Windows

創建新的 SubCA 證書失敗並出現 NTE_PROV_TYPE_NOT_DEF

  • January 4, 2022

我正在嘗試為新的 Windows AD CS Enterprise 從屬 CA(Windows Server 2019)手動創建密鑰和 CSR。

我想將密鑰儲存在現代Microsoft Software Key Storage Provider中。

它失敗了Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF)

我使用的命令是:certreq.exe -new C:\requestconfig.inf C:\certificate.req

C:\requestconfig.inf文件是這樣的:

[Version]
Signature= "$Windows NT$"


[NewRequest]
Subject = "CN=My Subordinate CA"

HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 2048

ProviderName = "Microsoft Software Key Storage Provider"
KeyContainer = "My Subordinate CA"
ExportableEncrypted = true
MachineKeySet = true
RequestType = PKCS10
SuppressDefaults = true
SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)"


[RequestAttributes]
CertificateTemplate = SubCA


[Extensions]
2.5.29.15 = "{critical}{hex}03020186" ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing
2.5.29.19 = "{critical}{text}ca=1&pathlength=1" ; Basic Constraints (critical)
1.3.6.1.4.1.311.21.1 = "{hex}020100" ; CA Version V0.0

故障排除步驟

我通過執行檢查了 CSP 是否有效certutil -csplist

[...]
Provider Name: Microsoft Strong Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Software Key Storage Provider

Provider Name: Microsoft Passport Key Storage Provider
[...]

它沒有提供程序類型,但儘管如此,我將ProviderType = 0和添加ProviderType = 1到配置中,但無濟於事。

我能夠使用非常相似的配置來創建我的根證書:

[Version]
Signature= "$Windows NT$"


[NewRequest]
Subject = "CN=My Root CA"

HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 4096
;KeyUsage = CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE

ProviderName = "Microsoft Software Key Storage Provider"
KeyContainer = "My Root CA"
ExportableEncrypted = true
MachineKeySet = true
RequestType = Cert
SuppressDefaults = true
SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)


[Extensions]
2.5.29.15 = {critical}{hex}03020186 ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing
2.5.29.19 = {critical}{text}ca=1&pathlength=None ; Basic Constraints (critical)
1.3.6.1.4.1.311.21.1 = {hex}020100 ; CA Version V0.0

主要區別在於,使用此配置,我創建了一個密鑰和證書,而不是密鑰和 CSR。區別是:RequestTypeisCert和 not PKCS10,它沒有RequestAttributes部分。此配置沒有失敗NTE_PROV_TYPE_NOT_DEF

是什麼導致我的子 CA 的配置突然失敗?

您必須添加:

KeySpec=0

NewRequest部分。certreq 預設為AT_EXCHANGECNG 提供程序不支持 KeySpec。

只是出於好奇,您為什麼不使用 ADCS CA 安裝嚮導來生成 CA 請求?

引用自:https://serverfault.com/questions/1088924