Third party certificate renewal on a 2003 domain controller.

Posted on 2010-01-06
Last Modified: 2012-11-06

We have a 2003 domain with multiple domain controllers. Each domain controller has a third party certificate that is used for LDAPS. The process that we used initially was based on the following Microsoft KB..

The certificates are now up for renewal {in a month or so} and I am trying to figure out how to renew these. I have bumped across a few articles mentioning different items to put in the request.inf file, but they are somewhat unclear as to what all is needed.

I could just remove the current certificates and run through the process again, but I would prefer to renew these if possible {it is a bit cheaper :) }. Any insights would be appreciated.
Question by: fertigj

    Accepted Solution

    "Renewal" just really comes down to clicking that button as a returning customer for the same site name. If you have the original CSR, just use that again, and after installing the new cert using Certificates MMC - Computer context - Personal - Certificates, open the cert and grab the thumbprint and copy that into Notepad - replace all spaces with nothing, then copy the result - open cmd - 'certutil -repairstore My %right-click - paste thumbprint%'. Since it is a DC you will need to reboot the server (not just restart services) for the new cert to go into effect.

    Otherwise you can see if you already have a request.inf file and create a new CSR with 'certreq -new c:\temp\request.inf DC1.csr'.

    If you need a new request.inf, here you go:

    [Version]
    Signature="$Windows NT$"
    ; To create CSR file run this from cmd
    ; certreq -new request.inf YourServer.csr
    ; If issuing from your own internal CA run this from cmd
    ; certreq -submit -config CASERVER.DNS.NAME\CAName YourServer.csr YourServer.cer
    [NewRequest]
    Subject="CN=DC1.YourDomain.local"  ; enter FQDN here - must be FQDN not another name
    MachineKeySet = TRUE   ; key must live in the computer store so the DC (LSASS) can use it for LDAPS
    KeyLength = 2048       ; default is 1024 on 2003; commercial CAs expect at least 2048
    EncipherOnly = FALSE   ; this seemed to cause a problem in 2008 Server CA for some reason - if having problems comment this line out
    ProviderName="Microsoft RSA SChannel Cryptographic Provider"
    KeyUsage = 0xF0     ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment ; Alternative 0xA0 for DigSig & Key Encipher only
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
    OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
    OID=1.3.6.1.4.1.311.20.2.2 ; Smart Card Logon - include even if you don't use SC right now
    [RequestAttributes]
    CertificateTemplate = WebServer ; Omit line if CA is a stand-alone CA or commercial or other non-MS CA
    [Extensions]
    ; Subject Alternative Name (OID 2.5.29.17) inside the CSR itself, so a third-party CA sees it
    2.5.29.17 = "{text}"
    _continue_ = "dns=server1.domain.local&dns=server1&dns=ldap.domain.local"
    ; append &ipaddress=<your DC IP> to the line above only if clients connect to LDAPS by IP
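The thumbprint clean-up, certutil -repairstore step and post-reboot check from the answer above, as an added PowerShell example (not part of the original answer; it assumes an elevated session on the DC and uses a placeholder FQDN in $DcFqdn):

```powershell
# Added example, not from the original answer. Re-links the renewed LDAPS
# certificate with its private key (the answer's certutil -repairstore step)
# and, after the reboot, confirms that port 636 really presents that cert.
# Assumption: $DcFqdn is a placeholder; replace it with your DC's FQDN.
param(
    [string]$DcFqdn = 'DC1.YourDomain.local'
)

# 1. Pick the latest-expiring cert in the computer store whose subject is the DC FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$DcFqdn*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $DcFqdn found in LocalMachine\My" }

# 2. The Thumbprint property already has no spaces, so no Notepad clean-up is needed.
if (-not $cert.HasPrivateKey) {
    certutil -repairstore My $cert.Thumbprint | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed for $($cert.Thumbprint)" }
}

# 3. Ask the LDAPS listener which certificate it serves (run after the DC reboot).
function Get-LdapsCertificate {
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is offered: the goal is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$served = Get-LdapsCertificate -HostName $DcFqdn
if ($served.Thumbprint -eq $cert.Thumbprint) {
    "LDAPS on $DcFqdn presents the renewed certificate (expires $($served.NotAfter))"
} else {
    "LDAPS on $DcFqdn still presents $($served.Thumbprint); reboot the DC and run the check again"
}
```

The comparison at the end is the part worth scripting across all DCs: a DC that still serves the old thumbprint after reboot has picked up a different certificate from its store, which is the usual cause of LDAPS clients failing right after a renewal.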
