"Enroll on behalf of" using WCCE

  • Question

  • Hi,

    The WCCE protocol says that to send a request on behalf of a different subject, the request must either be a PKCS10 request wrapped in CMS or a CMS wrapped in CMC. Yet, I was able to get a certificate on behalf of a different subject just by sending a p10 request over WCCE/DCOM.

    Does anyone know if a CA running on Windows 2008 R2 adheres to the WCCE spec completely? Is it possible that the p10 request is automatically wrapped in CMS when I call ICertRequestD::Request(...)?

    thanks

    partheinstein

    Monday, July 18, 2011 10:53 PM

Answers

  • Hi,

    This is to update the thread that we archived this issue, since you were not able to collect the template dump (certutil.exe -dstemplate <template name>).
    We received the dumps of the request and the certificate, but the template data we requested is also needed to proceed with the investigation.
    Please contact us again once you have the opportunity to provide the required data and we will be happy to assist.

    Regards,
    Edgar


    Tuesday, August 2, 2011 9:23 PM
    Moderator
  • Partheinstein was finally able to provide the data we requested. Please see the summary of the resolution as follows.


    Upon investigation of the data, it appears that this is not an Enroll On Behalf Of (EOBO) certificate scenario. The data shows a scenario of auto enrollment with PKCS#10 request format.

    To my knowledge, a CA running on Windows 2008 R2 adheres to the MS-WCCE specification.


    The summary on why this scenario is not an EOBO is as follows.

    The relevant flags in your template are:

        flags = "131642" 0x2023a            CT_FLAG_IS_MODIFIED | CT_FLAG_ADD_TEMPLATE_NAME | CT_FLAG_AUTO_ENROLLMENT | CT_FLAG_EXPORTABLE_KEY | CT_FLAG_PUBLISH_TO_DS | CT_FLAG_ADD_EMAIL

        msPKI-Enrollment-Flag = "9"         CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS

        msPKI-Private-Key-Flag = "16" 0x10  CTPRIVATEKEY_FLAG_EXPORTABLE_KEY

        msPKI-Certificate-Name-Flag = "1"   CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT


    The template is configured to use the subject supplied in the certificate request (ref. MS-WCCE 3.2.2.6.2.1.4.5.9 msPKI-Certificate-Name-Flag). The request Subject is the same as the cert Subject: "CN=freddy".

    Such a template is usually referred to as an offline template because it tells the CA to not use AD for subject information. This is unrelated to EOBO.

    The EOBO proxy process is used when a client uses its credentials and requests a certificate on behalf of another End Entity. MS-WCCE Section 3.1.1.4.3.3 documents the format of certificate requests in EOBO scenario.


    References:

    MS-WCCE

    3.1.1.4.3.1.1   New Certificate Request Using PKCS #10 Request Format

    3.1.2.4.2.2.2.10   Certificate.Template.msPKI-Certificate-Name-Flag

    3.2.2.6.2.1.4.5.9   msPKI-Certificate-Name-Flag

    3.1.1.4.3.3   Enroll on Behalf of Certificate Requests


    MS-CRTD

    2.4   flags Attribute

    2.28   msPKI-Certificate-Name-Flag Attribute


    Regards,

    Edgar


    Thursday, August 11, 2011 4:48 PM
    Moderator
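The resolution above turns on reading the template's flag attributes: msPKI-Certificate-Name-Flag = 1 means the CA takes the subject from the request (an "offline" template), and nothing in msPKI-Enrollment-Flag = 9 permits Enroll On Behalf Of. The following is an added example, not code from this thread or from Microsoft, that decodes certutil -dstemplate style lines such as the ones quoted in the answer and reports what a template audit would want to know: whether the enrollee supplies the subject or SAN, whether EOBO is allowed, and whether manager approval gates issuance. The bit tables are transcribed from MS-CRTD sections 2.4, 2.26, 2.27 and 2.28 as I recall them and should be treated as an assumption to check against the current spec; the sample dump is constructed from the values in the thread, and the function names are my own.

```python
import re
from typing import Dict, List

# Bit definitions as transcribed from MS-CRTD (assumed; verify against the spec).
# Only the bits needed to read a typical dump are listed; unknown bits are
# reported rather than dropped so a truncated table cannot hide a setting.
FLAGS = {                                      # MS-CRTD 2.4 "flags"
    0x00000002: "CT_FLAG_ADD_EMAIL",
    0x00000008: "CT_FLAG_PUBLISH_TO_DS",
    0x00000010: "CT_FLAG_EXPORTABLE_KEY",
    0x00000020: "CT_FLAG_AUTO_ENROLLMENT",
    0x00000040: "CT_FLAG_MACHINE_TYPE",
    0x00000080: "CT_FLAG_IS_CA",
    0x00000200: "CT_FLAG_ADD_TEMPLATE_NAME",
    0x00000800: "CT_FLAG_IS_CROSS_CA",
    0x00010000: "CT_FLAG_IS_DEFAULT",
    0x00020000: "CT_FLAG_IS_MODIFIED",
}
ENROLLMENT_FLAGS = {                           # MS-CRTD 2.26 msPKI-Enrollment-Flag
    0x00000001: "CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS",
    0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",
    0x00000004: "CT_FLAG_PUBLISH_TO_KRA_CONTAINER",
    0x00000008: "CT_FLAG_PUBLISH_TO_DS",
    0x00000010: "CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE",
    0x00000020: "CT_FLAG_AUTO_ENROLLMENT",
    0x00000040: "CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT",
    0x00000100: "CT_FLAG_USER_INTERACTION_REQUIRED",
    0x00000400: "CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE",
    0x00000800: "CT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF",
    0x00001000: "CT_FLAG_ADD_OCSP_NOCHECK",
}
PRIVATE_KEY_FLAGS = {                          # MS-CRTD 2.27 msPKI-Private-Key-Flag
    0x00000001: "CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL",
    0x00000010: "CT_FLAG_EXPORTABLE_KEY",
    0x00000020: "CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED",
    0x00000040: "CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM",
}
NAME_FLAGS = {                                 # MS-CRTD 2.28 msPKI-Certificate-Name-Flag
    0x00000001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x00000008: "CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME",
    0x00010000: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
    0x00400000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS",
    0x00800000: "CT_FLAG_SUBJECT_ALT_REQUIRE_SPN",
    0x01000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID",
    0x02000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_UPN",
    0x04000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL",
    0x08000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS",
    0x10000000: "CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN",
    0x20000000: "CT_FLAG_SUBJECT_REQUIRE_EMAIL",
    0x40000000: "CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME",
    0x80000000: "CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH",
}
ATTRIBUTE_TABLES = {
    "flags": FLAGS,
    "msPKI-Enrollment-Flag": ENROLLMENT_FLAGS,
    "msPKI-Private-Key-Flag": PRIVATE_KEY_FLAGS,
    "msPKI-Certificate-Name-Flag": NAME_FLAGS,
}

# Constructed sample, using the values quoted in the thread's answer.
SAMPLE_DUMP = """
    flags = "131642" 0x2023a
    msPKI-Enrollment-Flag = "9"
    msPKI-Private-Key-Flag = "16" 0x10
    msPKI-Certificate-Name-Flag = "1"
"""

_ATTR_LINE = re.compile(r'^\s*([\w-]+)\s*=\s*"(\d+)"')


def parse_template_dump(text: str) -> Dict[str, int]:
    """Extract the numeric flag attributes from certutil -dstemplate style output."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        m = _ATTR_LINE.match(line)
        if m and m.group(1) in ATTRIBUTE_TABLES:
            values[m.group(1)] = int(m.group(2))
    return values


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the set bits, lowest bit first; bits not in the table are kept as UNKNOWN(0x..)."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    leftover = value & ~known
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def assess_template(values: Dict[str, int]) -> Dict[str, bool]:
    """Audit summary: who controls the name, and what gates issuance."""
    name_flag = values.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = values.get("msPKI-Enrollment-Flag", 0)
    return {
        "enrollee_supplies_subject": bool(name_flag & 0x1),      # "offline" template
        "enrollee_supplies_san": bool(name_flag & 0x10000),
        "allows_eobo": bool(enroll_flag & 0x800),                 # EOBO permitted by template
        "manager_approval_required": bool(enroll_flag & 0x2),    # CT_FLAG_PEND_ALL_REQUESTS
        "autoenrollment": bool(values.get("flags", 0) & 0x20),
    }


if __name__ == "__main__":
    parsed = parse_template_dump(SAMPLE_DUMP)
    for attr, value in parsed.items():
        print(f"{attr} = {value} (0x{value:x}): {' | '.join(decode_flags(value, ATTRIBUTE_TABLES[attr]))}")
    print(assess_template(parsed))
```

Run against the thread's values this reports enrollee_supplies_subject=True and allows_eobo=False, which is the answer's conclusion in two booleans: the CA honoured the subject in the PKCS #10 request because the template told it to, not because an EOBO proxy request was involved. For an audit, feed it the dumps of every published template and review any that combine an enrollee-supplied subject or SAN with autoenrollment and no manager approval.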

All replies

  • Hi Partheinstein:

    I have alerted the protocol documentation team about your inquiry. A member of the team will be in touch soon.


    Regards, Obaid Farooqi
    Monday, July 18, 2011 11:19 PM
    Owner
  • Hi,

    I will investigate this and follow up.

    Thanks,

    Edgar

    Tuesday, July 19, 2011 3:06 PM
    Moderator
  • Hi,

    Can you send following data to: dochelp < at > microsoft < dot > com?

    - a dump of the request;

    - a dump of the certificate;

    - the value of the requestor name in the CA DB.

    Please touch base with me at the above address, and I can work with you on this.

    Regards,

    Edgar

    Friday, July 22, 2011 6:16 PM
    Moderator