Request certificate for Windows with specific OID supported

[lamdaiphong]

Hello all,
I have a question that hope you could clarify on this. If we are using Windows environment with Windows Certificate Authority then they provided certificate template with specific OID, for example Remote Desktop (RDP) with OID 1.3.6.1.4.1.311.54.1.2. Is step supports to request a certificate with similar way of selected OID. Because I want to request a certificate for Windows server use to configure secure remote desktop.
Thanks all.

[tashian]

Yes, please see the Arbitrary X.509 Extensions section of our docs for details on how to add this to a Smallstep X.509 template.

Also, for RDP in particular, you may not need this OID. If the Windows server certificate has "server authentication" enabled (which, by default, step-ca certificates do), it may just work out of the box.

[lamdaiphong]

That definitely helps me out and appreciated. Also is there a way allows step to check whether the certificate needs renewal or not. On Linux I can use "step certificate inspect" or "step certificate needs-renewal" <cert_file>, but on Windows it is stored in the certificate store for example Personal that I am not sure where the cert_file located on the drive hence unable to inspect or renew the certificate.

[tashian]

I think you'd have to somehow export it from the certificate store if you want to check it using step certificate needs-renewal.

[maraino]

We have some support for getting certificates stored in the Window's certificate store using the step-kms-plugin. I haven't tried it on windows, so I don't know exactly how it works. But if you install the plugin from here https://github.com/smallstep/step-kms-plugin, you should be able to get the certificate with something similar to one of these options:

step kms certificate "capi:sha1=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
step kms certificate "capi:store-location=user;store=My;key-id=3086545434A12215DB6ABE39C63B101BE667CE62"
step kms certificate "capi:store-location=machine;store=Foo;issuer=WindowsCA;serial=3e835e815e1d330ad85d85df3c722e82"

You need the location of the cert, using these parameters:

• store-location: user or machine, defaults to user if not specified
• store: the store name, defaults to My if not specified

And a way to identify the cert, of of this options is required:

• sha1: The sha1 of the certificate, e.g. f1d2d2f924e986ac86fdf7b36c94bcdf32beec15.
• key-id: The key id of the certificate, the X509v3 Subject Key Identifier. e.g. 3086545434A12215DB6ABE39C63B101BE667CE62
• issuer + serial: where issuer is the issuer's common name, and serial is the certificate serial number in decimal or hexadecimal format.

[lamdaiphong]

thanks Tashian and Maraino.