Monday, 13 August 2012

[TMG] Incorrect key type for the certificate


Sometimes, when creating a Web Listener, you may get this error on the certificate: Incorrect key type.

To be sure you generate a valid certificate, here are some clues:
  1. As described by Yuri Diogenes in his article Incorrect Key Type when Creating a Web Listener on TMG using V3 Certificate, CNG (Cryptography Next Generation) certificates, introduced with Windows 2008, are not supported by Forefront TMG.
  2. Be sure that you provide all the required information about the keys.
For the second point, you will find below a sample request file to use with the following command line: certreq -New <certreq.inf> <csrfile.req>

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=lyncweb.security.lab,OU=Unified Communication,O=SNH Lab,L=PARIS,S=FRANCE,C=FR"
Exportable = TRUE
KeySpec = AT_KEYEXCHANGE
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_NON_REPUDIATION_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
; Legacy CSP (not a CNG key storage provider), which is what TMG requires
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
MachineKeySet = TRUE
KeyLength = 2048
FriendlyName = "REVERSEADFS"
; Keep FALSE: TRUE selects the CNG-style signature format TMG cannot use
AlternateSignatureAlgorithm = FALSE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

; Subject Alternative Name extension, one _continue_ line per DNS name
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=lyncweb.security.lab&"
_continue_ = "dns=dialin.security.lab&"
_continue_ = "dns=meet.security.lab&"
_continue_ = "dns=lyncdiscover.security.lab&"

[RequestAttributes]
CertificateTemplate = "WebServer"

The command line will generate a CSR (Certificate Signing Request) to send to the certification authority.

Here's a brief description of some of these fields:

| Field | Description |
| --- | --- |
| Exportable | The private key will be tagged as exportable (interesting, right? ;)) |
| KeySpec | Key usage; here key exchange, to build an SSL/TLS tunnel |
| KeyUsage | Usages covered by the key; here signature / key encipherment / non-repudiation / data encipherment |
| ProviderName | Name of the CSP (Cryptographic Service Provider) to use |
| ProviderType | Type code of the CSP to use |
| MachineKeySet | Force use of the computer certificate container (instead of the current user's) |
| KeyLength | Key size |
| FriendlyName | Associated name, only for "user friendly" display |
| AlternateSignatureAlgorithm | Enable/disable the CNG feature |
| OID | Object IDentifier (OID) to use; here Server Authentication |
| 2.5.29.17 | Tells that we will provide Subject Alternative Names (SAN OID) |
| CertificateTemplate | If you send the request file to a private PKI, you can provide the template name to use. The name provided must be the template name, not the one displayed in the PKI console. |
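As an added example (not from the original post), here is a small pre-flight check that parses a certreq.inf and flags the settings discussed above before you run certreq: a CNG key storage provider, AlternateSignatureAlgorithm set to TRUE, a missing KeySpec, and a CN that is absent from the SAN list. The KSP_MARKERS list and SAMPLE_INF are constructed for this example.

```python
"""Pre-flight check of a certreq.inf for a TMG Web Listener certificate (added example).
Flags settings that yield a CNG (KSP) key or an alternate-format signature, which TMG
rejects as "Incorrect key type", and checks that the CN is present in the SAN list."""
import re
KSP_MARKERS = ("key storage provider", "platform crypto provider")  # CNG KSP names (constructed)
SAMPLE_INF = """[NewRequest]
Subject = "CN=lyncweb.security.lab,O=SNH Lab,C=FR"
KeySpec = AT_KEYEXCHANGE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
AlternateSignatureAlgorithm = FALSE
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=lyncweb.security.lab&"
"""
def parse_inf(text):
    # Parse INF text into {section: {key: value}}; _continue_ lines are
    # appended to the previous key's value, as certreq itself does.
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key == "_continue_":
            sections[current][last_key] += value
        else:
            sections[current][key] = value
            last_key = key
    return sections
def check_tmg_compat(text):
    """Return a list of problems; an empty list means the request looks TMG-safe."""
    inf = parse_inf(text)
    req = inf.get("NewRequest", {})
    provider, problems = req.get("ProviderName", "").lower(), []
    if not provider or any(m in provider for m in KSP_MARKERS):
        problems.append("ProviderName must name a legacy CSP, not a KSP (CNG key)")
    if req.get("AlternateSignatureAlgorithm", "FALSE").upper() != "FALSE":
        problems.append("AlternateSignatureAlgorithm must be FALSE")
    if req.get("KeySpec", "").upper() not in ("AT_KEYEXCHANGE", "1"):
        problems.append("KeySpec should be AT_KEYEXCHANGE for an SSL/TLS listener")
    san = inf.get("Extensions", {}).get("2.5.29.17", "").replace("{text}", "", 1)
    names = [n[4:] for n in san.split("&") if n.startswith("dns=")]
    cn = re.search(r"CN=([^,]+)", req.get("Subject", ""))
    if cn and cn.group(1) not in names:
        problems.append(f"CN {cn.group(1)} is not in the SAN list")
    return problems
```

Run it against your own certreq.inf (read the file and pass its text to check_tmg_compat) before submitting the CSR; an empty list means none of the known TMG pitfalls are present.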
