主页 / server / 问题 / 1088924
Accepted
Daniel
Asked: 2022-01-05 00:47:52 +0800 CST

创建新的 SubCA 证书失败并出现 NTE_PROV_TYPE_NOT_DEF

  • 772

我正在尝试为新的 Windows AD CS Enterprise 从属 CA(Windows Server 2019)手动创建密钥和 CSR。

我想将密钥存储在现代Microsoft Software Key Storage Provider中。

它失败了Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF)

我使用的命令是:certreq.exe -new C:\requestconfig.inf C:\certificate.req

C:\requestconfig.inf文件是这样的:

[Version]
Signature= "$Windows NT$"


[NewRequest]
Subject = "CN=My Subordinate CA"

HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 2048

ProviderName = "Microsoft Software Key Storage Provider"
KeyContainer = "My Subordinate CA"
ExportableEncrypted = true
MachineKeySet = true
RequestType = PKCS10
SuppressDefaults = true
SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)"


[RequestAttributes]
CertificateTemplate = SubCA


[Extensions]
2.5.29.15 = "{critical}{hex}03020186" ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing
2.5.29.19 = "{critical}{text}ca=1&pathlength=1" ; Basic Constraints (critical)
1.3.6.1.4.1.311.21.1 = "{hex}020100" ; CA Version V0.0

故障排除步骤

我通过运行检查了 CSP 是否有效certutil -csplist

[...]
Provider Name: Microsoft Strong Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Software Key Storage Provider

Provider Name: Microsoft Passport Key Storage Provider
[...]

它没有提供程序类型,但尽管如此,我将ProviderType = 0和添加ProviderType = 1到配置中,但无济于事。

我能够使用非常相似的配置来创建我的根证书:

[Version]
Signature= "$Windows NT$"


[NewRequest]
Subject = "CN=My Root CA"

HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 4096
;KeyUsage = CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE

ProviderName = "Microsoft Software Key Storage Provider"
KeyContainer = "My Root CA"
ExportableEncrypted = true
MachineKeySet = true
RequestType = Cert
SuppressDefaults = true
SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)


[Extensions]
2.5.29.15 = {critical}{hex}03020186 ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing
2.5.29.19 = {critical}{text}ca=1&pathlength=None ; Basic Constraints (critical)
1.3.6.1.4.1.311.21.1 = {hex}020100 ; CA Version V0.0

主要区别在于,使用此配置,我创建了一个密钥和证书,而不是密钥和 CSR。区别是:RequestTypeisCert和 not PKCS10,它没有RequestAttributes部分。此配置没有失败NTE_PROV_TYPE_NOT_DEF

是什么导致我的子 CA 的配置突然失败?

windows

0 个回答

  1. Best Answer

    您必须添加:

    KeySpec=0

    NewRequest部分。certreq 默认为AT_EXCHANGECNG 提供程序不支持 KeySpec。

    只是出于好奇,您为什么不使用 ADCS CA 安装向导来生成 CA 请求?

    • 0

相关问题