How to create an exportable "Web Server Template Certificate"

I require a Web Server (template) certificate for my Cisco 2106 WLAN controller however the controller cannot directly request a certificate from the authority server and I cannot create a Web Server certificate "marked with exportable".

I run a patched Windows Server 2003 Enterprise and have clients successfully 802.1x authenticating using WLAN controller (authenticator) and IAS/CA (authentication server).

Is there a way to make Web Server certs exportable? If not is there a way around my problem.  I'm trying to upload a cert onto the Cisco WLAN controller to terminate dot1x requests local on the box using "LOCAL EAP".

Thanks in advance
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ParanormasticCryptographic EngineerCommented:
Yes, web server certs can be exportable.  Duplicate it and make a new version 3 template and you can change a number of options.  On the Request Handling tab, you can checkmark 'Allow private key to be exported'.
When exporting, you will need to make sure to 1) include the private key and 2) mark as exportable whenever you import/export the cert if it asks you to.

It would be easiest to request from your workstation and export it that way and then open it up in notepad and copy the text over to the cisco device.

Another solution you might want to look into is SCEP which can be an extra extension to 2003 CA or part of 2008 CA normally.  For 2003:

SCEP is designed to handle devices like routers and such that do not have the ability to recognize templates and all that, and enable them to make a simple cert request.
davidduffy77Author Commented:
Wikid advice.. thanks mate

I cant make a version 3 template as I am not running Windows Server 2008 CA (at this moment), is there a work around?

I obtained more information about version1-3 certificates here

My next concern lies in the controller, will it handle the new version certificates? I'm thinking Yes, but it is Cisco after all and I would like to test it.
ParanormasticCryptographic EngineerCommented:
Sorry, typo on the version 3... version 2 templates for 2003, which will create a version 3 certificate.  This has been around for awhile now - pretty much everything should support it, if for some reason it doesn't check for an update.  Your AD environment should be at least 2003 native mode by now, I hope, in order to properly support the 2003 CA - if not, you might want to look into that if possible.

The old version 1 win2k template does not allow for the private key to be exported, so you would want to duplicate that in order to make the change.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
davidduffy77Author Commented:
Successfully duplicated the Web Server template to a "Minimum Supported CAs = Server 2k3, Enterprise Ed" version 100.3 and imported the new template into the Certificate Template folder.  

Web server certificate successfully installed and exported (with private key)!

Thanks Paranormastic!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.