I have a 3 domain Active Directory forest that I'm using as a test lab (forest root and two child domains), where all domain controllers are Windows 2008 x64 Enterprise. I have put Certificate Services on the forest root DC along with web enrollment pages and I'm trying to enroll for a machine certificate for an ISA 2006 server running on Windows 2003 x86 via web enrolment, but I can not see the option for storing the certificate in the local computer store. If I accept the default options, the certificate goes into the local user store, and the option to export the private key isn't available. This is evident in the web enrolment pages, where the 'mark private key as exportable' option is greyed out for the default Web Server certificate.
This link from Brian Komar seems to indicate that the option is no longer available, but doesn't explain why or what the alternative is:
I've seen various alternative suggestions such as requesting one via an IIS interface, but in IIS I can not see the option to enroll for a SAN certificate, because I need multiple names for ISA listeners, so a single name cert is no good to me.
I have seen articles concerning issues between Vista, and Windows 2003 CAs, but this is nothing to do with that, as this is a 2008 CA not a 2003.
I have tried to enroll a certificate direct from the CA itself (i.e. a 2008 box), but the option to store the cert in the machine store isn't available even from there.
I've uninstalled the whole certificate authority hierarchy and reinstalled, in the hope that this might work, but the results are the same.
To be honest, I don't care if this will never work again in web enrolment, just so long as there's some tool I can use to enroll a SAN certificate from a 2008 server for a cert I can use on a 2003 server.