Getting "invalid name" issuing errors when using "enddate" only

[Doomnometron]

Hi there,

for evaluation I'm playing around with the Sample_Online_User_NotAfter.xml sample file and would like to end the runtime of a certificate defined with it.

Content of my XML
<CertificateRequestPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <NotAfter>2023-06-20T23:59:59.0000000+01:00</NotAfter> </CertificateRequestPolicy>

When I issue a certificate based on the certificate template defined by the name of the XML file, I get an error message:

The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded. 0x800b0114

Without XML file the certificate is issued as usual and w/o error.

Any ideas?

[hansjoachimknobloch]

Hi @Doomnometron ,

that error shoud occur if you have a DirectoryServicesMapping-AllowedSecurityGroups or DirectoryServicesMapping-DisallowedSecurityGroups rule in your xml rule file (see the Sample_Offline_User.xml example).

Regards, Hajo.

[Doomnometron]

Hi @hansjoachimknobloch,

thanks for your response. I did not have configured anything else then the option, as I have simply copied the Sample_Online_User_NotAfter.xml, renamed it and changed the date.
That's why I don't currently understand the error message - because I haven't configured any name checking in the xml.

Regards

[hansjoachimknobloch]

Hi @Doomnometron,

I've tested your above XML in my lab (Windows Server 2019, TameMyCerts_1.5.760.827) and it works as intended.

You might get additional information in the application event log under event source "TameMyCerts".

Regards, Hajo.

[Doomnometron]

Again, thank you for your response. From the eventlog EventID 6

Request 193206 for WebServer was denied because:
The commonName field is not allowed.
The dNSName field is not allowed.

With added expressions for commonName and dNSName I'm able to request the certificate.

This works

<!--
  This is an example configuration file for computer online certificate requests.
  Ensures that all certificates issued for this template expire on 31st December 2022, 23:59:59 (Europe/Berlin time).
  Works the same way for offline requests, but should include syntax and directory mapping rules there.
-->
<CertificateRequestPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Subject>
    <SubjectRule>
      <Field>commonName</Field>
      <Mandatory>true</Mandatory>
      <MaxOccurrences>1</MaxOccurrences>
      <MaxLength>64</MaxLength>
	  <Patterns>
		<Pattern>
		  <Expression>^[a-zA-Z]*\.[a-zA-Z]*\.[a-zA-Z]*$</Expression>
		</Pattern>
      </Patterns>
	</SubjectRule>
  </Subject>
  <SubjectAlternativeName>
    <SubjectRule>
      <Field>dNSName</Field>
      <Mandatory>true</Mandatory>
      <MaxOccurrences>2</MaxOccurrences>
      <MaxLength>64</MaxLength>
      <Patterns>
        <Pattern>
          <Expression>^[a-zA-Z]*\.[a-zA-Z]*\.[a-zA-Z]*$</Expression>
        </Pattern>
      </Patterns>
    </SubjectRule>
  </SubjectAlternativeName>
  <NotAfter>2023-06-20T23:59:59.0000000+01:00</NotAfter>
</CertificateRequestPolicy>

This not.

<!--
  This is an example configuration file for computer online certificate requests.
  Ensures that all certificates issued for this template expire on 31st December 2022, 23:59:59 (Europe/Berlin time).
  Works the same way for offline requests, but should include syntax and directory mapping rules there.
-->
<CertificateRequestPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <NotAfter>2023-06-20T23:59:59.0000000+01:00</NotAfter>
</CertificateRequestPolicy>

[Sleepw4lker]

Hey @Doomnometron and @hansjoachimknobloch, thank you for sorting this out. I'll add a sample file for offline requests to the next release.

Cheers

[hansjoachimknobloch]

Hi @Doomnometron,

yes, without <Subject> and/or <SubjectAlternativeName> rules that permit certain fields with associated patters (even if the pattern is ^.*$ and maybe with Mandatory=false) the default is that any request with non-empty Subject DN and/or SAN will be rejected.

Is it okay to mark the discussion as answered?

Regards, Hajo.