I'm having an interesting problem with OnBoarding, trying to pass CSRs to an MSFT AD Certificate Services CA. The onboarding workflow does fine if I use the CA resident in the CP instance. But when I configure for the MSFT CA, this error occurs:
Active Directory Certificate Services did not issue a certificate: Error returned by server: Your Request Id is 0. The disposition message is "Error Parsing Request ASN1 bad tag value met. 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
I pulled the CSR out of a frame capture, collected on the MSFT CA. After parsing with openssl asn1parse, most everything looks fine. The only thing that concerns me is the requested SAN value, containing all of the 'mdps' attributes...as in:
'subject_alt' => array (
'mdpsDeviceType' => 'iOS',
'mdpsDeviceName' => 'iOS',
'mdpsDeviceUdid' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
'mdpsDeviceImei' => 'XX XXXXXX XXXXXX X',
'mdpsProductName' => 'iPad3,5',
'mdpsProductVersion' => '12H76',
'mdpsUserName' => '8021x@int.MYDOMAIN.net',
'mdpsEmailAddress' => '8021x@int.MYDOMAIN.net',
),
Knowing how picky AD CS can be about how SAN values are included in a CSR or appended to a CSR upon request, I wonder if some registry tweak or schema extension needs to occur to support these OIDs in the CSR.
If anyone has seen that 'CRYPT_E_ASN1_BADTAG' error or can lend any insight, I'd appreciate the help very much.
Thanks.
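The post's concern is how the SAN entries are encoded in the CSR. As an added example (not part of the original post, and not ClearPass or AD CS code), this Python sketch walks a DER-encoded GeneralNames value and flags any entry whose tag is not one of the context tags [0] to [8] that RFC 5280 defines for GeneralName. The sample bytes, the 2.999.1 placeholder OID and all function names are constructed for illustration; whether such a tag is what triggers the error above is not established by the post.

```python
# Added example: minimal DER walker for a SAN GeneralNames value.
# All sample bytes are constructed; 2.999.1 is a placeholder OID from the example arc.

GENERAL_NAME = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
                4: "directoryName", 5: "ediPartyName", 6: "URI",
                7: "iPAddress", 8: "registeredID"}

def read_tlv(buf, pos):
    """Return (tag_byte, value_bytes, next_pos); raise ValueError on bad DER."""
    if pos + 2 > len(buf):
        raise ValueError(f"truncated header at offset {pos}")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled here")
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError(f"value overruns buffer at offset {pos}")
    return tag, buf[pos:pos + length], pos + length

def check_general_names(der):
    """List (offset, description, ok) for each entry of a GeneralNames SEQUENCE."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    findings, pos = [], 0
    while pos < len(body):
        start = pos
        tag, _, pos = read_tlv(body, pos)
        cls, num = tag >> 6, tag & 0x1F    # only class and number are checked
        ok = cls == 2 and num in GENERAL_NAME   # class 2 = context-specific
        name = GENERAL_NAME[num] if ok else f"unexpected tag 0x{tag:02x}"
        findings.append((start, name, ok))
    return findings

def tlv(tag, value):                       # short-form lengths only (sample data)
    return bytes([tag, len(value)]) + value

OID = tlv(0x06, bytes([0x88, 0x37, 0x01]))                 # 2.999.1 (placeholder)
OTHER = tlv(0xA0, OID + tlv(0xA0, tlv(0x0C, b"iOS")))       # otherName [0]
MAIL = tlv(0x81, b"user@example.test")                      # rfc822Name [1]
BARE = tlv(0x0C, b"iPad3,5")                                # untagged UTF8String
SAMPLE = tlv(0x30, OTHER + MAIL + BARE)
```

Calling `check_general_names(SAMPLE)` reports the first two constructed entries as valid GeneralName choices and the third, a bare UTF8String, as an unexpected tag at offset 33.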