Venafi / vcert

Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
https://support.venafi.com/hc/en-us/articles/217991528
Apache License 2.0

OU Error #300

Closed dpierce4776 closed 11 months ago

dpierce4776 commented 1 year ago

I am running the command vcert enroll -u -t -z "" --nickname externally-generated-csr --csr file:"C:\Users\ddpierce\OneDrive - Williams-Sonoma Inc\Desktop\Cert_Testing\APC\test\2\TestCSR.csr"

And I am getting the following error message:

vCert: 2023/07/11 21:25:19 Unexpected status code on TPP Certificate Request. Status: 400 Bad Request, check Error in response for details.. Body: {"Error":"Organizational Unit value violates policy and cannot be used.\u000d\u000a\u000d\u000a"}

When I run the getpolicy command I get the following:

"subject": {
  "orgs": [ "Williams-Sonoma, Inc." ],
  "orgUnits": [ "Technology"

I have tried using "Technology", Technology, and " Williams-Sonoma, Inc./Technology" all with the same result. Can someone tell me what I am missing please?

luispresuelVenafi commented 1 year ago

Hi there @dpierce4776

With the latest VCert CLI version (so far v4.24.0) I created a locked policy on our end which locks the OU to "Technology": [screenshot]

then I created test.csr:

$ openssl req -new -newkey rsa:2048 -nodes -out test.csr -keyout test.key
Generating a RSA private key
............................+++++
............................................+++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<Redacted>
State or Province Name (full name) [Some-State]:<Redacted>
Locality Name (eg, city) []:<Redacted>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<Redacted>
Organizational Unit Name (eg, section) []:Technology
Common Name (e.g. server FQDN or YOUR name) []:test.venafi.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

And then:

vcert enroll -u -t -z "\path\to\locked-policy" --nickname external.test.venafi.com --csr file:test.csr
vCert: 2023/07/12 10:35:11 Successfully connected to Trust Protection Platform
vCert: 2023/07/12 10:35:11 Successfully read zone configuration for locked-policy
vCert: 2023/07/12 10:35:11 Successfully created request for file:test.csr
vCert: 2023/07/12 10:35:13 Successfully posted request for file:test.csr, will pick up by \path\to\locked-policy\external.test.venafi.com
vCert: 2023/07/12 10:35:15 Successfully retrieved request for \path\to\locked-policy\external.test.venafi.com
-----BEGIN CERTIFICATE-----
MIIHojCCBYqgAwIBAgITbQC2e/Vboe8QnnnxZwAAALZ79TANBgkqhkiG9w0BAQsF
ADBbMRMwEQYKCZImiZPyLGQBGRYDY29tMRYwFAYKCZImiZPyLGQBGRYGdmVuYWZp
MRUwEwYKCZImiZPyLGQBGRYFdmVucWExFTATBgNVBAMTDFFBIFZlbmFmaSBDQTAe
...
ybbF6m40gCG62zQaiPUEcXJvo/t0CPUQ4Z76Lj8BF8CINDHXEP5ECfSimcdXgXfF
jKxxcqjSiADyECNRBosPgqyjjMwA0DDKhBxp4HxhofzXqQUSLjJuTiaJZBxVzKSJ
3WfHuT/cI/Drfb6/SLSC4+ZHXtCYeGEskysY+zeOgYcyEFHht5k=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFpjCCA46gAwIBAgIQPY6aY41C6JxH4BxIUMuftTANBgkqhkiG9w0BAQsFADBb
MRMwEQYKCZImiZPyLGQBGRYDY29tMRYwFAYKCZImiZPyLGQBGRYGdmVuYWZpMRUw
EwYKCZImiZPyLGQBGRYFdmVucWExFTATBgNVBAMTDFFBIFZlbmFmaSBDQTAeFw0x
...
9FyPr0ubOaCXBXJzRjVQjHV0YOGwFeLvQAohFIAdMlCVRVx+rIzupEskGgAMnKtG
QXe+VMF9FXaRqDI/cCNsBnR++USinZvwGY6SecfDtHA7x65yJol7Y8YtURNfyDfg
yVzOWlPcu2gJaw==
-----END CERTIFICATE-----
PickupID="\path\to\locked-policy\external.test.venafi.com"

And I was able to issue the certificate with no problem. Are you using our latest version of VCert? How is your policy set up? Could you ask your PKI admin? Which version of TPP are you using?
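The rejection in this thread is a mismatch between the subject of the externally generated CSR and the OU value the zone policy locks. A useful pre-flight check, before handing the CSR to `vcert enroll`, is to parse it and compare its O and OU values with the `orgs` and `orgUnits` lists returned by `vcert getpolicy`. The Go program below is an added example and not vcert's own code: the `ZonePolicy` struct, the `makeCSR` helper (which builds a throw-away CSR with a P-256 key so the check runs offline) and the CN `test.example.com` are all constructed for the example, and the comparison is exact string equality, which is the strictest reading; whether TPP normalises case or whitespace is not established in this thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// ZonePolicy holds the subset of `vcert getpolicy` output relevant here:
// the allowed Organization and Organizational Unit values.
// Constructed for this example; it is not a vcert type.
type ZonePolicy struct {
	Orgs     []string
	OrgUnits []string
}

// makeCSR builds a PEM-encoded CSR with the given O and OU values so the
// check can be exercised without a CA. A throw-away P-256 key is used; in
// practice the CSR comes from openssl or other tooling, as in the thread.
func makeCSR(cn string, orgs, ous []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: cn, Organization: orgs, OrganizationalUnit: ous},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckCSRAgainstPolicy parses a PEM CSR, verifies its self-signature, and
// returns every O/OU value present in the subject that is not in the policy's
// allowed list. An empty result means the subject is compatible with the
// policy. Matching is exact: "Technology" passes, "technology" and
// "Technology " (trailing space) do not.
func CheckCSRAgainstPolicy(csrPEM []byte, pol ZonePolicy) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	var violations []string
	for _, o := range csr.Subject.Organization {
		if !contains(pol.Orgs, o) {
			violations = append(violations, "O="+o)
		}
	}
	for _, ou := range csr.Subject.OrganizationalUnit {
		if !contains(pol.OrgUnits, ou) {
			violations = append(violations, "OU="+ou)
		}
	}
	return violations, nil
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

func main() {
	// Policy values as reported by getpolicy earlier in the thread.
	pol := ZonePolicy{Orgs: []string{"Williams-Sonoma, Inc."}, OrgUnits: []string{"Technology"}}
	// The exact locked value plus three near-misses a CSR author might type.
	for _, ou := range []string{"Technology", "technology", "Technology ", "Williams-Sonoma, Inc./Technology"} {
		csrPEM, err := makeCSR("test.example.com", pol.Orgs, []string{ou})
		if err != nil {
			panic(err)
		}
		v, err := CheckCSRAgainstPolicy(csrPEM, pol)
		if err != nil {
			panic(err)
		}
		fmt.Printf("OU=%q -> violations: %v\n", ou, v)
	}
}
```

Run it against a real CSR by replacing `makeCSR` with `os.ReadFile` on the `.csr` path; a non-empty violation list tells you which subject value to change before TPP returns the 400 shown above.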

luispresuelVenafi commented 11 months ago

We continued this troubleshooting by email, where the user provided the CSR and we tested it on our end. Gave the user some hints on the probable cause of their issue. The user never responded back, so we can assume this issue was solved on their end. Will close this issue accordingly.