How to make a Certificate Request on a Windows Server Core VM

I need to make a certificate signing request on a Server Core VM. I have installed the IIS 7 Manager on another server, but when I connect to the Web server the "Server Certificates" button is missing. I have tested this by connecting remotely to a "Full Installation" Web Server and I get the same result: no "Server Certificates" button. If I go on the console of the "Full Installation" Web Server I do get the "Server Certificates" button and can complete the request.
I have installed the "ClientCertificateMappingAuthentication" and the "CertificateMappingAuthentication" roles on the Server Core installation. I am out of ideas. Can anyone please help with this?
JK-PBS Asked:

Wonko_the_Sane Commented:
Hmm, haven't tried this yet, but can you try "certutil" to create a request? This is kind of tricky though...

Or you can create the request on a different server (use 2003 if you have) and export the certificate later, then just import it on core?



acl-puzz Commented:
Do you have AD running? If this is true, try the following:

To make sure that the Root certificate is published to each client, execute this command to publish it into Active Directory
certutil -dspublish C:\RootCA.cer RootCA
Paranormastic (Cryptographic Engineer) Commented:
You need to create a 'request.inf' file and create the CSR using certreq.exe, not certutil.

Client certificate mapping deals with having the user provide a certificate to authenticate to your site during the SSL handshake. The cert is mapped to an existing user account.

The request.inf should look like this for a web server cert:


[Version]
Signature="$Windows NT$"

[NewRequest]
Subject="C=US,S=YourState,L=YourCity,O=YourCompany,OU=YourOU,CN=Servername.domain.com"
PrivateKeyArchive=FALSE
Exportable=FALSE
UserProtected=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
UseExistingKeySet=FALSE
RequestType=PKCS10
;HashAlgorithm=sha1RSA
KeyLength=2048
KeyUsage = 0xF0     ; Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment
KeySpec=1

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication


You can create the CSR with this cmd:
certreq -new c:\temp\request.inf c:\temp\certrequest.txt

Wonko_the_Sane Commented:
yeah right, that was a typo :)
certreq is correct.
Paranormastic (Cryptographic Engineer) Commented:
When you get the issued cert, install with certutil.exe:
certutil -f -addstore My c:\temp\certname.cer

If you have problems, you may need to reassociate the private key.  Try this:
certutil -dump certname.cer | more
(break after the first screen)
Note the Serial Number value displayed and use it as %SerialNumber%:

certutil -repairstore My %SerialNumber%

You can confirm that the private key is associated:
certutil -store My %SerialNumber%

If it is associated it should have something like this as the last line:
Encryption test passed

If it isn't associated then:
Missing stored keyset
or
Cannot load key: Key does not exist. 0x8009000d (-2146893811)
Encryption test FAILED
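
The install-and-verify steps above as one batch script, added here as an example and not part of the original answer. The usage line, the exit codes and the serial-number parsing (which assumes English certutil output of the form "Serial Number: <hex>") are assumptions.

```batch
@echo off
rem Added example: install an issued certificate on Server Core and confirm
rem that its private key is bound, using the certutil commands quoted above.
rem Run from an elevated prompt on the machine where certreq -new was run.
rem Usage (hypothetical script name): install-cert.cmd c:\temp\certname.cer
setlocal

set "CERT=%~1"
if not exist "%CERT%" (
    echo Certificate file not found: "%CERT%"
    exit /b 2
)

rem Take the first line of the dump that starts with "Serial Number:".
rem Assumption: English-language certutil output.
set "SERIAL="
for /f "tokens=1* delims=:" %%A in ('certutil -dump "%CERT%" ^| findstr /b /c:"Serial Number:"') do (
    if not defined SERIAL set "SERIAL=%%B"
)
if not defined SERIAL (
    echo Could not read a serial number from "%CERT%"
    exit /b 3
)
rem Strip the leading space (and any spaces inside the hex string).
set "SERIAL=%SERIAL: =%"

certutil -f -addstore My "%CERT%"
if errorlevel 1 exit /b 4

call :KeyBound && goto :ok

echo Private key not associated; running -repairstore ...
certutil -repairstore My %SERIAL%
call :KeyBound && goto :ok

echo FAILED: no private key for serial %SERIAL%.
echo The key pair exists only on the machine that generated the CSR.
exit /b 1

:ok
echo OK: certificate %SERIAL% is installed with its private key.
exit /b 0

:KeyBound
rem Success only when certutil reports the key round-trip worked.
certutil -store My %SERIAL% | findstr /c:"Encryption test passed" >nul
exit /b %errorlevel%
```

With Exportable=FALSE in request.inf the private key cannot be moved afterwards, so a failure at the last step usually means the certificate was installed on a different machine from the one that created the request.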
JK-PBS (Author) Commented:
That is a beautiful thing
JK-PBS (Author) Commented:
Paranormastic,
Your solution is spot on, thank you very much.
I called Microsoft support for help and received the following help:
3 - People that called me to help. All three people told me that this issue was beyond the scope of their knowledge.
2 - People of Microsoft Support that told me they are not familiar with the term "Server Core".
2 - The amount of times I called Microsoft Support and was disconnected.
0 - The total amount of help that Microsoft Support provided.
JK-PBS (Author) Commented:
To add:
1 - The person that failed to read the support ticket that said I was NOT available 24-7 and called me at 8:00 PM at night, which was 6 hours after the support request was filed, which was 2 hours beyond the 4 hour window that my support contract stated.
Paranormastic (Cryptographic Engineer) Commented:
Always glad to help out - that's why I'm here :)
Windows Server 2008
