Windows 8.1 MDM - Usage of Template Name in SCEP certificateRequest

  • Question

  • When I send the Template Name as one of the valid template names other than the one configured in the registry (HKLM\Software\Microsoft\Cryptography\MSCEP), the CA rejects the request saying Template Mismatch. How should I be using this Template Name field in the Certificate Request for getting the Client certificate through SyncML?

    As per the NDES whitepaper,

    The template will be based on the KeyUsage extension.
    • 0x80: Uses the template name identified in the “SignatureTemplate” registry key
    • 0x20: Uses the template name identified in the “EncryptionTemplate” registry key.
    • 0xa0: Uses the template name identified in the “GeneralPurposeTemplate” registry key.


    Below is the sample provided in the document, where the template name is given as SMS_ClientCopy.

    <Add>
      <CmdID>20</CmdID>
      <Item>
        <Target>
          <LocURI> ./cimv2/MDM_CertificateEnrollment.RequestID="e74ae2c3-50b8-4036-a51e-604cbffdea3b",StoreLocation="1",EnhancedKeyUsages="1.3.6.1.5.5.7.3.2",Issuers="CN=CertificateAuthority" </LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">xml</Format>
          <Type xmlns="syncml:metinf">text/plain</Type>
        </Meta>
        <Data>
          <CertificateRequest>
            <ConfigurationParameters xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2012/03/07/CertificateEnrollment/ConfigurationParameters">
              <ExpirationThreshold>20</ExpirationThreshold>
              <RetryCount>1</RetryCount>
              <RetryDelay>1</RetryDelay>
              <TemplateName>SMS_ClientCopy</TemplateName>
              <KeyStorageProviderSetting>2</KeyStorageProviderSetting>
              <KeyUsage>160</KeyUsage>
              <KeyLength>1024</KeyLength>
              <HashAlgorithms>
                <HashAlgorithm>SHA-1</HashAlgorithm>
              </HashAlgorithms>
              <CAThumbprint>6429CC067E892A2E63A53A9A332CE5DB1B04F82C</CAThumbprint>
              <ValidityPeriod>1</ValidityPeriod>
              <ValidityPeriodUnit>Years</ValidityPeriodUnit>
              <EKUMapping>
                <EKUMap>
                  <EKUName>Client Authentication</EKUName>
                  <EKUOID>1.3.6.1.5.5.7.3.2</EKUOID>
                </EKUMap>
              </EKUMapping>
            </ConfigurationParameters>
            <RequestParameters>
              <CertificateRequestToken>...</CertificateRequestToken>
              <SubjectName>CN=User</SubjectName>
              <SubjectAlternativeName>
                <SANs>
                  <SAN NameFormat="33554432" AltNameType="11" OID="1.3.6.1.4.1.311.20.2.3">User@certmgmt.contoso.com</SAN>
                </SANs>
              </SubjectAlternativeName>
              <NDESUrl>http://ndes7.contoso.com/certsrv/mscep/mscep.dll</NDESUrl>
            </RequestParameters>
          </CertificateRequest>
        </Data>
      </Item>
    </Add>

    Monday, June 16, 2014 6:53 AM
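The rule quoted from the NDES whitepaper can be made concrete: NDES picks the template from whichever MSCEP registry value the request's KeyUsage bits name, so the TemplateName element in the SyncML payload is not what decides the template. The script below is an added example, not code from the original post or from Microsoft. It parses a SyncML CertificateRequest (the post's own sample, trimmed to the elements read here), maps the KeyUsage value to the registry value name (SignatureTemplate, EncryptionTemplate or GeneralPurposeTemplate), and reports whether the TemplateName the client sent agrees with the template that registry value holds. The registry contents are a constructed in-memory sample; the value name "NDES_SignatureOnly" is invented for illustration.

```python
"""Which NDES template does a SyncML SCEP CertificateRequest actually select?

Added example, not from the original post.  Applies the whitepaper rule:
NDES consults the MSCEP registry value named by the KeyUsage bits, not the
TemplateName element.  Registry values are modelled as a dict with constructed
sample contents.
"""
import xml.etree.ElementTree as ET

# X.509 KeyUsage bits as encoded in the <KeyUsage> element (decimal 160 == 0xa0).
KU_DIGITAL_SIGNATURE = 0x80
KU_KEY_ENCIPHERMENT = 0x20

# KeyUsage selector -> value name under HKLM\Software\Microsoft\Cryptography\MSCEP
NDES_TEMPLATE_VALUE = {
    KU_DIGITAL_SIGNATURE: "SignatureTemplate",
    KU_KEY_ENCIPHERMENT: "EncryptionTemplate",
    KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT: "GeneralPurposeTemplate",
}

CP_NS = ("http://schemas.microsoft.com/SystemCenterConfigurationManager"
         "/2012/03/07/CertificateEnrollment/ConfigurationParameters")

# Constructed sample of the three MSCEP registry values on an NDES server.
# "NDES_SignatureOnly" is an invented template name used only for illustration.
SAMPLE_MSCEP_REGISTRY = {
    "SignatureTemplate": "NDES_SignatureOnly",
    "EncryptionTemplate": "SMS_ClientCopy",
    "GeneralPurposeTemplate": "SMS_ClientCopy",
}

# The post's sample request, trimmed to the elements this script reads.
SAMPLE_REQUEST = """<Add>
  <CmdID>20</CmdID>
  <Item>
    <Data>
      <CertificateRequest>
        <ConfigurationParameters xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2012/03/07/CertificateEnrollment/ConfigurationParameters">
          <TemplateName>SMS_ClientCopy</TemplateName>
          <KeyStorageProviderSetting>2</KeyStorageProviderSetting>
          <KeyUsage>160</KeyUsage>
          <KeyLength>1024</KeyLength>
        </ConfigurationParameters>
        <RequestParameters>
          <SubjectName>CN=User</SubjectName>
          <NDESUrl>http://ndes7.contoso.com/certsrv/mscep/mscep.dll</NDESUrl>
        </RequestParameters>
      </CertificateRequest>
    </Data>
  </Item>
</Add>
"""


def ndes_template_value(key_usage: int) -> str:
    """Name of the MSCEP registry value NDES reads for this KeyUsage."""
    selector = key_usage & (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT)
    if selector not in NDES_TEMPLATE_VALUE:
        raise ValueError(
            f"KeyUsage 0x{key_usage:02x} sets neither digitalSignature nor keyEncipherment")
    return NDES_TEMPLATE_VALUE[selector]


def parse_certificate_request(syncml: str) -> dict:
    """Pull TemplateName and KeyUsage out of the ConfigurationParameters element."""
    root = ET.fromstring(syncml)
    params = root.find(f".//{{{CP_NS}}}ConfigurationParameters")
    if params is None:
        raise ValueError("no ConfigurationParameters element in request")
    return {
        "template_name": params.findtext(f"{{{CP_NS}}}TemplateName"),
        "key_usage": int(params.findtext(f"{{{CP_NS}}}KeyUsage")),
    }


def check_template_selection(syncml: str, mscep_registry: dict) -> dict:
    """Compare the client's TemplateName with the template NDES will actually use."""
    req = parse_certificate_request(syncml)
    value_name = ndes_template_value(req["key_usage"])
    effective = mscep_registry[value_name]
    return {
        "requested_template": req["template_name"],
        "key_usage": req["key_usage"],
        "registry_value": value_name,
        "effective_template": effective,
        "matches": effective == req["template_name"],
    }


if __name__ == "__main__":
    for label, request in (
        ("sample (KeyUsage 160)", SAMPLE_REQUEST),
        ("signature only (KeyUsage 128)",
         SAMPLE_REQUEST.replace("<KeyUsage>160</KeyUsage>", "<KeyUsage>128</KeyUsage>")),
    ):
        print(label, check_template_selection(request, SAMPLE_MSCEP_REGISTRY))
```

With the sample as posted, KeyUsage 160 (0xa0) resolves to GeneralPurposeTemplate; the second run keeps TemplateName as SMS_ClientCopy but changes KeyUsage to 128 (0x80), which resolves to SignatureTemplate and no longer agrees with the requested name. Checking a request this way against the server's real MSCEP values before sending it makes clear which side of the mismatch has to change.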
