
How to make a Certificate Request on a Windows Server Core VM

Posted on 2010-04-06
Last Modified: 2012-05-09
I need to make a certificate signing request on a Server Core VM. I have installed the IIS 7 Manager on another server, but when I connect to the Web server the "Server Certificates" button is missing. I have tested this by connecting remotely to a "Full Installation" Web Server and I get the same result: no "Server Certificates" button. If I go on the console of the "Full Installation" Web Server I do get the "Server Certificates" button and can complete the request.
I have installed the "ClientCertificateMappingAuthentication" and the "CertificateMappingAuthentication" roles on the Server Core installation. I am out of ideas; can anyone please help with this?
Question by:JK-PBS
9 Comments
 
LVL 14

Expert Comment

by:Wonko_the_Sane
ID: 29923531
Hmm, haven't tried this yet, but can you try "certutil" to create a request? This is kind of tricky though...

Or you can create the request on a different server (use 2003 if you have) and export the certificate later, then just import it on core?



0
 
LVL 12

Expert Comment

by:acl-puzz
ID: 29923726
Do you have AD running? If this is true, try the following:

To make sure that the Root certificate is published to each client, execute this command to publish it into Active Directory:
certutil -dspublish C:\RootCA.cer RootCA
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 2000 total points
ID: 29924452
You need to create a 'request.inf' file and create the CSR using certreq.exe, not certutil.

Client certificate mapping deals with having the user provide a certificate to authenticate to your site during the SSL handshake. The cert is mapped to an existing user account.

The request.inf should look like this for a web server cert:


[Version]
Signature="$Windows NT$"

[NewRequest]
Subject="C=US,S=YourState,L=YourCity,O=YourCompany,OU=YourOU,CN=Servername.domain.com"
PrivateKeyArchive=FALSE
Exportable=FALSE
UserProtected=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
UseExistingKeySet=FALSE
RequestType=PKCS10
;HashAlgorithm=sha1RSA
KeyLength=2048
KeyUsage = 0xF0     ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment
KeySpec=1

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication


You can create the CSR with this cmd:
certreq -new c:\temp\request.inf c:\temp\certrequest.txt
0
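A pre-flight check for the request.inf described in the accepted answer, followed by the certreq call and a decode of the resulting CSR. This is an added example, not code from the thread; the function name and default paths are placeholders, and it assumes PowerShell is available on the Core server and that certutil prints English output.

```powershell
# Added example, not from the thread: pre-flight check of request.inf, then CSR creation.
# Function name and default paths are placeholders; run from an elevated session.
function New-CheckedCsr {
    param(
        [string]$InfPath = 'C:\temp\request.inf',
        [string]$CsrPath = 'C:\temp\certrequest.txt'
    )

    # Parse "Key = Value ; comment" lines; section headers and comment lines are skipped.
    $cfg = @{}
    foreach ($line in Get-Content -Path $InfPath) {
        $text = ($line -replace ';.*$', '').Trim()
        if ($text -match '^([^=\[\s]+)\s*=\s*(.+)$') {
            $cfg[$Matches[1]] = $Matches[2].Trim('"')
        }
    }

    # Settings that decide how well the private key is protected.
    $problems = @()
    if ([int]$cfg['KeyLength'] -lt 2048) {
        $problems += 'KeyLength is missing or below 2048'
    }
    if ($cfg['Exportable'] -ne 'FALSE') {
        $problems += 'Exportable is not set to FALSE'
    }
    if ($cfg['MachineKeySet'] -ne 'TRUE') {
        $problems += 'MachineKeySet is not TRUE (key would be created in the user profile)'
    }
    if ($cfg['Subject'] -notmatch 'CN=[^,]+') {
        $problems += 'Subject has no CN'
    }
    if ($problems) { throw ('request.inf rejected: ' + ($problems -join '; ')) }

    # Do not overwrite an earlier request file.
    if (Test-Path $CsrPath) { throw "$CsrPath already exists" }

    & certreq.exe -new $InfPath $CsrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

    # Decode the CSR so the subject and key size can be confirmed before submission.
    & certutil.exe -dump $CsrPath | Select-String -Pattern 'CN=', 'Public Key Length'
}
```

Calling `New-CheckedCsr` with no arguments uses the paths from the answer above.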

 
LVL 14

Expert Comment

by:Wonko_the_Sane
ID: 29924570
yeah right, that was a typo :)
certreq is correct.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 29925620
When you get the issued cert, install with certutil.exe:
certutil -f -addstore My c:\temp\certname.cer

If you have problems, you may need to reassociate the private key.  Try this:
certutil -dump certname.cer | more
(break after first screen)
Note the Serial Number value displayed and use this as %SerialNumber%:

certutil -repairstore My %SerialNumber%

You can confirm that the private key is associated:
certutil -store My %SerialNumber%

If it is associated it should have something like this as the last line:
Encryption test passed

If it isn't associated then:
Missing stored keyset
or
Cannot load key: Key does not exist. 0x8009000d (-2146893811)
Encryption test FAILED
0
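The install, check and repair sequence from the comment above as one function, reading the serial number from the .cer file rather than copying it from the dump. This is an added example, not code from the thread; the function name is a placeholder and the matched string assumes English certutil output.

```powershell
# Added example, not from the thread: install the issued certificate, then confirm the
# private key binding and run the repair step only if needed.
# Function name is a placeholder; the matched string assumes English certutil output.
function Install-IssuedCert {
    param([Parameter(Mandatory = $true)][string]$CerPath)

    # Read the serial number from the file instead of copying it from "certutil -dump".
    $full   = (Resolve-Path $CerPath).Path
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    $serial = $cert.SerialNumber

    & certutil.exe -f -addstore My $full | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

    # "Encryption test passed" appears in the store listing only when the key is usable.
    $bound = {
        [bool](& certutil.exe -store My $serial |
            Select-String -SimpleMatch 'Encryption test passed' -Quiet)
    }

    if (-not (& $bound)) {
        # Key not associated yet: try to re-link it, as described in the comment above.
        & certutil.exe -repairstore My $serial | Out-Null
    }
    if (-not (& $bound)) {
        throw "Certificate $serial has no usable private key on this machine."
    }
    "Certificate $serial is installed with its private key."
}
```

The repair can only succeed on the server where `certreq -new` was run, because the private key was generated there and never leaves it when `Exportable=FALSE`.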
 

Author Closing Comment

by:JK-PBS
ID: 31711413
That is a beautiful thing
0
 

Author Comment

by:JK-PBS
ID: 30219094
Paranormastic,
Your solution is spot on, thank you very much.
I called Microsoft support for help and received the following help:
3 - People that called me to help. All three people told me that this issue was beyond the scope of their knowledge.
2 - People of Microsoft Support that told me they are not familiar with the term "Server Core".
2 - The amount of times I called Microsoft Support and was disconnected.
0 - The total amount of help that Microsoft Support provided.
0
 

Author Comment

by:JK-PBS
ID: 30220117
To add
1 - The person that failed to read the support ticket that said I was NOT available 24-7 and called me at 8:00PM at night, which was 6 hours after the support request was filed, which was 2 hours beyond the 4 hour window that my support contract stated.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 30547151
Always glad to help out - that's why I'm here :)
0
