How to sign CSR file generated in GPG4win in Microsoft CA

How to generate a certification request that is compatible with Microsoft CA (CSR)?

We are able to generate an X.509 key CR (p10) that does not seem compatible with Microsoft CA.

Is there any way to convert it to a CSR, or a way to generate a CSR using Gpg4win?

Hi Ali,

It is possible to generate certification requests with Gpg4win’s crypto
engine “GnuPG” with a number of options. There is a good chance that
you can create such requests that are compatible with Microsoft CA.

Because there are many CAs out there with different special requirements
in the details, or quirks, this may need figuring out in detail what the problem is.
Those expert functions are usually available when using the crypto engine GnuPG
from the command line. My suggestion is that you ask a question on the
more technical gnupg-users@ list as the next step.

Best Regards,
Bernhard

Hi Bernhard,

Thanks for the response.
I have communicated with gnupg-users@. They guided me to use the “gpgsm” tool to create a CSR.

Use:

gpgsm --gen-key

and follow the prompts.

If it asks you “Create self-signed certificate? (y/N)”, you want to answer “N” (no) because you want the csr instead.

For example (this is not on Windows, this is on a GNU/Linux machine, but it should look similar to what you see in the Windows cmd.exe shell):

0 dkg@alice:~$ gpgsm --gen-key
gpgsm (GnuPG) 2.1.17; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA
(2) Existing key
(3) Existing key from card
Your selection? 1
What keysize do you want? (2048)
Requested keysize is 2048 bits
Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=bananas.example
Enter email addresses (end with an empty line):

Enter DNS names (optional; end with an empty line):

bananas.example
www.bananas.example

Enter URIs (optional; end with an empty line):

Create self-signed certificate? (y/N)
These parameters are used:
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=bananas.example
Name-DNS: bananas.example
Name-DNS: www.bananas.example

Proceed with creation? (y/N) y
Now creating certificate request. This may take a while …
gpgsm: about to sign the CSR for key: &C6962BE32BF3CA7C3207BCECC0FC1CD3C24CC2E7
gpgsm: certificate request created
Ready. You should now send this request to your CA.
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
0 dkg@alice:$

Then you’d copy/paste the stuff between the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines (including those lines as
well) into a file that you can import into your CA.

I sent it to the CA and got the certificate.
I have imported it together with the CA root and intermediate certificates via the Kleopatra UI, but when I try to use it for encryption or signing, it throws an error. See the attached image.
Did I do anything wrong?
Or does Kleopatra not support that?

I have successfully created the CSR and sent it to the internal CA (Microsoft CA) team. They sent me the certificate. I have used the Kleopatra UI to import the created certificate after saving it to a file (attaching a sample file). Using the same Kleopatra UI, I have also imported the root and intermediate certificates for the CA. It looks like the attached image (kleopatra.png).
When I try to encrypt or sign any file, it shows this error (attached error.png).

Is there anything wrong I have done?
Or is it just because Kleopatra does not support an X.509 certificate created by Microsoft CA?


Hi Ali,

So the request generation worked, good!

For further trouble shooting please check out:

https://wiki.gnupg.org/X.509
https://wiki.gnupg.org/TroubleShooting

Which version of Gpg4win (and thus gpgsm) are you using in particular?
As I’ve seen that you are able to use the command line, try the crypto operations there first, before trying them with Kleopatra. There is a good chance that your root CA is not properly configured and trusted (gpgsm -K should show you the private certificate).

Best,
Bernhard
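The procedure discussed in this thread, scripted end to end, as an added example that is not part of the original posts or of Gpg4win itself: the interactive prompts in the quoted transcript are replaced by a gpgsm parameter file (the same Key-Type/Key-Length/Key-Usage/Name-DN/Name-DNS keywords the transcript prints under “These parameters are used:”) fed to “gpgsm --batch --gen-key”, the CSR is inspected with openssl before it goes to the CA, and, once the CA has issued the certificate, the certificate and chain are imported and the root is marked trusted in trustlist.txt, which is the step Bernhard points at when the crypto operations fail. File names (params.txt, request.pem, issued.pem, intermediate.pem, root.pem), the subject CN and the DNS names are placeholders assumed for the example.

```sh
#!/bin/sh
# Added example, not from the thread or from Gpg4win. Placeholder file names and
# host names throughout; CSR_DEMO=1 actually runs gpgsm (needs gpgsm and openssl).
set -eu

# Build the gpgsm --batch parameter file. These are the same answers the
# interactive "gpgsm --gen-key" prompts ask for: key type, size, usage,
# subject DN, then one Name-DNS line per DNS subject alternative name.
gpgsm_csr_params() {
  dn=$1
  shift
  printf 'Key-Type: RSA\n'
  printf 'Key-Length: 3072\n'
  printf 'Key-Usage: sign, encrypt\n'
  printf 'Name-DN: %s\n' "$dn"
  for host in "$@"; do
    printf 'Name-DNS: %s\n' "$host"
  done
}

# Turn a root certificate's SHA-1 fingerprint (as openssl prints it, with
# colons, or as bare hex) into a trustlist.txt entry. The trailing "S" flag
# marks the entry as a trusted X.509 (S/MIME/CMS) root.
trustlist_line() {
  fp=$(printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF')
  printf '%s S\n' "$fp"
}

# Step 1: create the CSR unattended and show the subject and SANs that will
# be sent to the CA. --armor gives the PEM block the CA web form expects.
make_csr() {            # make_csr params.txt request.pem
  gpgsm --armor --batch --gen-key "$1" > "$2"
  openssl req -in "$2" -noout -text | grep -E 'Subject:|DNS:'
}

# Step 2: import the issued certificate plus chain and trust the root.
# gpgsm only validates a chain that ends at a root listed in trustlist.txt;
# a root that is imported but not listed there leaves the end-entity
# certificate unusable, which shows up in Kleopatra as a sign/encrypt error.
install_chain() {       # install_chain issued.pem intermediate.pem root.pem
  gpgsm --import "$1" "$2" "$3"
  fp=$(openssl x509 -in "$3" -noout -fingerprint -sha1 | cut -d= -f2)
  trustlist_line "$fp" >> "${GNUPGHOME:-$HOME/.gnupg}/trustlist.txt"
  gpgconf --reload gpg-agent          # the agent re-reads trustlist.txt
  gpgsm --list-keys --with-validation # chain must now validate
  gpgsm -K                            # issued cert must appear with its secret key
}

# Step 3: prove the certificate works on the command line before using
# Kleopatra, as suggested in the thread: sign a file and verify the result.
smoke_test_sign() {     # smoke_test_sign 'CN=bananas.example' some-file
  gpgsm --armor --sign --local-user "$1" "$2" > "$2.p7s"
  gpgsm --verify "$2.p7s"
}

# Writing the parameter file needs no tools and always runs; the gpgsm steps
# need the CA's output, so they run only when explicitly requested.
dir=$(mktemp -d)
gpgsm_csr_params 'CN=bananas.example' bananas.example www.bananas.example > "$dir/params.txt"
cat "$dir/params.txt"
if [ "${CSR_DEMO:-0}" = 1 ]; then
  export GNUPGHOME="$dir"
  make_csr "$dir/params.txt" "$dir/request.pem"
  # then: install_chain issued.pem intermediate.pem root.pem
  #       smoke_test_sign 'CN=bananas.example' "$dir/params.txt"
fi
```

The same gpgsm commands run unchanged in cmd.exe with Gpg4win. On the Microsoft CA side the PEM request can be submitted with certreq, for example `certreq -submit -attrib "CertificateTemplate:<template name>" request.pem` (template name is a placeholder); the chosen template has to permit the key usage requested in the parameter file, since the CA, not the CSR, decides what the issued certificate may be used for.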