Creating a computer SAN certificate using Windows Server 2008

amerretz used Ask the Experts™
Hi Everyone,

I am trying to set up a Windows Server 2008 TS Gateway server. This requires that I obtain an SSL certificate for the TS Gateway server which has a Subject Alternative Name of the external DNS name which RDP clients will be using to connect.

Currently we have a Certificate Services Enterprise Root CA installed on a Windows Server 2008 Enterprise server. This server is used for our internal PKI infrastructure.

When I connect to the certificate server web enrollment page http://%mycertserver%/certsrv and request a new advanced certificate, the templates drop-down menu does not give me the 'Computer' option. I have tried duplicating the Computer template in the Certificate Templates MMC and issuing this template to the Enterprise CA. Still no sign of it on the website.

I have also tried opening an MMC console on the TS Gateway server and adding the Certificates snap-in for the local computer. I then right-click on Personal > All Tasks > Advanced Operations > Create Custom Request, then run through the wizard, finally outputting a CSR file. See below.


I then try an advanced request via the certificate server website and I am still required to select a template..... still no Computer option.

Can anybody please explain how computer SAN certificates work on Windows Server 2008 and the steps involved?

Paranormastic, Cryptographic Engineer
Did you copy your CSR exactly? Your CSR is corrupt... You can check with:
certutil -dump filename.csr
If you see a bunch of hex on the left like this, it's corrupt. Might try making another one.

SAN has nothing to do with templates; it enables one cert to be valid for multiple names. You need to enable SAN on your issuing CA first:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

In the Attribute field on the certsrv page after you select the template you would put in:

When entering the SAN, make sure to enter the value of the Subject as a SAN value as well (i.e. the name you created the CSR for needs to be in the SAN as well if you use another DNS name in the SAN field).

In the Certificate Templates MMC, in the template's properties, check the Security tab and make sure the user account you are visiting the certsrv page with has both Read and Enroll permissions at minimum. Make sure there aren't any denies. Otherwise, you might need to allow the ActiveX control to load in your browser (Internet Options - Programs tab - Manage Add-ons button - CEnroll Class should be enabled); it usually works best if you use IE instead of FF, etc. for this process.

I think that'll probably get you going, if not we'll go from here.
Hi Paranormastic,

This question actually relates to the last one you solved for me.

Now that I have installed an Ent Root CA (domain joined) on Windows Server 2008 Ent, I am able to create and issue certificate templates to the CA. The 2008 Cert Website by default does not give you computer certificate template options, and if you request a certificate from the Personal MMC section the default Computer certificate does not allow custom SAN names. I have tried this and it continually uses the real computer name that I am requesting from. You are also unable to edit the default Computer template because it is a version 1 template.

The way I have worked it out is that you duplicate the default Computer certificate template in the Certificate Templates MMC and within the 'Subject Name' tab select 'Supply in request'. Once finished, go to Certificate Templates within the CA, right-click > New > Certificate Template to Issue. I've noticed that you may have to wait for it to appear in the following list.

Now if you go back to the computer Certificates MMC, right-click Personal > All Tasks > Request New Certificate. You should now see that the newly duplicated computer template is available. (Note: for some reason it may take some time for it to even show up ?????) The certificate template should have a warning symbol on it stating more information is needed. Drop down the little details arrows, click Properties; the Subject Name 'Type' should be changed to 'Common name', and add in the value of your external domain A record. E.g.      ........... Now below that, under Alternative Name, select type 'DNS' and for the value add in the external DNS A record name again. E.g.    

Hey presto! You should now have a certificate with whatever name you specified.

Does this really need to be this complicated??????? Hope this description helps out some else one day.

I need a beer.........
Paranormastic, Cryptographic Engineer

Yes, you need to duplicate a v1 template to make it v2 so you can modify most useful attributes.  This is common - v1 is now more of a template for a template, so to speak.

Changes to templates (additions, deletions, modifications) need to be replicated in AD before they are available; a 'brief' wait (up to 15 minutes typically) is normal.

Just because you enable extra attributes does not mean 9/10 times that they are actually required.  SAN is never required, just available after you enable the registry key for it on the issuing CA.

When you do SANs, make sure you remember to add the value that is the primary "Subject" name into the SAN list as well with the rest; otherwise most applications won't accept the originally issued name. Don't look at me, I didn't make it that way! Just a caveat of the technology I guess...

Everything in PKI is complicated :)  Your process is exactly what needs to be done - thanks for a nice concise writeup.

Seconded on the beer...
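The procedure the thread arrives at (a duplicated v2 template with Subject Name set to "Supply in request", the Subject CN repeated in the SAN list, then an enrollment from the computer store) can be scripted with certreq instead of clicked through the MMC. The following is an added example, not code from either participant or from Microsoft's documentation. The hostnames gateway.example.com (the external name RDP clients use) and tsgw01.corp.internal (the gateway's own FQDN), the CA "CA01.corp.internal\Corp Issuing CA" and the template name WebServerSAN are all assumed placeholders.

```powershell
# Added example: request a machine SSL certificate with two SAN entries from an
# Enterprise CA via certreq. Run as an administrator on the TS Gateway server.
# Assumed: a duplicated v2 template "WebServerSAN" (Subject Name = Supply in request,
# Server Authentication EKU) already issued by CA01.corp.internal\Corp Issuing CA.

# Single-quoted here-string so "$Windows NT$" and the INF '&' separators are kept literally.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=gateway.example.com"   ; the external name, matches what clients type
KeyLength = 2048
KeySpec = 1                          ; AT_KEYEXCHANGE, required for SSL/TLS
KeyUsage = 0xA0                      ; Digital Signature + Key Encipherment
Exportable = FALSE                   ; keep the private key non-exportable
MachineKeySet = TRUE                 ; key goes to the LocalMachine store, not the user's
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1              ; Server Authentication

[Extensions]
; 2.5.29.17 is subjectAltName. The Subject CN is repeated as the first entry on
; purpose: clients that ignore the CN once any SAN is present would otherwise
; reject the external name (the point made twice in the answers above).
2.5.29.17 = "{text}"
_continue_ = "dns=gateway.example.com&"
_continue_ = "dns=tsgw01.corp.internal"

[RequestAttributes]
CertificateTemplate = "WebServerSAN"
'@

Set-Content -Path .\tsgw.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and the PKCS#10 request.
certreq -new .\tsgw.inf .\tsgw.req

# 2. Sanity check before submitting: a good request decodes into readable fields.
#    A wall of hex on the left (as described in the first answer) means the file was
#    corrupted, usually by copy/paste; regenerate it rather than submitting it.
certutil -dump .\tsgw.req

# 3. Submit to the Enterprise CA. With the template set to "Supply in request" the
#    SAN comes from the CSR itself, so no EditFlags change is needed on the CA.
certreq -submit -config 'CA01.corp.internal\Corp Issuing CA' .\tsgw.req .\tsgw.cer

# 4. Bind the issued certificate to its private key in LocalMachine\My.
certreq -accept .\tsgw.cer

# 5. Confirm it landed and carries both names (look for the Subject Alternative Name extension).
certutil -store My gateway.example.com

# --- Alternative from the first answer: SAN supplied as a request attribute ---
# This route needs EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA and a CA service restart:
#   certutil -setreg 'policy\EditFlags' '+EDITF_ATTRIBUTESUBJECTALTNAME2'
#   Restart-Service certsvc
#   certreq -submit -config 'CA01.corp.internal\Corp Issuing CA' `
#       -attrib 'SAN:dns=gateway.example.com&dns=tsgw01.corp.internal' .\tsgw.req .\tsgw.cer
# The same attribute string is what goes into the "Attributes" box on the certsrv web page.
```

A caveat worth weighing before choosing between the two routes: once EDITF_ATTRIBUTESUBJECTALTNAME2 is set on an Enterprise CA, the SAN is taken from the request attribute for every template the CA issues, so any principal with Enroll on any template can ask for a certificate carrying someone else's name (a domain controller's FQDN, or a privileged account's UPN where the template allows client authentication) and the CA will sign it. The "Supply in request" template approach keeps that power confined to one template, whose Enroll permission should be limited to the gateway's computer account or the admins who request on its behalf, optionally with "CA certificate manager approval" turned on so each request is reviewed before issuance.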
