Hi Steve, > So, it seem 2012R2 and ECC dont like each other. I generate a proper ECC > curved certificate where the public algo is correctly defined, OpenSSL is > happy, Try and import the same cert to be used by the RootCA, Windows says > GTFO. > > Generate an RSA with the same CSP, Windows CA is happy, OpenSSL is Happy. > Windows loves RSA. > > only technical difference > > Windows Root CA Private key and ECC cert generation (define new key at setup): > > Serial Number: > 4f:bf:07:0c:c3:a0:e5:99:4a:30:51:72:b1:19:9c:54 > Signature Algorithm: ecdsa-with-Specified > Issuer: DC = net, DC = enterprises, OU = pki, CN = CAN-ROOTCA-01
Elliptic Curves with explicit parameters were frequently used in the dark ages, before curve standardization was settled and widely accepted. This may be the reason why OpenSSL botches the verification. All current environments I know reference named curves instead. > using native X509Enrollment API calls > > Serial Number: > 2f:da:9f:39:80:2b:1e:b5:43:cf:47:06:e8:91:10:00 > Signature Algorithm: ecdsa-with-SHA256 > Issuer: CN=Test Root CA CNG ECC ECDSA_P256 > > Microsoft Root CA under 2012R2 using ECC keys doesn't seem to follow RFC5758, > RSA Key it is. Thanks for confirming my prejudice :) And having seen the horrors of ADCS in real life it totally eludes me why one would consider a Microsoft CA for implementing an Issuing CA, let alone a Root CA for a heterogeneous environment not consisting of pure Microsoft systems. From my experience ADCS only make sense in a pure Microsoft world. (Apologies for the rant, but you came to an OpenSource PKI forum :) cheers Martin _______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
