How to Issue Web SSL certificates at Enterprise level

msyed1
msyed1 used Ask the Experts™
on
We have a Windows Server 2008 ADCS in place.  I have the need to install SSL certificates to around 3000 Windows 2000 servers.  

For testing I have requested a CSR for the test servers and generated SSL certificates.  But now we are ready to do this on the Production servers and we have close to 3000 of them.

1.  How can we automate the creation of the CSRs.  The app group can't possibly create 3000 CSRs ??  
2.  How can we automate the creation of the SSL certs ??  Is there some way of running this process in a batch file ?? through Certutil ??    
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Adam BrownSenior Systems Admin
Top Expert 2010
Commented:
For Windows 2000 servers, there isn't a way to automate the certificate process. If you were using Windows 2003 servers or newer, you could leverage the Autoenrollment features of ADCS Enterprise CA. Autoenroll does not work with Windows 2000. There may be a way to script it, but with Windows 2000 you would likely need to use VBScript, which I am not familiar with.
I am not sure why you need to generate 3000 "SSL certs". Do you mean 3000 web server certs? or 3000 Machine certs to be used by System Center or other MS domain authentication requirement? What template are you using for issuing these certs? IF indeed you need 3000 web server certs, I am not sure what sitename you would use for each, but lets assume it is the computername, and these are all part of that AD domain.

In order to automate this somewhat, you could generate an INF file for each server (must be stored as UNICODE), and put them in a central share. The INF file describes the server and cert needed. I have attached a sample inf file. Then you could write a script to run once on each server. This script would look like this
Certreq -new  \\centralshare\sharename\%computername%.inf
      \\centralshare\sharename\%computername%.req  
       [where  %computername% is the name of the device, ]
certreq –submit \\centralshare\sharename\%computername%.req
  \\centralshare\sharename\\%computername%.cer
certreq -accept \\centralshare\sharename\%computername%.cer

This has the added advantage that all the INFs, REQs, and CERs are stored in that one share.



Author

Commented:
Boilermaker85:

Thank you for helping me.

Isn't a Web Server certificate the same as an SSL certificate ??  I am still new at this.  Please tell me the difference.  I know for sure that it is NOT 'machine' certs that we need.  Is a Web Server certificate issued to the server DNS name and an SSL certificate issued to the website name that runs from that server ??  Will appreciate some exaplanation here.  As far as I know, it is the same certificate template that I create both the SSL and Web Server certificates from.  

The reason we need 3000 certs is because all these servers are identical, they run the same application.  It is a POS (point-of-sale) application for a very BIG retail company.  

I don't totally understand the Certreq statement examples you provided.  According to my understanding,
Certreq - new.....is done to create a CSR....and it should be run on the target server
Certreq - submit....is done to generate the certificate....this is done at the Issuing CA
Certreq - accept....is done to install ?? the certificate....and it should be done at the target server
Please correct me if I am wrong....

Also, In your email you said you included an attachment of a sample .inf file.  I didn't find it.  I don't know how to access attachments on the Experts Exchange site.  

I will really appreciate a fast reply.  I am in a time binding with this project.  Thanks.
In the case of an application needing an SSL cert, they can use the same template as when getting an internal cert for a web site. They dont have to use the same template if you wanted to create a custom template just for this application. But if your CA is 2008 and your POS are WIndows 2000, I dont think the 2008 CA can make custom certs that WIn2k will like. So you should probably use the default web server template.

As for the certreq commands and where they are run, if the target computer and the issuing CA are network connected on the same domain, then all the commands can be executed on the target computer.  The issuing CA is obtained from AD when you issue the commands.  samplerequest.inf.txt

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial