Solved

Certificate Services with Enterprise Root and Subject Alternative Name for Web Servers

Posted on 2011-03-10
Last Modified: 2012-06-27
I am trying to get certificates with Subject Alternative Names going in my enterprise. I currently have an enterprise root CA running on Windows 2003 R2 Enterprise. The CA cert has been imported to all of my domain members via group policy years ago. That is working fine. I have a new Windows 2008 R2 Enterprise server which is a subordinate (enterprise?) CA. What I need to be able to do is issue Web Server and Computer certificates with Subject Alternative Names for some web servers and other servers related to Remote Desktop Gateway and Session Host servers.

The Technet Article "How to Request a Certificate With a Custom Subject Alternative " <http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx> says that I should not enable EDITF_ATTRIBUTESUBJECTALTNAME2 because it's a security problem for Enterprise CAs.

When following the instructions for Certificate Enrollment wizard with an enterprise CA, the Web Server Certificate is not available. Only the Computer template is available. It says that I don't have permissions to request the other certificate types.

When I have my new subordinate CA running, my plan is to power down my W2K3R2 root CA.
Question by:kevinhsieh
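Before changing anything on the CA it is worth confirming the flag the Technet article warns about is actually off. The PowerShell below is an added example, not part of the original question or the article: run on the CA as an administrator, it reads the default policy module's EditFlags value from the CertSvc registry key and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x40000) is set. The CA name is resolved from the Active value under the Configuration key; the clearing command in the comment is the standard certutil syntax and is left as a comment so the check itself is read-only.

```powershell
# Added example: report whether this CA honours caller-supplied SAN request
# attributes (EDITF_ATTRIBUTESUBJECTALTNAME2). Run on the CA host as admin.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# The Active value holds the common name of the CA hosted on this machine.
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$policyKey = Join-Path $configKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags

if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
    Write-Warning ("EDITF_ATTRIBUTESUBJECTALTNAME2 is SET on {0} (EditFlags = 0x{1:X})" -f $caName, $editFlags)
    # To clear it (only after confirming no enrollment process depends on it):
    #   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    #   net stop certsvc ; net start certsvc
} else {
    "EDITF_ATTRIBUTESUBJECTALTNAME2 is not set on {0} (EditFlags = 0x{1:X})" -f $caName, $editFlags
}
```

The same information is shown by `certutil -getreg policy\EditFlags`, which lists every flag name that is set; the script just makes the one flag that matters here easy to test for in a scheduled check.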
Accepted Solution

by:
Adam Brown earned 500 total points
ID: 35143400
You need to make sure you have permission to enroll web certificates on your CA. If you are a domain admin or enterprise admin, you should already have permission, but to check, run MMC on your CA and open the Certificate Templates snap-in. Find the Web Server certificate in the list, right click, select properties, then go to the security tab and make sure your account or a group you belong to has Enroll permission.
Author Closing Comment

by:kevinhsieh
ID: 35162449
Well, you were close. As an Enterprise Admin, I had permissions to the template. I could enroll a web server certificate from IIS, but not from the local certificate manager. It turns out that the MACHINE needed permissions to the template. I created a new group in AD, added the appropriate servers, and then gave that group permission to enroll the certificate. I was then able to do it successfully after rebooting the machines.
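The fix described in the closing comment (a security group of computer accounts granted Enroll on the Web Server template) can be scripted rather than clicked through. The PowerShell below is an added example and not the author's own steps: the group name and server names are assumed, the template is the built-in one whose CN is WebServer, and the Enroll permission is the extended right with GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55 on the template object in the Configuration partition. It requires the ActiveDirectory module and an account allowed to modify the template's ACL.

```powershell
# Added example: let a group of computer accounts enroll the Web Server template.
Import-Module ActiveDirectory

$groupName    = 'CertEnroll-WebServers'          # assumed group name
$servers      = 'WEB01', 'WEB02', 'RDGW01'       # assumed computer names
$templateName = 'WebServer'                      # CN of the built-in Web Server template
$enrollRight  = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right

# 1. Create the group and add the computer accounts (machines, not users, are the enrollees).
$group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $group -Members ($servers | ForEach-Object { Get-ADComputer -Identity $_ })

# 2. Templates live in the Configuration partition, not the domain partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# 3. Add an Allow ACE for the Enroll extended right. Read is also required to enroll;
#    the default templates already grant Read to Authenticated Users.
$acl = Get-Acl -Path "AD:\$templateDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup -Identity $group).SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $enrollRight)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# 4. Verify: show the ACEs on the template that name the new group.
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType
```

The group membership only takes effect once the computer account gets a new Kerberos ticket, which is why the author had to reboot; purging the machine's ticket cache (`klist -li 0x3e7 purge`) and retrying the enrollment avoids the reboot. Granting Enroll to a group of specific computers, rather than to Domain Computers, keeps the set of hosts that can obtain web server certificates small and auditable.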