How to Issue Web SSL certificates at Enterprise level
We have a Windows Server 2008 ADCS in place. I have the need to install SSL certificates to around 3000 Windows 2000 servers.
For testing I have requested a CSR for the test servers and generated SSL certificates. But now we are ready to do this on the Production servers and we have close to 3000 of them.
1. How can we automate the creation of the CSRs? The app group can't possibly create 3000 CSRs ??
2. How can we automate the creation of the SSL certs ?? Is there some way of running this process in a batch file ?? Through Certutil ??
I am not sure why you need to generate 3000 "SSL certs". Do you mean 3000 web server certs? Or 3000 machine certs to be used by System Center or another MS domain authentication requirement? What template are you using for issuing these certs? If indeed you need 3000 web server certs, I am not sure what sitename you would use for each, but let's assume it is the computername, and these are all part of that AD domain.
In order to automate this somewhat, you could generate an INF file for each server (must be stored as UNICODE), and put them in a central share. The INF file describes the server and cert needed. I have attached a sample inf file. Then you could write a script to run once on each server. This script would look like this:
certreq -new \\centralshare\sharename\%computername%.inf \\centralshare\sharename\%computername%.req
[where %computername% is the name of the device]
certreq -submit \\centralshare\sharename\%computername%.req \\centralshare\sharename\%computername%.cer
certreq -accept \\centralshare\sharename\%computername%.cer
This has the added advantage that all the INFs, REQs, and CERs are stored in that one share.
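An added example, not the answer's missing attachment and not Experts Exchange code: a batch wrapper around the three certreq steps above, run once per server, that writes the INF from %COMPUTERNAME% instead of pre-staging it and skips servers that already have a .cer in the share. The share path, CA config string (CAHost\CAName), template name and DNS suffix are assumed placeholders, as is a certreq build that supports -new and -accept.

```batch
@echo off
setlocal
rem Assumed values: replace for your environment.
set "SHARE=\\centralshare\sharename"
set "CACONFIG=ca01.corp.example\Corp Issuing CA"
set "TEMPLATE=WebServer"
set "DNSSUFFIX=corp.example"
set "BASE=%SHARE%\%COMPUTERNAME%"

rem Idempotent: a server whose .cer is already in the share is not re-enrolled.
if exist "%BASE%.cer" (echo %COMPUTERNAME%: already enrolled & exit /b 0)

rem Write the INF for this server. Contents are ASCII, so an ANSI file is fine;
rem if you add non-ASCII subject data, save the INF as Unicode as noted above.
if not exist "%BASE%.inf" (
  > "%BASE%.inf" echo [Version]
  >>"%BASE%.inf" echo Signature="$Windows NT$"
  >>"%BASE%.inf" echo [NewRequest]
  >>"%BASE%.inf" echo Subject = "CN=%COMPUTERNAME%.%DNSSUFFIX%"
  >>"%BASE%.inf" echo KeyLength = 2048
  >>"%BASE%.inf" echo KeySpec = 1
  >>"%BASE%.inf" echo Exportable = FALSE
  >>"%BASE%.inf" echo MachineKeySet = TRUE
  >>"%BASE%.inf" echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  >>"%BASE%.inf" echo RequestType = PKCS10
  >>"%BASE%.inf" echo [RequestAttributes]
  >>"%BASE%.inf" echo CertificateTemplate = %TEMPLATE%
)

rem 1. Generate the key pair in the machine store and the CSR (-q: no dialogs).
certreq -new -q "%BASE%.inf" "%BASE%.req" || goto :fail
rem 2. Submit to the enterprise CA; -config avoids the interactive CA picker,
rem    which would hang an unattended run.
certreq -submit -q -config "%CACONFIG%" "%BASE%.req" "%BASE%.cer" || goto :fail
rem 3. Install the issued cert and bind it to the private key created in step 1.
certreq -accept -q "%BASE%.cer" || goto :fail
echo %COMPUTERNAME%: enrolled
exit /b 0

:fail
echo %COMPUTERNAME%: certreq failed, errorlevel %ERRORLEVEL% >> "%SHARE%\failures.log"
exit /b 1
```

The script writes to the share as the account it runs under, so that account needs create/write rights on the share and enroll rights on the template; failures.log gives you the list of servers to revisit.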
msyed1
ASKER
Boilermaker85:
Thank you for helping me.
Isn't a Web Server certificate the same as an SSL certificate ?? I am still new at this. Please tell me the difference. I know for sure that it is NOT 'machine' certs that we need. Is a Web Server certificate issued to the server DNS name and an SSL certificate issued to the website name that runs from that server ?? Will appreciate some explanation here. As far as I know, it is the same certificate template that I create both the SSL and Web Server certificates from.
The reason we need 3000 certs is because all these servers are identical, they run the same application. It is a POS (point-of-sale) application for a very BIG retail company.
I don't totally understand the Certreq statement examples you provided. According to my understanding:
Certreq -new.....is done to create a CSR....and it should be run on the target server
Certreq -submit....is done to generate the certificate....this is done at the Issuing CA
Certreq -accept....is done to install ?? the certificate....and it should be done at the target server
Please correct me if I am wrong....
Also, in your email you said you included an attachment of a sample .inf file. I didn't find it. I don't know how to access attachments on the Experts Exchange site.
I will really appreciate a fast reply. I am in a time bind with this project. Thanks.