CMC certificate requests are normally used in combination with EOBO enrollment (Enroll On Behalf Of) scenarios where additional enrollment agent signatures are required by the certification authority to accept and process the certificate request.
Generating and signing the CMC certificate request can either be done using the certmgr.msc MMC snap-in or scripted using the certreq.exe tool provided in the Windows platform. The procedure using certreq to generate and sign the CMC certificate request is defined by the following steps
1. Create a certificate request inf file describing the request, below you find a sample inf file for EOBO request
[Version]
Signature= “$Windows NT$”
[NewRequest]
RequesterName = Crisco0\Administrator
RequestType = CMC
[RequestAttributes]
CertificateTemplate = EOBO_Template
2. Generate the initial self signed CMC certficate request using the command:
certreq.exe -new certificate_request.inf certificate_request.req
3. Sign the initial self signed CMC certficate request with the enrollment agent certificate using the command:
certreq.exe -sign certificate_request.req signed_certificate.req
4. Submit the agent signed CMC request to the enterprise CA and receive the certificate using the command:
certreq.exe -submit signed_certificate.req new_certificate.cer
The procedure described above works as expected until you try it in Windows 2008 R2 SP1 (I have not had the chans to test other versions yet) and you will get an error message at step 3 failing the agent signing.
What happens in step 3 is that the certreq tools will try to read the referenced certificate template from Active Directory and to figure out the signing requirements and it simply fails with the error message:
Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)
After struggling with my request inf file and certificate template with the same error I decided to perform the agent signing using other tools, after some research I found this very interesting MSDN article http://msdn.microsoft.com/en-us/library/ms867026.aspx about Creating Certificate Requests Using the Certificate Enrollment Control and CryptoAPI. The article looked nice with provided samples but I wanted something more simple so I ended up in this article http://technet.microsoft.com/en-us/library/ff182315(WS.10).aspx about “Create Enroll on Behalf of Another User Request”. Usingthe code from the “Create Enroll on Behalf of Another User Request” article I created the cmcSigner tool and the CMC request could be signed and the certificate issued without errors.
What if this version certreq.exe has some issue? To figure out that I decided to test the certreq -sign operation with an older version of certreq.exe so I grabbed the Windows 2003 Admin Tool Pack and extracted the certreq.exe and tested the signing step with no errors!
Conclusion: certreq.exe in some later versions has a problem performing a certificate signing operation.
Solution: use another version of certreq.exe or another tool like the cmcSigner tool
cmcSigner Tool download:(258.8 KiB, 3,538)
