Windows
創建新的 SubCA 證書失敗並出現 NTE_PROV_TYPE_NOT_DEF
我正在嘗試為新的 Windows AD CS Enterprise 從屬 CA(Windows Server 2019)手動創建密鑰和 CSR。
我想將密鑰儲存在現代Microsoft Software Key Storage Provider中。
它失敗了
Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF)
。我使用的命令是:
certreq.exe -new C:\requestconfig.inf C:\certificate.req
C:\requestconfig.inf
文件是這樣的:[Version] Signature= "$Windows NT$" [NewRequest] Subject = "CN=My Subordinate CA" HashAlgorithm = sha256 KeyAlgorithm = RSA KeyLength = 2048 ProviderName = "Microsoft Software Key Storage Provider" KeyContainer = "My Subordinate CA" ExportableEncrypted = true MachineKeySet = true RequestType = PKCS10 SuppressDefaults = true SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)" [RequestAttributes] CertificateTemplate = SubCA [Extensions] 2.5.29.15 = "{critical}{hex}03020186" ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing 2.5.29.19 = "{critical}{text}ca=1&pathlength=1" ; Basic Constraints (critical) 1.3.6.1.4.1.311.21.1 = "{hex}020100" ; CA Version V0.0
故障排除步驟
我通過執行檢查了 CSP 是否有效
certutil -csplist
:[...] Provider Name: Microsoft Strong Cryptographic Provider Provider Type: 1 - PROV_RSA_FULL Provider Name: Microsoft Software Key Storage Provider Provider Name: Microsoft Passport Key Storage Provider [...]
它沒有提供程序類型,但儘管如此,我將
ProviderType = 0
和添加ProviderType = 1
到配置中,但無濟於事。我能夠使用非常相似的配置來創建我的根證書:
[Version] Signature= "$Windows NT$" [NewRequest] Subject = "CN=My Root CA" HashAlgorithm = sha256 KeyAlgorithm = RSA KeyLength = 4096 ;KeyUsage = CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE ProviderName = "Microsoft Software Key Storage Provider" KeyContainer = "My Root CA" ExportableEncrypted = true MachineKeySet = true RequestType = Cert SuppressDefaults = true SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY) [Extensions] 2.5.29.15 = {critical}{hex}03020186 ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing 2.5.29.19 = {critical}{text}ca=1&pathlength=None ; Basic Constraints (critical) 1.3.6.1.4.1.311.21.1 = {hex}020100 ; CA Version V0.0
主要區別在於,使用此配置,我創建了一個密鑰和證書,而不是密鑰和 CSR。區別是:
RequestType
isCert
和 notPKCS10
,它沒有RequestAttributes
部分。此配置沒有失敗NTE_PROV_TYPE_NOT_DEF
。是什麼導致我的子 CA 的配置突然失敗?
您必須添加:
KeySpec=0
到
NewRequest
部分。certreq 預設為AT_EXCHANGE
CNG 提供程序不支持 KeySpec。只是出於好奇,您為什麼不使用 ADCS CA 安裝嚮導來生成 CA 請求?