Multiple-purpose client certs, how?

A.M.

I have set up Microsoft Certificate Services as a stand-alone CA on a
Windows 2000 Server.

When I request a client certificate using the Web enrollment pages, I am
given a choice of either a Web Browser Certificate or an Email Protection
Certificate but not both. I tried "Advanced Request" options as well to no
avail.

How do I obtain a certificate from MS Certificate Services that can be used
for both Client Authentication and Secure Email purposes?

Your insight will be appreciated.

A.M

P.S. I even tried playing around with certutil.exe -setextension but no
matter what I did I could not make the certificate take on more than one
role.
 
Miha Pihler

Hi,

This shouldn't be a problem if you set up your CA as an Enterprise CA (you
can even set up a subordinate Enterprise CA to your current Standalone Root
CA).

I am not sure how to do this on a Standalone Root CA, but I will have a
look...

Mike
 
A.M.

Thanks for your reply.

Doesn't Enterprise CA require Active Directory? I have stayed away from
Active Directory in the past and would rather do so in the future.

-Amin
 
Miha Pihler

Yes, it does require it. It integrates with it.

Why do you want to stay away from AD? Can I change your mind somehow? :)

Mike
 
A.M.

I have no need for it, I have a very small network with a small number of
users. I have come to learn the fewer pieces I throw on my box, the more
reliable it runs.

I am thinking of moving to OpenSSL if I cannot resolve this issue with
Microsoft Certificate Services.

What if I use a different tool to issue a certificate request for a
multi-purpose client cert and then have it issued by MS Certificate
Services, would it make a difference? Do you know of such a tool?
 
Miha Pihler

I can't seem to find any solution to this; still, what you suggest might
work.

Use this option to try and issue certificates:

"Submit a certificate request using a base64 encoded PKCS #10 file or a
renewal request using a base64 encoded PKCS #7 file."

Mike
 
Bob Qin [MSFT]

Hello,

Thanks for your posting here.

To get multiple-purpose client certificates, you can use the advanced request
pages and for "Type of Certificate Needed", choose "Other"; after that you
would be able to specify the OIDs of the EKU desired. For multiple EKUs, the
OIDs are comma separated.

Secure Email (1.3.6.1.5.5.7.3.4)
Client Authentication (1.3.6.1.5.5.7.3.2)

Have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "A.M." <[email protected]>
Subject: Multiple-purpose client certs, how?
Date: Sun, 22 Aug 2004 18:21:38 -0700
Newsgroups: microsoft.public.win2000.security

 
Bob Qin [MSFT]

Hi Amin,

I am glad to hear that it worked. I just ever did a similar test before and I
did not find any public document that mentioned this information.

Thank you again for using our Newsgroup.

Regards,
Bob Qin
Microsoft Online Partner Support


--------------------
From: "A.M." <[email protected]>
Subject: Re: Multiple-purpose client certs, how?
Date: Wed, 25 Aug 2004 11:41:12 -0700
Newsgroups: microsoft.public.win2000.security

Bob,

This worked, thanks.

Was this documented anywhere that I missed?

Regards
Amin

