I'm using a Microsoft Certification Authority to sign some certificates from a corporate network. Using the certreq utility everything works fine, but I didn't find the purpose of the template anywhere.
In my case, I need to create some certificate requests on a Linux server (using OpenSSL) and then sign them using the Microsoft CA on another server (Windows Server 2012). The process is basically described below:
- Create the .csr file and key on a Linux server (`openssl req -newkey rsa:1024 -keyout myKey.key -out myCsr.csr -subj /CN=mydomain.com/O=Organization/C=US/ST=ST/L=City`);
- Send the csr file to the Windows Server where the CA is installed;
- Call the certreq utility to create the certificate itself (`certreq -submit -attrib "CertificateTemplate:MyWebServerTemplate" -config DOMAINCA\CA1 myCsr.csr myCert.cer`);
- When needed, send the cert to Linux again and convert the .cer into a .crt with the command `openssl x509 -outform DER -in myCert.cer -out myCert.crt`. This is needed when certreq is used with the `-binary` option.
As far as I know, choosing a template is mandatory, but nothing changes no matter which one I choose. I tried selecting many templates, but apparently nothing changes.
Update: After some tests, I noticed that some templates actually change some of the original info from the CSR, but my question still is: What is the purpose of the template, since the info is all in the CSR, and why is it mandatory? How can I force the MS CA to use the CSR info?
I'm new to this certificate administration thing. Am I misunderstanding something in the process?
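
A check for the behaviour noted in the update above, as an added example that is not part of the original post: it compares the subject and public key requested in the CSR with what the issued certificate contains, and accepts both Base64 and `-binary` (DER) certificate files. The function names, the script name and the self-signed stand-in for the CA used in `demo` are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare a CSR with the certificate a CA issued for it.
# Usage: ./csr_vs_cert.sh myCsr.csr myCert.cer   (or: ./csr_vs_cert.sh demo)

# Query a cert that may be PEM (Base64) or DER (e.g. certreq -binary output).
cert_q() {
  local f=$1; shift
  openssl x509 -in "$f" -noout "$@" 2>/dev/null ||
    openssl x509 -inform DER -in "$f" -noout "$@"
}

# Subject DN in RFC 2253 form so both sides compare as plain strings.
csr_subject()  { openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_subject() { cert_q "$1" -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# SHA-256 of the PEM public key; equal digests mean the same key.
csr_keyid()  { openssl req -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }
cert_keyid() { cert_q "$1" -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }

# Print a report; return 0 only if subject and public key are unchanged.
compare_csr_cert() {
  local csr=$1 cert=$2 rc=0
  if [ "$(csr_subject "$csr")" != "$(cert_subject "$cert")" ]; then
    echo "subject: '$(csr_subject "$csr")' -> '$(cert_subject "$cert")'"; rc=1
  fi
  if [ "$(csr_keyid "$csr")" != "$(cert_keyid "$cert")" ]; then
    echo "public key in certificate differs from CSR"; rc=1
  fi
  cert_q "$cert" -issuer -dates          # set by the CA, never by the CSR
  # Extension block of the issued certificate (may be empty).
  cert_q "$cert" -text | sed -n '/X509v3 extensions:/,/Signature Algorithm/p'
  return "$rc"
}

# Constructed demo: throwaway key, CSR and a self-signed stand-in for the CA.
demo() {
  local d; d=$(mktemp -d)
  openssl req -newkey rsa:2048 -nodes -keyout "$d/k.key" -out "$d/r.csr" \
    -subj "/CN=mydomain.com/O=Organization/C=US" 2>/dev/null
  openssl x509 -req -in "$d/r.csr" -signkey "$d/k.key" -days 1 \
    -out "$d/c.cer" 2>/dev/null
  compare_csr_cert "$d/r.csr" "$d/c.cer"; local rc=$?
  rm -rf "$d"; return "$rc"
}

if [ $# -eq 2 ]; then compare_csr_cert "$1" "$2"; elif [ "${1:-}" = demo ]; then demo; fi
```

Running it once per template against the same CSR shows which fields each template overrides.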