Openssl: Generate CSR with NTDS CA Security Extension
To request a certificate that carries Microsoft's szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2, the extension that holds the requester's objectSid and that domain controllers use for strong certificate mapping since KB5014754), you can use an openssl.cnf that resembles the following. The extension value is a GeneralNames SEQUENCE containing a single otherName: an implicitly tagged [0] OtherName whose type-id is szOID_NTDS_OBJECTSID (1.3.6.1.4.1.311.25.2.1) and whose value is an explicitly tagged [0] OCTET STRING holding the SID as text. Note that an AD CS enterprise CA populates this extension itself from the requesting account; whether any CA keeps a value supplied in the CSR is up to its policy module, so check the issued certificate rather than assuming the CSR's extension survived.
files/2024/listings/openssl.cnf (Source)
[ req ]
prompt = no
default_bits = 4096
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
C = US
ST = Florida
L = Miami
O = Example Org
# Important value
CN = hostname123498.example.org
#emailAddress = noreply@example.org

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# this oid is szOID_NTDS_CA_SECURITY_EXT
1.3.6.1.4.1.311.25.2 = ASN1:SEQUENCE:NTDSCASecurityExt
subjectAltName = @alt_names

[ alt_names ]
# Important value
DNS.1 = hostname123498.example.org
DNS.2 = hostname123498.subnet.example.org

[ NTDSCASecurityExt ]
# The extension value is a GeneralNames SEQUENCE holding one otherName.
# GeneralName.otherName is [0] IMPLICIT OtherName, so the OtherName SEQUENCE
# is emitted with context tag 0 (shown by asn1parse as: cont [ 0 ]).
# EXPLICIT:0,SEQUENCE:... would leave an extra SEQUENCE inside the [0] and
# does not conform to the Microsoft encoding; IMPLICIT replaces the tag instead.
otherName = IMPLICIT:0,SEQUENCE:NTDSObjectSid

[ NTDSObjectSid ]
# OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
szOID_NTDS_OBJECTSID = OID:1.3.6.1.4.1.311.25.2.1
# Important value: the SID as text, inside an explicit [0] tag
# (also displayed by asn1parse as: cont [ 0 ])
key = EXPLICIT:0,OCTETSTRING:S-1-5-21-2059058832-2300889872-1288252972-490382
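Added example (not part of the original post): a small Python reference encoder for the extension value, so you can compare what openssl asn1parse prints against the byte layout MS-WCCE specifies, plus an optional round trip that writes an equivalent openssl.cnf, runs openssl req, and confirms the CSR carries exactly those bytes. The SID and hostname are the sample values from the listing; the section names inside the generated config are my own and the round trip simply reports None when the openssl binary is not installed.

```python
"""Reference DER encoding of szOID_NTDS_CA_SECURITY_EXT and an optional
round-trip check against a CSR produced by the openssl CLI."""
import os
import re
import shutil
import subprocess
import tempfile
import textwrap

OID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"
OID_NTDS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with a short or long definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body


def _oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def encode_ntds_ca_security_ext(sid: str) -> bytes:
    """GeneralNames SEQUENCE with one otherName. otherName is [0] IMPLICIT
    OtherName, so the OtherName SEQUENCE is tagged A0; inside it sit the
    type-id OID and the value as [0] EXPLICIT OCTET STRING (the SID text)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID string: {sid!r}")
    other_name = _oid(OID_NTDS_OBJECTSID) + _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    return _tlv(0x30, _tlv(0xA0, other_name))


def openssl_cnf(common_name: str, sid: str) -> str:
    """Minimal openssl.cnf producing the same structure (section names are mine)."""
    return textwrap.dedent(f"""\
        [ req ]
        prompt = no
        distinguished_name = dn
        req_extensions = req_ext
        [ dn ]
        CN = {common_name}
        [ req_ext ]
        {OID_NTDS_CA_SECURITY_EXT} = ASN1:SEQUENCE:ntds_ca_security_ext
        [ ntds_ca_security_ext ]
        otherName = IMPLICIT:0,SEQUENCE:ntds_objectsid
        [ ntds_objectsid ]
        type_id = OID:{OID_NTDS_OBJECTSID}
        value = EXPLICIT:0,OCTETSTRING:{sid}
        """)


def csr_extension_matches(common_name: str, sid: str):
    """Generate a CSR with the openssl CLI and check that asn1parse shows the
    extension value byte-for-byte equal to encode_ntds_ca_security_ext(sid).
    Returns None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    expected_hex = encode_ntds_ca_security_ext(sid).hex().upper()
    with tempfile.TemporaryDirectory() as tmp:
        cnf, key, csr = (os.path.join(tmp, n) for n in ("openssl.cnf", "key.pem", "req.pem"))
        with open(cnf, "w") as fh:
            fh.write(openssl_cnf(common_name, sid))
        subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
                        "-keyout", key, "-config", cnf, "-out", csr],
                       check=True, capture_output=True)
        dump = subprocess.run(["openssl", "asn1parse", "-in", csr],
                              check=True, capture_output=True, text=True).stdout
    # asn1parse prints a non-printable OCTET STRING as "[HEX DUMP]:<upper-case hex>"
    return f"[HEX DUMP]:{expected_hex}" in dump


if __name__ == "__main__":
    sid = "S-1-5-21-2059058832-2300889872-1288252972-490382"
    print(encode_ntds_ca_security_ext(sid).hex())
    print("openssl round-trip:", csr_extension_matches("hostname123498.example.org", sid))
```

For the sample SID the encoder yields 68 bytes beginning 30 42 a0 40 06 0a 2b 06 01 04 01 82 37 19 02 01 a0 32 04 30, followed by the SID text. Inspecting the CSR by hand with openssl asn1parse -in req.pem -i (or openssl req -in req.pem -noout -text) should show, for the extension value, a SEQUENCE containing one cont [ 0 ] that holds the OBJECT 1.3.6.1.4.1.311.25.2.1 and a second cont [ 0 ] wrapping the OCTET STRING; if the OID and the OCTET STRING each sit in their own cont [ 0 ] directly under the SEQUENCE, the config tagged the OtherName explicitly instead of implicitly.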
References
Weblinks
- [MS-WCCE]: szOID_NTDS_CA_SECURITY_EXT | Microsoft Learn
- x509 - Create own ASN.1 module for custom extension in OpenSSL command line tools - Stack Overflow
- ASN1_generate_nconf(3), OpenSSL 1.1.1 manual: /docs/man1.1.1/man3/ASN1_generate_nconf.html
- is it possible making openssl skipping the country/common name prompts? - Stack Overflow