msyed1
How to Issue Web SSL certificates at Enterprise level

We have a Windows Server 2008 ADCS in place. I have the need to install SSL certificates to around 3000 Windows 2000 servers.

For testing I have requested a CSR for the test servers and generated SSL certificates. But now we are ready to do this on the Production servers and we have close to 3000 of them.

1. How can we automate the creation of the CSRs? The app group can't possibly create 3000 CSRs.
2. How can we automate the creation of the SSL certs? Is there some way of running this process in a batch file, through Certutil?
I am not sure why you need to generate 3000 "SSL certs". Do you mean 3000 web server certs, or 3000 machine certs to be used by System Center or another MS domain authentication requirement? What template are you using for issuing these certs? If indeed you need 3000 web server certs, I am not sure what site name you would use for each, but let's assume it is the computer name, and these are all part of that AD domain.

In order to automate this somewhat, you could generate an INF file for each server (must be stored as UNICODE), and put them in a central share. The INF file describes the server and cert needed. I have attached a sample INF file. Then you could write a script to run once on each server. This script would look like this:

    certreq -new \\centralshare\sharename\%computername%.inf \\centralshare\sharename\%computername%.req
        [where %computername% is the name of the device]
    certreq -submit \\centralshare\sharename\%computername%.req \\centralshare\sharename\%computername%.cer
    certreq -accept \\centralshare\sharename\%computername%.cer

This has the added advantage that all the INFs, REQs, and CERs are stored in that one share.



msyed1 (ASKER)

Boilermaker85:

Thank you for helping me.

Isn't a Web Server certificate the same as an SSL certificate? I am still new at this. Please tell me the difference. I know for sure that it is NOT 'machine' certs that we need. Is a Web Server certificate issued to the server DNS name and an SSL certificate issued to the website name that runs from that server? Will appreciate some explanation here. As far as I know, it is the same certificate template that I create both the SSL and Web Server certificates from.

The reason we need 3000 certs is because all these servers are identical, they run the same application.  It is a POS (point-of-sale) application for a very BIG retail company.  

I don't totally understand the Certreq statement examples you provided. According to my understanding,
    certreq -new ..... is done to create a CSR .... and it should be run on the target server
    certreq -submit .... is done to generate the certificate .... this is done at the Issuing CA
    certreq -accept .... is done to install (?) the certificate .... and it should be done at the target server
Please correct me if I am wrong....

Also, in your email you said you included an attachment of a sample .inf file. I didn't find it. I don't know how to access attachments on the Experts Exchange site.

I will really appreciate a fast reply.  I am in a time binding with this project.  Thanks.
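The three certreq steps from the answer above, with the per-server INF generated by the script itself, as an added example that is not part of this thread. It runs entirely on the target server: -submit names the issuing CA with -config, so nothing has to be done at the CA. The values of SHARE, CACONFIG and DNSSUFFIX are placeholders to replace with your own share, CA and DNS suffix, and it assumes the account running it is a local administrator with Enroll permission on the Web Server template.

```batch
@echo off
REM Added example, not from the thread above. Run once on each server.
REM Placeholders (assumptions) to replace for your environment:
set SHARE=\\centralshare\sharename
set CACONFIG=CAHOST\Contoso Issuing CA
set DNSSUFFIX=corp.example.com
set FQDN=%COMPUTERNAME%.%DNSSUFFIX%
set BASE=%SHARE%\%COMPUTERNAME%
set LOG=%SHARE%\results.log

REM 1. Write the INF that certreq -new turns into a CSR: Web Server template,
REM    2048-bit RSA in the machine store, SChannel provider so IIS can use the key.
REM    The answer above stores INFs as Unicode; echo writes ANSI, which certreq
REM    also reads. For Unicode output, start this script as: cmd /U /C script.cmd
(
echo [Version]
echo Signature="$Windows NT$"
echo.
echo [NewRequest]
echo Subject = "CN=%FQDN%"
echo KeyLength = 2048
echo KeySpec = 1
echo KeyUsage = 0xA0
echo MachineKeySet = TRUE
echo Exportable = FALSE
echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
echo ProviderType = 12
echo RequestType = PKCS10
echo.
echo [RequestAttributes]
echo CertificateTemplate = WebServer
echo.
echo [EnhancedKeyUsageExtension]
echo OID=1.3.6.1.5.5.7.3.1
) > "%BASE%.inf"

REM 2. Create the CSR (the private key never leaves this server).
certreq -new "%BASE%.inf" "%BASE%.req" || goto :fail
REM 3. Submit to the issuing CA by name, so no CA-selection dialog appears
REM    (the template must grant Enroll to the account running this script).
certreq -submit -config "%CACONFIG%" "%BASE%.req" "%BASE%.cer" || goto :fail
REM 4. Install the issued certificate and bind it to the private key.
certreq -accept "%BASE%.cer" || goto :fail
echo %DATE% %TIME% %COMPUTERNAME% OK>> "%LOG%"
exit /b 0
:fail
echo %DATE% %TIME% %COMPUTERNAME% FAILED (errorlevel %ERRORLEVEL%)>> "%LOG%"
exit /b 1
```

The INF, REQ and CER for every server end up in the share as the answer describes, and results.log shows which of the 3000 servers still need attention.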