You cannot modify any property once Enode or InitializeDecode methods are called. Why this happens -- CSR is digitally signed, therefore you cannot alter it in any way, because you will break the signature. What you can try -- is to embed signed request in CMC and try to set the subject again. You will have to re-sign entire request again with Enrollment Agent certificate.
Hi Vadim,
Initially I want to thank you for a very useful site!
We are working on a RA to issue certificates based on existing PKCS#10's. Using the information I have found on your site I've been able to create a script which will take the PKCS#10, create a request and get a certificate. We want to be able to override the subject provided in the PKCS#10, however, I'm not able to set the Subject. The following snippet shows my attempt:
$PKCS10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$pkcs10.InitializeDecode("ContextMachine", 0x2) #XCN_CRYPT_STRING_BINARY
$pkcs10.InitializeDecode($p10,0x0) #XCN_CRYPT_STRING_BASE64HEADER
$dn=New-Object -ComObject X509Enrollment.CX500DistinguishedName
$dn.Encode('cn=test,o=somedomain,c=no')
$PKCS10.Subject = $dn
This results in the following error:
CertEnroll::CX509CertificateRequestPkcs10::put_Subject: The specified file is read only. 0x80071779 (WIN32: 6009 ERROR_FILE_READ_ONLY)
At C:\temp\get-request.ps1:103 char:1
+ $CertRequest.Request.GetInnerRequest(0).Subject = $dn
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
Do you have any suggestions as to why this happening and what can be done to get this to work?
With regards
Kjetil R Bustnes
When I run this command the checkpoint file is older than the fullbackup file. Why is this the case and what does it mean ?
> signtool.exe still shows correct timestamp in that case, but I cannot find that info in the SignedCms-data.
interesting, how it can show the timestamp if the signature is not counter-signed by TSA.
Hi,
i do have a question regarding auto-enrollment. Does the client only use LDAP (389) for retriving the needed PKI information from AD ?
- Is LDAPs possible ?
- If a child domain existing and the PKI is placed above the client domain, will the Client always get information from his own domain, or will the client be sent to the domain controller where the CA is located in ?