Creating a computer SAN certificate using Windows Server 2008

Hi Everyone,

I am trying to set up a Windows Server 2008 TS Gateway server. This requires that I obtain an SSL certificate for the TS Gateway server which has a Subject Alternative Name of the external DNS name which RDP clients will be using to connect.

Currently we have a Certificate Services Enterprise Root CA installed on a Windows Server 2008 Enterprise server. This server is used for our internal PKI infrastructure.

When I connect to the certificate server web enroll page http://%mycertserver%/certsrv and request a new advanced certificate, the templates drop down menu does not give me the 'computer' option. I have tried duplicating the computer template in the Certificate Templates MMC and issuing this template to the Enterprise CA. Still no show on the web site.

I have also tried opening an mmc console on the TS Gateway server and adding in the certificates snap-in for local computer. I then right click on Personal > All Tasks > Advanced Operations > Create Custom Request, then run through the wizard, finally outputting a CSR file. See below.

I then try an advanced request via the certificate server website and I am still required to select a template..... still no computer option.

Can anybody please explain how computer SAN certificates work on Windows Server 2008 and the steps involved?

Thanks...
amerretz Asked:

Paranormastic (Cryptographic Engineer) Commented:
Did you copy your CSR exactly?  Your CSR is corrupt...  You can check with:
certutil -dump filename.csr
If you see a bunch of hex on the left like this, it's corrupt.  Might try making another one.

SAN has nothing to do with templates; it enables one cert to be valid for multiple names.  You need to enable SAN on your issuing CA first:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

In the Attribute field on the certsrv page after you select the template you would put in:
san:dns=subject.domain.com&dns=alias1.domain.com&IP=192.168.0.1&dns=alias2.domain.com&dns=hostname

When entering the SAN make sure to enter the value of the Subject as a SAN value as well.  (i.e. if you created the CSR for tsgw.domain.com.au you need to have tsgw.domain.com.au in the SAN as well if you use another DNS name in the SAN field).

In the Certificate Templates MMC, in the template's properties check the Security tab and make sure the user account you are visiting the certsrv page with has both Read and Enroll permissions at minimum.  Make sure there aren't any denies.  Otherwise, you might need to allow the ActiveX control to load in your browser (internet options - programs tab - manage add-ons button - CEnroll Class should be enabled) - usually works best if you use IE instead of FF, etc. for this process.

I think that'll probably get you going, if not we'll go from here.
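As an added example (not code from the thread), a small Python helper that builds the certsrv Attributes string in the format quoted above and checks a hand-typed one, flagging the caveat the comment stresses: the Subject's CN must also be among the SAN DNS entries. The hostnames and IP address used are constructed sample values.

```python
"""Helpers for the certsrv 'Attributes' SAN string (san:dns=...&dns=...&IP=...).
Added example, not code from the thread. It enforces the caveat given above:
the Subject CN must also appear in the SAN list. Sample names are constructed."""
import ipaddress
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_dns_name(name: str) -> bool:
    """Accept a FQDN or bare label (RFC 1123 labels); reject empty labels and wildcards."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def build_san_attribute(subject_cn: str, dns_names=(), ip_addresses=()) -> str:
    """Return the attribute string with the subject CN first and duplicates removed."""
    entries, seen = [], set()
    for name in (subject_cn, *dns_names):
        if not is_valid_dns_name(name):
            raise ValueError(f"invalid DNS name: {name!r}")
        if name.lower() not in seen:
            seen.add(name.lower())
            entries.append(f"dns={name}")
    for ip in ip_addresses:
        entries.append(f"IP={ipaddress.ip_address(ip)}")  # ValueError if malformed
    return "san:" + "&".join(entries)


def check_san_attribute(attribute: str, subject_cn: str) -> list:
    """Return problems found in a hand-typed attribute string; an empty list means OK."""
    if not attribute.lower().startswith("san:"):
        return ["attribute must start with 'san:'"]
    problems, dns_found = [], set()
    for pair in attribute[4:].split("&"):
        kind, _, value = pair.partition("=")
        if kind.lower() == "dns":
            if is_valid_dns_name(value):
                dns_found.add(value.lower())
            else:
                problems.append(f"bad DNS value {value!r}")
        elif kind.lower() == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"bad IP value {value!r}")
        else:
            problems.append(f"unknown SAN type {kind!r}")
    if subject_cn.lower() not in dns_found:
        problems.append(f"subject CN {subject_cn!r} missing from SAN")
    return problems
```

Run `check_san_attribute` on the string before pasting it into the Attributes box; an empty list means the CN is covered and every entry parses.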
amerretz (Author) Commented:
Hi Paranormastic,

This question actually relates to the last one you solved for me.

Now that I have installed an Ent Root CA (domain joined) on Windows Server 2008 Ent, I am able to create and issue certificate templates to the CA. The 2008 Cert Website by default does not give you computer certificate template options, and if you request a certificate from the personal mmc section the default computer certificate does not allow custom SAN names. I have tried this and it continually uses the real computer name that I am requesting from. You are also unable to edit the default computer template because it is a version 1 template.

The way I have worked it out is that you duplicate the default computer certificate template in the Certificate Templates mmc and within the 'Subject Name' tab select 'Supply in Request'. Once finished, go to Certificate Templates within the CA, right click > New > Certificate Template to Issue. I've noticed that you may have to wait for it to appear in the following list.

Now if you go back to the computer certificates mmc, right click Personal > All Tasks > Request New Certificate. You now should see that the newly duplicated computer template is available. (Note: For some reason it may take some time for it to even show up ?????). The certificate template should have a warning symbol on it stating more information is needed. Drop down the little details arrows, click Properties, subject name 'type' should be changed to 'Common name', add in the value of your external domain A record. E.g. tsgw.mydomain.com ........... Now below that under Alternative name select type 'DNS' and as the value add in the external DNS A record name again. E.g. tsgw.mydomain.com.

Hey presto! You should now have a certificate with whatever name you specified.

Does this really need to be this complicated??????? Hope this description helps out someone else one day.

I need a beer.........

Paranormastic (Cryptographic Engineer) Commented:
Yes, you need to duplicate a v1 template to make it v2 so you can modify most useful attributes.  This is common - v1 is now more of a template for a template, so to speak.

Changes to templates (additions, deletions, modifications) need to be replicated in AD before they are available - a 'brief' wait (up to 15 minutes typically) is normal.

Just because you enable extra attributes does not mean 9/10 times that they are actually required.  SAN is never required, just available after you enable the registry key for it on the issuing CA.

When you do SANs make sure you remember to add the value that is the primary "Subject" name into the SAN list as well with the rest, otherwise most applications won't take the originally issued name.  Don't look at me - I didn't make it that way!  Just a caveat of the technology I guess...

Everything in PKI is complicated :)  Your process is exactly what needs to be done - thanks for a nice concise writeup.

Seconded on the beer...