, it did not help.
    Is it possible to define CertificateTemplate explicitly in the MS-WSTEP protocol, or is there any way to ensure that the CA will get the template name which should be used?

    Monday, October 26, 2015 10:16 AM

Answers

  • Final resolution:

    The following resolution was sent to customer:

    You can add a single name-value pair to the authenticated attributes associated with the PKCS#7 signature: #define szOID_ENROLLMENT_NAME_VALUE_PAIR "1.3.6.1.4.1.311.13.2.1"

    The attribute value should be ASN.1 encoded as a SEQUENCE of two UTF8 strings, name string first (“CertificateTemplate”), and the value string second (the template name or ObjectId)


    Regards, Obaid Farooqi


    Friday, November 20, 2015 12:36 AM
    Owner
  • We found the solution in creating a PKCS#7 (SignedData) with a CMC request inside. This CMC message contains the original PKCS#10 request and CMC extensions (OID 1.3.6.1.5.5.7.7.8) with the CertificateTemplate definition (OID 1.3.6.1.4.1.311.20.2). Only then is this request correctly processed by the certification authority.

    Sample:

    PKCS7/CMS Message:
      CMSG_SIGNED(2)
      CMSG_SIGNED_DATA_CMS_VERSION(3)
      Content Type: 1.3.6.1.5.5.7.12.2 CMC Data

    PKCS7 Message Content:
    ================ Begin Nesting Level 1 ================
    CMS Certificate Request:
    Tagged Attributes: 1

      Body Part Id: 3
      1.3.6.1.5.5.7.7.8 CMC Extensions
      Value[0]:
        Data Reference: 0
        Cert Reference[0]: 1
      Extensions: 1
        1.3.6.1.4.1.311.20.2: Flags = 0, Length = a
        Certificate Template Name (Certificate Type)
            TEST

    Tagged Requests: 1
      CMC_TAGGED_CERT_REQUEST_CHOICE:
      Body Part Id: 1
    ================ Begin Nesting Level 2 ================
    Element 0:
    PKCS10 Certificate Request:

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxx PKCS10 data xxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ----------------  End Nesting Level 2  ----------------

    Tagged Content Info: 0
    Tagged Other Messages: 0
    ----------------  End Nesting Level 1  ----------------

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxx other PKCS7 data xxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    • Marked as answer by Fremen1983 Tuesday, December 15, 2015 7:47 AM
    Tuesday, December 15, 2015 7:47 AM
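    The two encodings discussed in this thread, Microsoft's szOID_ENROLLMENT_NAME_VALUE_PAIR attribute value and the CMC PKIData shown in the certutil dump above, as an added example (not code from Fremen1983, Microsoft or any project mentioned here). It is stdlib-only Python: the DER is written by hand so the bytes can be compared against the dump, and a tiny DER reader verifies the result. Helper names (build_pki_data, extract_template, etc.) are mine; the body-part ids (request 1, control 3, certReferences 1, pkiDataReference 0) are copied from the dump; the stand-in CSR in the main block is constructed, not a real request. The template name is encoded as a BMPString because that is what MS-WCCE specifies for szOID_ENROLL_CERTTYPE_EXTENSION and for both fields of EnrollmentNameValuePair (2.2.2.7.10), and it agrees with the dump: "TEST" as a BMPString TLV is exactly the 10 (0xa) bytes certutil reports. The outer CMS SignedData and the WS-Trust envelope are not built here (signing needs the service's key); see the note after the code.

```python
"""Assemble an RFC 5272 CMC PKIData around an untouched PKCS#10 and add the Microsoft
template extension through an AddExtensions control.  Stdlib only, DER written by hand."""

# OIDs named in the thread (RFC 5272 / MS-WCCE)
OID_ADD_EXTENSIONS = "1.3.6.1.5.5.7.7.8"       # id-cmc-addExtensions ("CMC Extensions" in certutil)
OID_ENROLL_CERTTYPE = "1.3.6.1.4.1.311.20.2"    # szOID_ENROLL_CERTTYPE_EXTENSION (template name)
OID_NAME_VALUE_PAIR = "1.3.6.1.4.1.311.13.2.1"  # szOID_ENROLLMENT_NAME_VALUE_PAIR
OID_CT_PKIDATA = "1.3.6.1.5.5.7.12.2"          # id-cct-PKIData: eContentType of the outer SignedData


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_int(v: int) -> bytes:             # non-negative INTEGER, minimal encoding
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                  # base-128, high bit set on every octet but the last
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def der_seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))


def der_bmp(s: str) -> bytes:             # BMPString (UCS-2 BE), what Windows uses for template names
    return tlv(0x1E, s.encode("utf-16-be"))


def template_extension(template: str) -> bytes:
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    # 'critical' is omitted (DER never encodes a DEFAULT value); certutil prints that as Flags = 0.
    return der_seq(der_oid(OID_ENROLL_CERTTYPE), tlv(0x04, der_bmp(template)))


def add_extensions_control(body_part_id, pki_data_ref, cert_refs, extensions) -> bytes:
    # TaggedAttribute ::= SEQUENCE { bodyPartID, attrType OID, attrValues SET OF AttributeValue }
    # AddExtensions ::= SEQUENCE { pkiDataReference, certReferences SEQUENCE OF BodyPartID, extensions }
    add_ext = der_seq(der_int(pki_data_ref), der_seq(*map(der_int, cert_refs)), der_seq(*extensions))
    return der_seq(der_int(body_part_id), der_oid(OID_ADD_EXTENSIONS), tlv(0x31, add_ext))


def tagged_cert_request(body_part_id: int, csr_der: bytes) -> bytes:
    # TaggedRequest ::= CHOICE { tcr [0] IMPLICIT TaggedCertificationRequest, ... }
    # The PKCS#10 bytes go in verbatim, so the requester's own signature over them stays valid.
    if not csr_der or csr_der[0] != 0x30:
        raise ValueError("csr_der must be a DER-encoded PKCS#10 CertificationRequest")
    return tlv(0xA0, der_int(body_part_id) + csr_der)


def build_pki_data(csr_der: bytes, template: str) -> bytes:
    # PKIData ::= SEQUENCE { controlSequence, reqSequence, cmsSequence, otherMsgSequence }
    # Body-part ids follow the dump: request = 1, control = 3, certReferences -> 1, pkiDataReference = 0
    control = add_extensions_control(3, 0, [1], [template_extension(template)])
    return der_seq(der_seq(control), der_seq(tagged_cert_request(1, csr_der)), der_seq(), der_seq())


def enrollment_name_value_pair(name: str, value: str) -> bytes:
    # Value of the szOID_ENROLLMENT_NAME_VALUE_PAIR signed attribute (Microsoft's first suggestion);
    # MS-WCCE 2.2.2.7.10: EnrollmentNameValuePair ::= SEQUENCE { name BMPSTRING, value BMPSTRING }
    return der_seq(der_bmp(name), der_bmp(value))


def der_children(content: bytes) -> list:
    """Split a constructed DER body into (tag, content) pairs; used to check what we built."""
    out, pos = [], 0
    while pos < len(content):
        tag, ln, pos = content[pos], content[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(content[pos:pos + n], "big"), pos + n
        out.append((tag, content[pos:pos + ln]))
        pos += ln
    return out


def extract_template(pki_data: bytes):
    """Return the template name carried by an AddExtensions control in PKIData, or None."""
    control_seq = der_children(der_children(pki_data)[0][1])[0][1]
    for _, ctrl in der_children(control_seq):
        _, attr_type, attr_values = der_children(ctrl)
        if tlv(*attr_type) != der_oid(OID_ADD_EXTENSIONS):
            continue
        (_, add_ext), = der_children(attr_values[1])
        _, _, exts = der_children(add_ext)
        for _, ext in der_children(exts[1]):
            fields = der_children(ext)
            if tlv(*fields[0]) == der_oid(OID_ENROLL_CERTTYPE):
                return der_children(fields[-1][1])[0][1].decode("utf-16-be")
    return None


if __name__ == "__main__":
    # Constructed stand-in for a real DER PKCS#10 (in practice: openssl req -new ... -outform DER)
    fake_csr = der_seq(der_seq(der_int(0)), der_seq(), tlv(0x03, b"\x00"))
    blob = build_pki_data(fake_csr, "TEST")
    print(len(blob), "bytes of PKIData, template =", extract_template(blob))
```

    To get from the PKIData to what the dump shows (CMS SignedData, CMS version 3, content type 1.3.6.1.5.5.7.12.2), the service signs it with its own key; with OpenSSL the equivalent should be along the lines of openssl cms -sign -binary -nodetach -in pkidata.der -signer agent.crt -inkey agent.key -econtent_type 1.3.6.1.5.5.7.12.2 -outform DER -out request.p7 (file names assumed), and the DER output is then base64-encoded into the wsse:BinarySecurityToken of the RequestSecurityToken, as MS-WSTEP 3.1.4.1.3.3 requires. Which certificate the CA accepts as the outer signer is a matter of CA policy and is not settled in this thread, so test it against the target CA before relying on it. The der_children/extract_template check is worth keeping in the service: it confirms, before anything is sent, that the control actually names the intended template and that the embedded PKCS#10 is byte-identical to what the client submitted.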

All replies

  • Hello Fremen1983,
    Thank you for your inquiry about the MS-WSTEP specification. We have created an incident for investigating this issue. One of the Open Specifications team members will contact you shortly.
     
     
    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Monday, October 26, 2015 2:01 PM
    Moderator
  • Hi Fremen1983:

    I'll help you with this issue and will be in touch through this thread as soon as I have an answer.


    Regards, Obaid Farooqi

    Monday, October 26, 2015 8:46 PM
    Owner
  • Hi Fremen1983:

    In MS-WSTEP, in section "3.1.4.1.3.3  wst:RequestSecurityTokenType", it is stated that the

    "wsse:BinarySecurityToken: Provides the DER ASN.1 representation of the certificate request. The
    type of token is defined by the wst:TokenType element. For the X.509v3 enrollment extension the
    wst:TokenType MUST be specified as in section 3.1.4.1.2.8. The certificate request follows the
    formatting from [MS-WCCE] section 2.2.2.6. The EncodingType attribute of the
    wsse:BinarySecurityToken element MUST be set to base64Binary."

    As per the above excerpt, the certificate request is formatted as described in MS-WCCE, section 2.2.2.6.

    MS-WCCE section 2.2.2.6 lists the formats of the certificate request, namely PKCS#10, CMS, Netscape and CMC. The certificate request can contain attributes. The section "2.2.2.7  Certificate Request Attributes" describes the attributes that a client can specify and one of them is szOID_CERTIFICATE_TEMPLATE that you can use to specify the template.

    Please let me know if it does not answer your question.


    Regards, Obaid Farooqi

    Tuesday, October 27, 2015 10:13 PM
    Owner
  • Thank you, I know that when the template name is included in the CSR, everything works well. But as I wrote in my first post: "Template name must be explicitly defined by the service we provide."

    We receive a plain PKCS#10 request from an external client, and that CSR does not contain any extension defining the template name. Our service must ensure that the CSR will be processed by the CA using a specific template.

    We tried to envelope the PKCS#10 into PKCS#7 (CMS), to add the template name as a CMS attribute and to sign this CMS message by our service. However, it did not help, because it seems that the CES service parses the CMS and sends the plain PKCS#10 (without the template name) to the CA to process. The CA then returns an error that CertificateTemplate was not defined.

    Thursday, October 29, 2015 7:20 AM
  • Hi Fremen1983:

    I was wondering what kind of clients these are. Are these machines running Windows? Also, I am trying to understand your setup. Can you please explain and provide a little more detail? From your original message, it looked like you have three nodes: client, CES and CA. Now it appears that you have four nodes: client, your CES, another CES and CA. Which of these are running Windows, and what version?


    Regards, Obaid Farooqi

    Thursday, October 29, 2015 8:00 PM
    Owner
  • Thank you for your reply.

    I suppose it does not matter what platform is used; it all runs on well-known protocols and PKCS formats. The CES server and Enterprise CA are of course Microsoft products.

    There is:

    - an external client (first node) which sends a CSR (plain PKCS#10)

    - our proprietary service (second node) which receives that CSR and processes it (this node does a lot more work when communicating with the client)

    - CES server (third node) which communicates with the second node over the MS-WSTEP protocol and sends requests to the CA

    - Enterprise CA (fourth node) which issues the certificate and sends it back

    The template name used to issue the certificate must be defined by the second node.


    • Edited by Fremen1983 Friday, October 30, 2015 5:53 AM typo in protocol name
    Friday, October 30, 2015 5:52 AM
  • Hi Fremen1983:

    Thanks for the explanation. So your service is the client of MS-WSTEP. From your description, it also appears that you know the template name.

    I have one more question. Is it not possible to parse the PKCS#10 request from your clients, add the template name in a new PKCS#10 and send that to CES?


    Regards, Obaid Farooqi

    Monday, November 2, 2015 5:17 PM
    Owner
  • Well, if our service modifies the original PKCS#10, the signature of that CSR will not be valid anymore, and I suppose that the CA will refuse it.

    That's why we have tried to envelope the original PKCS#10 into PKCS#7, as I stated in my first post, with no luck.

    Tuesday, November 3, 2015 6:19 AM
  • Like I said in another thread ( https://social.technet.microsoft.com/Forums/en-US/026d3e8c-21ba-4290-8f3a-57738e1350d2/ces-certificate-template-definition-in-mswstep?forum=winserversecurity ), enveloping in PKCS#7 won't help:

    Wrapping the PKCS#10 request in PKCS#7 doesn't help either, because the CA uses only the embedded PKCS#10 request to construct the certificate. The rest of the PKCS#7 data is used only in special scenarios (for example, certificate renewal, enrollment on behalf of, etc.) and is used to validate this operation.

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Tuesday, November 3, 2015 6:49 AM
  • Hi Fremen1983:

    I am looking into it and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi

    Wednesday, November 4, 2015 1:42 AM
    Owner
  • Hi Fremen1983:

    Can you please let me know the details of the Windows versions on CES/DA/CA. Also, can you please send me the unencrypted base64-encoded request that you are sending to CES. You can send this info to dochelp at Microsoft dot com to my attention.


    Regards, Obaid Farooqi


    Monday, November 9, 2015 5:55 PM
    Owner
  • Forum update:

    I am working with this customer offline via email. Once a resolution is reached, I'll update this forum with the solution.


    Regards, Obaid Farooqi

    Monday, November 16, 2015 5:07 PM
    Owner