SCEP and certificate templates

Discussion in 'Server Security' started by Ioan Herisanu, Jun 11, 2006.

  1. I try to use the following combination:
    Enterprise root CA and the latest SCEP download. I try to enhance the usage of
    certificates by adding Client Authentication to the certificate purposes in a
    version 2 template I created. I made the template after the v1 of
    IPSECIntermediateOffline. I also deleted the IPSECIntermediateOffline
    template from the CA and put my new v2 template in its place (new template to
    issue). I also superseded the v1 original template with this new v2. To make
    sure it works, I put the Everyone group with all rights everywhere I saw fit. Of
    course, this is not a production system, I just lowered this thing as much as I
    could. When I try to request certificates, I get the error in the CA saying that
    "The request was for a certificate template that is not supported by the
    Certificate Services policy: IPSECIntermediateOffline". Indeed, the
    IPSECIntermediateOffline is not allowed to be issued, but I use a
    template that should be used instead of that. I also looked into mscep.dll
    and saw that you are asking specifically for this template,
    IPSECIntermediateOffline. So here are my questions: is what I am doing
    feasible? 2. If I use a stand-alone CA, certificates that I get with this method
    have all intended purposes enabled. When I use an Enterprise root CA,
    they only have a specific purpose. Is there a way to change this or add some
    other OID? (I mean the 1.3.6.1.3.5.5.8.2.2 OID?) I see that certs obtained from a
    stand-alone root CA have e0 (Digital Signature, Non-repudiation, Key
    Encipherment) and those from an Enterprise root CA have a0 (Digital Signature,
    Key Encipherment).
    As I did not find anything yet, I kindly ask you to point me to where I am
    wrong.


    Thank you,
    for your time and patience.
     
    Ioan Herisanu, Jun 11, 2006
    #1
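The e0 and a0 values quoted in the post above are the first byte of the X.509 KeyUsage bit string. The following is an added example, not part of the original post or of any Microsoft tooling: it decodes a DER-encoded KeyUsage value using the RFC 5280 bit names and reports which usages differ between two certificates. The two sample encodings are constructed from the e0 and a0 values in the post, and the function names are hypothetical.

```python
# RFC 5280 KeyUsage names; bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> list:
    """Decode a DER BIT STRING holding a KeyUsage value into usage names."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage is at most 9 bits, so only the short length form is valid here.
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, payload = der[2], der[3:]
    if unused > 7 or payload[-1] & ((1 << unused) - 1):
        raise ValueError("invalid unused-bit count or non-zero padding bits")
    names = []
    for i in range(len(payload) * 8 - unused):
        if payload[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("bit %d is not defined for KeyUsage" % i)
            names.append(KEY_USAGE_BITS[i])
    return names

def key_usage_diff(first: bytes, second: bytes) -> dict:
    """Report usages present in one encoded KeyUsage value but not the other."""
    a, b = set(decode_key_usage(first)), set(decode_key_usage(second))
    return {"only_in_first": sorted(a - b), "only_in_second": sorted(b - a)}

# Constructed samples: tag 03, length 02, 5 unused bits, then the byte from the post.
STANDALONE_KU = bytes.fromhex("030205e0")   # stand-alone root CA (e0)
ENTERPRISE_KU = bytes.fromhex("030205a0")   # Enterprise root CA (a0)

if __name__ == "__main__":
    print("stand-alone:", decode_key_usage(STANDALONE_KU))
    print("enterprise: ", decode_key_usage(ENTERPRISE_KU))
    print("difference: ", key_usage_diff(STANDALONE_KU, ENTERPRISE_KU))
```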