Certificate Services on Windows 2008

I have a 3 domain Active Directory forest that I'm using as a test lab (forest root and two child domains), where all domain controllers are Windows 2008 x64 Enterprise. I have put Certificate Services on the forest root DC along with web enrolment pages and I'm trying to enroll for a machine certificate for an ISA 2006 server running on Windows 2003 x86 via web enrolment, but I cannot see the option for storing the certificate in the local computer store. If I accept the default options, the certificate goes into the local user store, and the option to export the private key isn't available. This is evident in the web enrolment pages, where the 'mark private key as exportable' option is greyed out for the default Web Server certificate.

This link from Brian Komar seems to indicate that the option is no longer available, but doesn't explain why or what the alternative is:

http://www.eggheadcafe.com/software/aspnet/33412714/store-certificate-in-the.aspx

I've seen various alternative suggestions such as requesting one via an IIS interface, but in IIS I cannot see the option to enroll for a SAN certificate, because I need multiple names for ISA listeners, so a single name cert is no good to me.

I have seen articles concerning issues between Vista, and Windows 2003 CAs, but this is nothing to do with that, as this is a 2008 CA not a 2003.

I have tried to enroll a certificate direct from the CA itself (i.e. a 2008 box), but the option to store the cert in the machine store isn't available even from there.

I've uninstalled the whole certificate authority hierarchy and reinstalled, in the hope that this might work, but the results are the same.

To be honest, I don't care if this will never work again in web enrolment, just so long as there's some tool I can use to enroll a SAN certificate from a 2008 server for a cert I can use on a 2003 server.
tbennett35 asked:
tbennett35 (Author) commented:
Just to add, I've also tried/removed/reinstalled this on various 2008 servers in the forest (all DCs, not members), with the same result. I've also patched the 2008 server fully with all of the latest that MS has to offer via Windows Updates (no luck with either).
0
Paranormastic (Cryptographic Engineer) commented:
A couple of things here...

1) Machine cert probably isn't what you are looking for - you probably want to submit a web server cert instead after generating a CSR. This can be done through IIS on any box, as you mentioned. When submitting, visit the http://caservername/certsrv page and select the 1st then 2nd link. The SAN can be entered into the Attributes box: SAN:dns="servername.domain.com"&dns="servername"&dns="servername.domain.local"&ipaddress="192.168.0.1"

Make sure the subject name of the cert is also included in the SAN list.


2) You should also be able to open up the Certificates MMC and select the local computer context, this may still show up under your user context though since you are accessing it as a user.  If it does, you can add the Certificates snapin twice to the MMC console - one for user and one for computer, then just click and drag from one to the other.

3) I would suggest autoenrollment for machine certs - this will install to the computer store, however I'm sure you are already thinking it - this doesn't work well for SANs.
0
Paranormastic (Cryptographic Engineer) commented:
Side note: in IIS you don't see the option for SAN cert as it is done when submitting the CSR to the CA via the certsrv page as I mentioned above. This is just a different way and isn't quite as nice as the wizard method from the Certificates MMC.

After you install the cert back into IIS (you can create the CSR from a temp site so it doesn't affect other sites), you can export it including the private key to a .pfx file, then copy that over to the ISA box to import it there.  When you install it, make sure to manually select, then browse to select store and checkmark on for 'show physical stores' and then select personal store.
0
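The missing "store in local machine" and "mark private key as exportable" options can be set in a certreq request file instead of the web enrolment pages. This is an added example, not code from the thread or from Microsoft: the CA config string `rootdc.corp.local\Corp Root CA`, the listener names `isa.corp.local` / `isa.corp.com` and the IP `192.168.0.1` are placeholders, and it assumes PowerShell on the 2008 CA or any domain member that can reach it.

```powershell
# Added example (not from the original thread). All names below are placeholders.
$caConfig = "rootdc.corp.local\Corp Root CA"
$work     = "C:\certreq"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Request definition. MachineKeySet = TRUE puts the key pair in the LOCAL
#    MACHINE store (the option missing from the 2008 web pages) and
#    Exportable = TRUE lets you move the cert to the ISA box as a .pfx later.
#    The subject CN is repeated in the SAN list, as the comment above advises.
@"
[NewRequest]
Subject = "CN=isa.corp.local"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=isa.corp.local&"
_continue_ = "dns=isa.corp.com&"
_continue_ = "ipaddress=192.168.0.1"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\isa.inf" -Encoding ASCII

# 2. Build the CSR (key lands in the machine store), submit it to the CA over
#    RPC/DCOM, then bind the issued cert to that key.
#    Carrying the SAN inside the CSR avoids the certsrv Attributes-box form,
#    which only works once the CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled,
#    a setting that lets any requester choose any name in the SAN.
certreq -new    "$work\isa.inf" "$work\isa.req"
certreq -submit -config $caConfig "$work\isa.req" "$work\isa.cer"
certreq -accept "$work\isa.cer"

# 3. Verify: the cert in the machine Personal store must report a private key
#    and list every listener name in its Subject Alternative Name extension.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=isa.corp.local" }
"HasPrivateKey: $($cert.HasPrivateKey)"
($cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }).Format($true)
```

If the CA is set to pend requests, `certreq -submit` prints a request ID; issue it on the CA and run `certreq -retrieve <id> "$work\isa.cer"` before the `-accept` step.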
tbennett35 (Author) commented:
Sorry, I'm probably confusing the issue with my bad terminology. When I referred to machine cert, I just meant a cert I could install to the local machine store for the ISA listener, so apologies for that.

I did try moving the cert between stores, but ISA wouldn't recognise the cert (it did, but not in a way it would accept, because it said there was a key error. Haven't tried again since reinstalling the CA, because I didn't see the 'store in local machine' option).
I'll try out what you suggested and get back.

Thanks
0
Paranormastic (Cryptographic Engineer) commented:
You can also export from the Certificates MMC and just remember to include the private key, then import the same way.

You might want to read this article also, if you run into problems getting the SAN names to work after you get the cert working:
http://theessentialexchange.com/blogs/michael/archive/2008/05/07/isa-2006-and-san-uc-certificates.aspx
0
tbennett35 (Author) commented:
I might have uncovered another issue here...
While the issue I originally raised is still true, I requested a certificate for ISA which got installed to the local user store, so I moved it to the local machine store. When I try to add it to an ISA listener, I can see it but it's red (invalid), with the reason being that there is a 'private key handle error' (same as before).

I'll try and find out what this means, but if you have any ideas, I'd be happy to hear them...

Thanks for your advice so far.
0
tbennett35 (Author) commented:
Ok, I've managed to achieve the end result I wanted, but it wasn't exactly pretty...

As this is an ISA server making the request, I had to allow the traffic to the CA, which I'd done for Web Enrolment, but not for the ports it requires when making the request via the console. I looked for the traffic being denied in the ISA log, and opened the ports, but the certificates mmc still didn't like it, even though at that time I couldn't see any more blocked traffic (god, I love and hate ISA at the same time!). So instead, I made the request for the cert on the Root DC itself, and added SAN names and checked 'mark as exportable', then I exported from the root DC, and imported into the local store on the ISA...success!

At least I know how to get round this now, but there's got to be a better way of doing it than this surely? Never had any of this trouble on Windows 2003, and gotta say, it's putting me off using Windows 2008 if I'm going to get this hassle every time I want to do, what was on Windows 2003, a simple task. Anyway, there's my moan over.

Anyhows...is this as good as it gets on 2008?
0
Paranormastic (Cryptographic Engineer) commented:
Personally I think the export/import method is the easiest, but here are a few things you can read through.

Part of the issue is that cert services uses DCOM, which is a dynamic port.
For the CA, you need:
RPC TCP 135
Randomly allocated high TCP ports
  2003: random port number between 1024 - 65535
  2008: random port number between 49152 - 65535

You can make the DCOM port static if you like. Read this carefully:
http://blogs.msdn.com/john_daskalakis/archive/2009/02/05/9397926.aspx

http://itbloggen.se/cs/blogs/hasain/archive/2009/04/28/fixed-port-for-the-quot-certsrv-request-quot-rpc-dcom-component-in-windows-server-2008.aspx

http://blogs.isaserver.org/pouseele/2007/10/12/certificate-enrollment-requires-a-custom-protocol/

Also note that you need other ports like 80 open for web enrollment page, and if your CA were in a DMZ you would need AD ports open to talk to the DC.
0
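Before retrying the Certificates MMC request from the ISA box, it helps to prove the RPC/DCOM path to the CA works at all. This is an added check, not part of the thread: the CA host `rootdc.corp.local` and config name `Corp Root CA` are placeholders, and it assumes PowerShell 2.0 or later on the requesting machine.

```powershell
# Added example (not from the original thread). Placeholders for the CA.
$caHost   = "rootdc.corp.local"
$caConfig = "$caHost\Corp Root CA"

# 1. The RPC endpoint mapper (TCP 135) must be reachable first; the CA then
#    tells the client which high dynamic port the certsrv DCOM call uses.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($caHost, 135)
    "TCP 135 to $caHost : open"
} catch {
    "TCP 135 to $caHost : BLOCKED - check the ISA access rule for RPC"
} finally {
    $tcp.Close()
}

# 2. End-to-end test over the same interface the MMC uses (ICertRequest).
#    If 135 is open but this fails, the dynamic high port (or the static
#    port you pinned certsrv to) is what the firewall is still denying.
certutil -ping -config $caConfig

# 3. Run this one on the CA itself: shows the dynamic range it will hand out,
#    which is the range the ISA access rule must cover if no static port is set.
netsh interface ipv4 show dynamicport tcp
```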

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tbennett35Author Commented:
Happy to award the points, given the assistance you gave.

Much appreciated...
0