I have a small test network that includes Win2k8 R2 machines, an Enterprise CA server and an Exchange 2010 SP1 RU1 CAS server. I would like to issue a certificate for Exchange from the CA.
As the first step, I created the certificate request, which (according to OpenSSL) contains the following info:
C:\OpenSSL\bin>openssl req -in e.req -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: CN=mail.mnet.com, OU=IT, O=MNet, L=Budapest, ST=Budapest, C=HU Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) ...snip... Exponent: 65537 (0x10001) Attributes: 1.3.6.1.4.1.311.13.2.3 :6.1.7600.2 1.3.6.1.4.1.311.21.20 :unable to print attribute 1.3.6.1.4.1.311.13.2.2 :unable to print attribute Requested Extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Subject Alternative Name: DNS:cas.int.mnet.com, DNS:mail.mnet.com, DNS:autodiscover.mnet.com, DNS:pop.int.mnet.com, DNS:imap.int.mnet.com X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: F0:7E:53:47:BE:04:0F:5C:78:FD:63:8C:D6:5C:BC:0D:45:A3:4F:48 Signature Algorithm: sha1WithRSAEncryption ...snip...
As the second step, I would like to submit this request to the CA, but I get the following message:
The request contains no certificate information. Denied by Policy Module 0x80094801, The request does not contain a certificate template extension of the CertificateTemplate request attribute.
What would be the best way to get this working?
How should I generate the same request from Exchange to include the info on which certificate to use?
How should I convince the CA to issue the certificate, even if the request doesn't match a certificate template?
(I'm actually interested in the answer to all three questions to learn more about both Exchange and the CA services.)
Please use the wizard that Exchange 2010 so helpfully provides for you - it's much easier.
It's in the Exchange Management Console under Server Configuration. In the Action Pane, choose the New Exchange Certificate wizard.
Fill in the required info, submit the generated file to your Enterprise CA using the Web Server template, then import the generated certificate back into Exchange using the wizard.
You might find this video helpful.