How can I solve this problem (unable to submit and sign the CSR: Denied by Policy Module 0x80094800)?

Question

I am a client and have no control over the server that is serving the requests.

When I send my CSR to that server, it responds with this answer:

> unable to submit and sign the csr in zatca side, caused : Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: PREZATCA-Code-Signing

zatca = the organization that has the server

This is the configuration that I used to generate the CSR:

```
oid_section = OIDs
[ OIDs ]
certificateTemplateName= 1.3.6.1.4.1.311.20.2
[ req ]
default_bits        = 2048
emailAddress        = mmkkjjmm55555@email.com
req_extensions          = v3_req
x509_extensions         = v3_ca
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=SA
OU=3111902937
organizationIdentifier=311190293700003
O=ShaEk
CN=127.0.0.1

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment

[req_ext]
certificateTemplateName = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing
subjectAltName = dirName:alt_names

[alt_names]
SN=1-Device|2-234|3-gsgsgs
UID=311190293700003
title=1000
registeredAddress=Zatca 12
businessCategory=Food Business3
```

It is the data of a store, to be able to send e-invoices.

What I tried:

I searched for this error, but all of the answers that I found talk about how to solve this problem on the server side.

Is there any way to solve this problem from my side, or can I do something to solve it?

Thanks.

Answer 1

Score: 2

The error says that the certificate template PREZATCA-Code-Signing isn't supported by the CA. You have to either add this template to the CA, or use another certificate template that is supported by the CA and accepts subject information from the request.

BTW, you are using a Microsoft AD CS CA, and it will ignore (overwrite) some certificate extensions you defined in the request, such as Enhanced Key Usages, Key Usages and Basic Constraints.
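A client-side check for the point made in the answer, added here as an example and not part of the original post: it reads the template name (OID 1.3.6.1.4.1.311.20.2) out of a DER-encoded CSR so it can be compared with the names the CA operator says it issues. The function names and the sample bytes are constructed for illustration; the sample is only the attributes fragment of a request, not a signed CSR.

```python
import base64

TEMPLATE_OID = bytes.fromhex("2b0601040182371402")   # 1.3.6.1.4.1.311.20.2, as in the config

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def walk(buf, start, end):
    """Yield (tag, value) for each primitive element, descending into constructed ones."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        if tag & 0x20:                       # constructed: SEQUENCE, SET, [0] attributes
            yield from walk(buf, vs, ve)
        else:
            yield tag, buf[vs:ve]
        start = ve

def template_name(der):
    """Return the template name the request asks for, or None if it carries none."""
    items = walk(der, 0, len(der))
    for tag, value in items:
        if tag == 0x06 and value == TEMPLATE_OID:
            for tag2, wrapped in items:      # same iterator: skips a 'critical' BOOLEAN
                if tag2 == 0x04:             # extnValue OCTET STRING wraps one string TLV
                    stag, vs, ve = read_tlv(wrapped, 0)
                    codec = "utf-16-be" if stag == 0x1E else "utf-8"   # 0x1E = BMPString
                    return wrapped[vs:ve].decode(codec)
    return None

def pem_to_der(pem):
    """Strip the BEGIN/END lines of a PEM CSR and base64-decode the body."""
    lines = [s for s in map(str.strip, pem.splitlines()) if s and not s.startswith("-----")]
    return base64.b64decode("".join(lines))

def tlv(tag, content):                       # short-form encoder, only for the sample below
    return bytes([tag, len(content)]) + content

# Constructed sample: the attributes part of a CSR built from the config in the question.
EXT_REQ_OID = tlv(0x06, bytes.fromhex("2a864886f70d01090e"))   # extensionRequest
SAMPLE = tlv(0xA0, tlv(0x30, EXT_REQ_OID + tlv(0x31, tlv(0x30, tlv(0x30,
    tlv(0x06, TEMPLATE_OID) + tlv(0x04, tlv(0x13, b"PREZATCA-Code-Signing")))))))
```

For a real request, `template_name(pem_to_der(open("request.csr").read()))` returns the string the CA's policy module will look up; `request.csr` is a hypothetical file name.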

  • Posted by huangapple on 2023-03-31 04:04:33
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75892548.html