[Webinar] Streamline your web hosting managementRegister Today


How to make a Certificate Request on a Windows Server Core VM

Posted on 2010-04-06
Medium Priority
Last Modified: 2012-05-09
I need to make a certificate signing request on a Server Core VM. I have installed the IIS 7 Manager on another server but when I connect to the Web server the "Server Certificates" button is missing. I have tested this by connecting remotely to a "Full Installation" Web Server and I get the same result: no "Server Certificates" button. If i go on the console of the "Full Installation" Web Server I do get the "Server Certificates" button and can complete the request.
I have installed the "ClientCertificateMappingAuthentication" and the "CertificateMappingAuthentication" roles on the Server Core installation. I am out of ideas can anyone please help with this.
Question by:JK-PBS
  • 3
  • 3
  • 2
  • +1
LVL 14

Expert Comment

ID: 29923531
hmm, haven't tried this yet,, but can you try "certutil" to create a request? This is kind of tricky though...

Or you can create the request on a different server (use 2003 if you have) and export the certificate later, then just import it on core?

LVL 12

Expert Comment

ID: 29923726
do u have ad running ? if this true try following

To make sure that the Root certificate is published to each client, execute this command to publish it into Active Directory
certutil -dspublish C:\RootCA.cer RootCA
LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 29924452
You need to create a 'request.inf' file and create the CSR using certreq.exe, not certutil.

Client certificate mapping deals with having the user provide a certificate to authenticate to your site during the SSL handshake. The cert is mapped to an existing user account.

The request.inf should look like this for a web server cert:

Signature="$Windows NT$"

ProviderName="Microsoft RSA SChannel Cryptographic Provider"
KeyUsage = 0xF0     ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment

OID= ; Server Authentication

You can create the CSR with this cmd:
certreq -new c:\temp\request.inf c:\temp\certrequest.txt
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

LVL 14

Expert Comment

ID: 29924570
yeah right, that was a typo :)
certreq is correct.
LVL 31

Expert Comment

ID: 29925620
When you get the issued cert, install with certutil.exe:
certutil -f -addstore My c:\temp\certname.cer

If you have problems, you may need to reassociate the private key.  Try this:
certutil -dump certname.cer | more
(break after first screen)
note the Serial Number value displayed. - use this as %SerialNumber%:

certutil -repairstore My %SerialNumber%

you can confirm that the private key is associated:
certutil -store My %SerialNumber%

If it is associated it should have something like this as the last line:
Encryption test passed

If it isn't associated then:
Missing stored keyset
Cannot load key: Key does not exist. 0x8009000d (-2146893811)
Encryption test FAILED

Author Closing Comment

ID: 31711413
That is a beautiful thing

Author Comment

ID: 30219094
Your solution is spot on thank you very much,
I called Microsoft support for help and received the following help:
3- People that called me to help. All three people told me that thid issue was beyond the scope of thier knowledge.
2- People of Microsoft Support that told me the are not familiar with the term "Server Core".
2- The amount of times I called Mirosoft Support and was dissconnected.
0 - The total amount of help that Microsoft Support provided.

Author Comment

ID: 30220117
To add
1- The person that failed to read the support ticket that said i was NOT available 24-7 and called me at 8:00PM ant night which was 6 hours after the support request was filled which was 2 hours beyond the 4 hour window that my support contract stated.
LVL 31

Expert Comment

ID: 30547151
Always glad to help out - that's why I'm here :)

Featured Post

[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
Suggested Courses

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question