• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 701
  • Last Modified:

Third party certificate renewal on a 2003 domain controller.

Hello..

We have a 2003 domain with multiple domain controllers.    On each domain controller has a third party certificate that is used for ldaps.    The process that we used initially was based on the following microsoft kb..

http://support.microsoft.com/kb/321051

The certificates are now up for renewal  {in a month or so} and I am trying to figure out how to renew these.    I have bumped across a few articles mentioning different items to put in the request.inf file but they are somewhat unclear at to what all is needed.

 I could just remove the current certificates and run through the process again but I woulld prefer to renew these if possible  {it is a bit cheaper :) }   Any insights would be appreciated.
0
fertigj
Asked:
fertigj
1 Solution
 
ParanormasticCryptographic EngineerCommented:
"renewal" just really comes down to that you click that button as a returning customer for the same site name.  If you have the original CSR, just use that again, and after installing the new cert using Certificates MMC - Computer context - Personal - Certificates then open the cert and grab the thumbprint and copy that into Notepad - replace all spaces with nothing then copy the result - open cmd - 'certutil -repairstore My %right-click - paste thumbprint%'  Since it is a DC you will need to reboot the server (not just restart services) for the new cert to go into effect.

Otherwise you can see if you already have a request.inf file and create a new 'certreq -new c:\temp\request.inf DC1.csr'

If you need a new request.inf, here you go:

[Version]
Signature="$Windows NT$"
; To create CSR file run this from cmd
; certreq -new policy.inf YourServer.csr
;
; If issuing from your own internal CA run this from cmd
; certreq -submit -config CASERVER.DNS.NAME\CAName YourServer.csr YourServer.cer


[NewRequest]
Subject="CN=DC1.YourDomain.local"  ; enter FQDN here - must be FQDN not another name
EncipherOnly = FALSE   ; this seemed to cause a problem in 2008 Server CA for some reason - if having problems comment this line out
PrivateKeyArchive=FALSE
Exportable=FALSE
UserProtected=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
UseExistingKeySet=FALSE
RequestType=PKCS10
KeyLength=2048
KeyUsage = 0xF0     ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment ; Alternative 0xA0 for DigSig & Key Encipher only
KeySpec=1
SMIME=TRUE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
OID=1.3.6.1.4.1.311.20.2.2 ; Smart Card Logon - include even if you don't use SC right now

[RequestAttributes]
CertificateTemplate = WebServer ;Omit  line if CA is a stand-alone CA or commercial or other non-MS CA
SAN = "dns=server1.domain.local&&dns=server1&dns=ldap.domain.local&dns=server1&ipaddress=192.168.0.1"

Open in new window

0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now