Tags: c#, .net, windows-server-2008, x509certificate2

What's wrong with my CSR inf generation? Giving a Keyspec error


I'm writing a C# program that will create inf files and then run certreq -new to generate the CSR and output the contents. On older machines (Windows Server 2008, for instance) I'm getting a generic error:

"[NewRequest] KeyAlgorithm = "ECDSA_P256" <=> KeySpec?

Editing the CSR file manually and removing the KeySpec altogether seems to make the CSR go through, but every guide I see seems to mention the KeySpec, so I'm confused whether I'm doing something wrong or what.

// Lines of the [NewRequest] section written to the INF file; subjectLine, keyAlgorithm and keysize are set elsewhere in the program.
string[] csrPairs = { "[NewRequest]", subjectLine, "Exportable = true", "ExportableEncrypted = true", "HashAlgorithm = sha256",
    "KeyAlgorithm = " + keyAlgorithm, "KeyLength = " + keysize, "KeySpec = 1", "MachineKeySet = true",
    "ProviderName = \"Microsoft Software Key Storage Provider\"", "RequestType = PKCS10", "SMIME = false", "UseExistingKeySet = false" };

Here's the code I'm using to generate the CSR; it seems to work on Windows 10, but not on Windows Server 2008.

Any help would be greatly appreciated. Is there something about Windows Server 2008 I'm not thinking of? Or something my new computer would have set for .NET that the other doesn't? (Target version 3.5)

Side note: any help understanding KeySpec would be great, too. It seems "1" means it can sign and encrypt, and "2" can only sign. I'm not sure of the default or what 0 does, or if I'm supposed to do anything else here.


Solution

  • Hmm, I think I figured some things out.

    CNG (Cryptography API: Next Generation) providers don't use KeySpec; it's just set to 0. It seems this setting might mess with some things though, such as creating Code Signing CSRs.

    Regular CSP/legacy providers seem to be able to determine the key you want in some cases, so setting the KeySpec but not the key algorithm works fine, at least from my testing.
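As an added example (not the asker's code), here is one way to build the [NewRequest] section so that KeySpec is only written for legacy CSPs and never for a CNG key storage provider, which is the combination the question reports certreq rejecting on Windows Server 2008 for ECDSA_P256. The provider-name test (names ending in "Key Storage Provider" are CNG) and the Subject line format are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Builds the [NewRequest] lines of a certreq INF file. KeySpec is emitted only for
// legacy CSPs: CNG key storage providers ignore it (it is effectively 0 there).
static class CsrInf
{
    // Assumption: a provider whose name ends with "Key Storage Provider" is a CNG KSP.
    public static bool IsCngProvider(string providerName)
    {
        return providerName.EndsWith("Key Storage Provider", StringComparison.OrdinalIgnoreCase);
    }

    // keySpec: 1 = AT_KEYEXCHANGE (sign and encrypt), 2 = AT_SIGNATURE (sign only).
    public static string[] BuildNewRequest(string subject, string keyAlgorithm, int keyLength,
                                           string providerName, int keySpec)
    {
        bool cng = IsCngProvider(providerName);
        // ECDSA keys are only offered by CNG providers; a legacy CSP cannot create them.
        if (keyAlgorithm.StartsWith("ECDSA", StringComparison.OrdinalIgnoreCase) && !cng)
            throw new ArgumentException("ECDSA keys require a CNG key storage provider.");

        var lines = new List<string>
        {
            "[NewRequest]",
            "Subject = \"" + subject + "\"",   // assumed subject line format
            "Exportable = true",
            "HashAlgorithm = sha256",
            "KeyAlgorithm = " + keyAlgorithm,
            "KeyLength = " + keyLength,
            "MachineKeySet = true",
            "ProviderName = \"" + providerName + "\"",
            "RequestType = PKCS10",
            "SMIME = false",
            "UseExistingKeySet = false"
        };
        if (!cng)
            lines.Insert(6, "KeySpec = " + keySpec); // legacy CSPs honour KeySpec; KSPs do not
        return lines.ToArray();
    }

    static void Main()
    {
        string[] inf = BuildNewRequest("CN=example.test", "ECDSA_P256", 256,
                                       "Microsoft Software Key Storage Provider", 1);
        File.WriteAllLines("request.inf", inf); // then run: certreq -new request.inf request.csr
        Console.WriteLine(string.Join(Environment.NewLine, inf));
    }
}
```

With the CNG provider above the output contains no KeySpec line; passing "Microsoft Enhanced RSA and AES Cryptographic Provider" with an RSA key algorithm would add "KeySpec = 1" after KeyLength.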