Category archive: Certificate Authority

Certificate Authority – Certificate with Subject Alternative Name – Web Server Template STATUS Unavailable

If you are using a local Certificate Authority, more often than not there is a need to enrol a certificate with a Subject Alternative Name. But when we open the Certificates MMC snap-in, the only template we can use to request a certificate is Computer.


The workaround for this problem is quite simple: we just need to give the server's computer account the right to enrol a certificate using the Web Server template.

Assign the Web Server template to the computer account

1. Log on to the Certificate Authority server and open the Certificate Authority management console.

2. Click on Certificate Templates and from the Action menu select Manage.


3. Next, find Web Server and from the context menu select Properties.


4. In the Security tab add the computer account (remember to select the object type Computers) and assign the Read and Enroll rights. Grant them to the specific computer that needs the certificate rather than to a broad group: the Web Server template lets the requester supply the subject name, so every account holding Enroll on it can obtain a certificate for any host name.


Now the assigned computer has the right to enrol a certificate using the Web Server template.

Generate a certificate for the computer using the Web Server template with a Subject Alternative Name

1. Now let's get back to the computer that needs the certificate with a Subject Alternative Name and open the Certificates MMC snap-in for the computer account.


2. Request a new personal certificate.


3. Now we will be able to select the Web Server template and configure its properties.


4. The bare minimum we need to fill in is:

    Common name (CN=) – the computer's default name

    DNS (DNS Name=) – all the Subject Alternative Names you need.


And the last thing is to assign the certificate to the IIS bindings and restart IIS.
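The same request, check and binding as one script, added here as an example and not part of the original post. It assumes the PKI and WebAdministration modules are available, that the computer account already has Read and Enroll on the Web Server template (previous section), that the IIS site is called "Default Web Site", and that the extra host names are placeholders for your own.

```powershell
# Added example (not the original post's code): request a Web Server template
# certificate with Subject Alternative Names from the Enterprise CA, confirm the
# issued certificate carries every requested name, then bind it to IIS.
Import-Module PKI
Import-Module WebAdministration

$HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
# Placeholder SAN entries; replace with the names your site answers to.
$SanNames = @($HostFqdn, 'intranet.example.local', 'www.example.local')

# -Template takes the template's name ("WebServer"), not its display name.
$req = Get-Certificate -Template 'WebServer' `
                       -SubjectName "CN=$HostFqdn" `
                       -DnsName $SanNames `
                       -CertStoreLocation 'Cert:\LocalMachine\My'

if ($req.Status -ne 'Issued') {
    # 'Pending' means the CA requires manager approval; an access-denied
    # error before this point usually means the Enroll right is missing.
    throw "Enrollment did not complete, status: $($req.Status)"
}
$cert = $req.Certificate

# Verify the SAN extension (OID 2.5.29.17) before the certificate goes live.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$missing = $SanNames | Where-Object { $sanText -notmatch [regex]::Escape($_) }
if ($missing) {
    throw "Issued certificate lacks SAN entries: $($missing -join ', ')"
}

# Bind the certificate to the site's HTTPS binding (site name is an assumption).
$site = 'Default Web Site'
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -IPAddress '*' -Port 443 -Protocol https
}
(Get-WebBinding -Name $site -Protocol https).AddSslCertificate($cert.Thumbprint, 'my')

# Restart IIS so the new binding is picked up.
Restart-Service W3SVC
Write-Host "Bound $($cert.Thumbprint) with SANs: $sanText"
```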

Cheers,

Maciej Jędryszek

Microsoft Windows Server – Certificate Authority – Install, Locate and Migrate

A properly configured and maintained Certificate Authority will help you a great deal with certificate management in your Active Directory environment. It can on many occasions save money on public certificates and provide security within AD.

!! If you are migrating a CA between servers, start with point 2 and then go back to point 1 🙂

1. Install Certificate Authority (CA)

1.1 Active Directory Certificate Authority is the first role on the list (impossible to miss). Just open Server Manager and add the role.

1.2 From my personal experience it is always good to install the Certificate Authority Web Enrollment feature. Of course you can use certutil and the Certificate Authority MMC, but sometimes it is easier and faster to use Web Enrollment to generate a certificate using the template you select. This feature requires IIS.

1.3 Go back to Server Manager and, from the notification flag, enter the post-deployment configuration.

1.4 Proceed with the configuration wizard.

1.4.1 Provide the CA role services account.

1.4.2 Select Certificate Authority to configure, and also Certificate Authority Web Enrollment if you installed it.

1.4.3 Specify the CA type. In this example, since we are providing it within AD, we select Enterprise CA.

1.4.4 Specify the CA level; in this scenario, Root CA.

1.4.5 This step is very important and depends on whether you are migrating a Certificate Authority or performing a fresh installation.

If this is a new CA, just select Create a new private key.

If you are migrating a CA and plan to restore a previously created backup, select Use existing private key, then Select a certificate and use its associated private key (the option for reusing a previously issued certificate when reinstalling a CA), and go to point 1.4.7.

New CA

1.4.6 Provide the cryptography options and the certificate name (usually Hostname-CA), the validity period and the database folder path, then skip to point 1.4.9.

Restore CA

1.4.7 Import the certificate backup and provide its password.

1.4.8 Select the imported certificate and finish the configuration wizard.

1.4.9 Now your CA should be available. Check it by opening the Certificate Authority MMC, and also see whether Certificate Web Enrollment is accessible at http://<server_fqdn>/certsrv (http://localhost/certsrv/).

2. Backup Certificate Authority for Migration

2.1 Open the Certificate Authority MMC

2.2 From the context menu select All Tasks -> Back up CA


2.3 Select Private key and CA certificate as well as Certificate database and certificate database log

2.4 Provide a password to protect the backup.

2.5 Export the CA configuration: open regedit and export the whole configuration key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

2.6 Uninstall the Active Directory Certificate Authority role from the server.

3. Locate the Certificate Authority server

Open an elevated command prompt and type (don't miss the second, standalone minus sign after -config):

certutil -config – -ping

You will get a popup listing the CAs in the domain and their corresponding host names.

Cheers

Maciek Jędryszek