CRYPT_E_NOT_FOUND when importing certificate

Problem description

I'm trying to automate the process of generating a certificate signing request and then importing the response from the CA on a Windows Server 2012 R2 server to use as a cert for an SSL binding in IIS. I'm able to generate the CSR, which I then provide to the security team, which then provides me with a response to import, but I am having trouble getting it to import.

This server is in a workgroup. Thought I'd mention that so no AD enrollment policy.

Here's my process:

  1. Generate the CSR using certreq.exe on the server in question. The resulting INF file looks like this:

[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "C=US,S=California,L=City,O=Company,OU=IT,CN=hostname"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
Silent = True
SMIME = False
RequestType = PKCS10

This INF file then gets turned into the CSR .req file by doing this:

certreq.exe -new "C:\inffile.inf" "C:\certreq.req"

The REQ file gets sent to the security team and they give me back a .CER file, which, when imported manually, actually adds three certificates from Digicert. The certificate I expect and what looks to be some intermediate CAs.

Here's what that looks like when imported via the MMC Certificates snap-in.

If I import the certificate via the MMC like this, it doesn't show up in the IIS manager under Server Certificates, so I looked a little deeper. I tried to complete the certificate signing request via the IIS manager like this and the cert shows up and I'm happy.

However, I can't use the GUI since I'm using a script.

I confirm that the request is in Certificate Enrollment Requests with the private key.

I confirm that the public key of the CSR and the p7b I got back provided are the same.

certutil -dump issuedcert.cer
certutil -dump certreq.req

PROBLEM: I exported the CSR from Certificate Enrollment Requests and looked at the public key. It was NOT the same as the one in issuedcert.cer. It looks like this is the problem but why?

I then try to use certreq.exe to accept the response and it doesn't work.

certreq.exe -accept -machine "C:\issuedcert.cer"

Almost done, but no. I continually receive this error message:

Recommended answer

This error indicates that certreq was unable to find the related request object in the Certificate Enrollment Requests node in the certificate store.

In addition, I would suggest checking whether the public key in the certificate request matches the one in the issued certificate. You can use the certutil -dump file.req command to dump the request file (there will be a public key) and certutil -dump cert.cer to dump the issued certificate and compare the public keys. Do the same for each object in the Certificate Enrollment Requests node in the certificate store (focused on Local Machine context) to find the request object with the matching public key.
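
The comparison described in the answer can be scripted. The following PowerShell is an added example, not part of the original question or answer: it loads every certificate in the CA response and looks for a pending request with the same public key in the Local Machine REQUEST store. The path C:\issuedcert.cer is taken from the question; the function name Find-MatchingRequest is hypothetical.

```powershell
# Added example (not from the original post).
# Assumption: the CA response is at the path used in the question.
$responsePath = 'C:\issuedcert.cer'

# The response may hold one certificate or a PKCS#7 bundle with the chain
# (the question mentions three certificates), so load it as a collection.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$issued.Import($responsePath)

# Requests created with MachineKeySet = True are kept in the Local Machine
# REQUEST store, shown in MMC as "Certificate Enrollment Requests".
$pending = @(Get-ChildItem -Path Cert:\LocalMachine\REQUEST)

# Hypothetical helper: for each issued certificate, report whether a pending
# request carries the same public key and whether its private key is present.
function Find-MatchingRequest {
    param(
        [Parameter(Mandatory)] $IssuedCertificates,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $PendingRequests
    )
    foreach ($cert in $IssuedCertificates) {
        $key   = $cert.GetPublicKeyString()
        $match = $PendingRequests |
            Where-Object { $_.GetPublicKeyString() -eq $key } |
            Select-Object -First 1

        [pscustomobject]@{
            IssuedSubject     = $cert.Subject
            IssuedThumbprint  = $cert.Thumbprint
            RequestFound      = [bool]$match
            RequestThumbprint = if ($match) { $match.Thumbprint } else { $null }
            HasPrivateKey     = if ($match) { $match.HasPrivateKey } else { $false }
        }
    }
}

Find-MatchingRequest -IssuedCertificates $issued -PendingRequests $pending |
    Format-Table -AutoSize
```

Rows for intermediate CA certificates are expected to show RequestFound as False. If the row for the server certificate also shows False, no request object with a matching public key exists in the store, which is the condition the answer associates with this error.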
