Openssl: Generate CSR with NTDS CA Security Extension

bgstack15

To request a certificate with the exact Microsoft OID for Client Auth certs for the domain, you can use an openssl.cnf that resembles the following.

This also includes the SAN URI which is separate from the NTCS.

	`[ req ]`
	`prompt = no`
	`default_bits = 4096`
	`default_md = sha256`
	`default_keyfile = privkey.pem`
	`distinguished_name = req_distinguished_name`
	`req_extensions = req_ext`

	`[ req_distinguished_name ]`
	`C = US`
	`ST = Florida`
	`L = Miami`
	`O = Example Org`
	`# Important value`
	`CN = hostname123498.example.org`
	`#emailAddress = noreply@example.org`

	`[ req_ext ]`
	`basicConstraints = CA:FALSE`
	`keyUsage = digitalSignature, keyEncipherment`
	`# this oid is szOID_NTDS_CA_SECURITY_EXT`
	`1.3.6.1.4.1.311.25.2 = ASN1:SEQUENCE:NTDSCASecurityExt`
	`subjectAltName = @alt_names`

	`[ alt_names ]`
	`# Important value`
	`DNS.1 = hostname123498.example.org`
	`DNS.2 = hostname123498.subnet.example.org`
	`# hardcoded text until the sid`
	`URI.1 = tag:microsoft.com,2022-09-14;sid:S-1-5-21-2059058832-2300889872-1288252972-490382`

	`[ NTDSCASecurityExt ]`
	`# If you wanted to use another SEQUENCE but that does not conform to the M$ example.`
	`#wrappingSeq = EXPLICIT:0,SEQUENCE:ExtOid`
	`# The EXPLICIT,0 is required to get the specific context which is displayed by asn1parse as: cont [ 0 ]`
	`szOID_NTDS_OBJECTSID = EXPLICIT:0,OID:1.3.6.1.4.1.311.25.2.1`
	`# Important value`
	`key = EXPLICIT:0,OCTETSTRING:S-1-5-21-2059058832-2300889872-1288252972-490382`

	`[ ExtOid ]`
	`oid = OID:1.3.6.1.4.1.311.25.2.1`

Knowledge Base