Windows 2008 requesting local CA certificate with just server name, not fqdn

Posted on 2011-09-22
Last Modified: 2012-05-12
All of our servers get certificates when we bring them on our AD domain, but they get the fully qualified domain name such as  We have some applications that require us to have the certificate just read the name of the server, such as just "server1".  Whenever I go into the certificate snap-in and request a certificate, it always assigns it to the fqdn.  How can I get the certificate made out to just the server name only and NOT fqdn?
Question by:jpletcher1
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3

Accepted Solution

Shmoid earned 500 total points
ID: 36584678
Several ways you can do it.

First, make a duplicate of your server auth template. Name it something like Server Authentication - FQDN so it's easy to differentiate from the original. Edit the new template. On the Subject Name tab select "Supply in Request". On the security tab make sure it has the correct permissions.

You can then specify the single name for the subject when you initiate the request from MMC.

You could also go directly to the CA at http://CAservername/certsrv but that is more trouble because after the cert is created you have to export it from the CA and import it to the server it is intended for.

Another option is to generate a CSR on the intended server then process it on the CA manually. Also more trouble.

No matter which method you use be sure to select the new template.

Author Comment

ID: 36585100
We have a root and intermediate CA in our Microsoft CA environment.  Which one would I make the duplicate template on?

Expert Comment

ID: 36587613
Certificate templates are stored in the configuration partition of Active Directory so you could create/edit templates from any computer that has the certificate templates snap-in. However, once you create a new template you will then need to add it in the Certificate Authority on your Issuing CA so you might as well create the template from there as well. But again, the templates aren't actually on the CA.
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.


Author Comment

ID: 36588296
These are my options for templates that are available.  I don't see any server auth ones.  Am I looking in the right place?

Assisted Solution

Shmoid earned 500 total points
ID: 36589204
Yes, you are looking in the right place.  I was thinking that Server Authentication was a default template but it's not. You can duplicate either Web Server or Computer. Both are default templates and both are computer certs. There are only two differences between them. Computer provides both client and server auth and and has a 1 year validity period.  Web Server provides only server auth and has a 2 year validity period. Since you are duplicating one of them and making changes to the duplicate it doesn't really matter which one. Just be sure to set the validity period to what you want and change the suplly in request option that will be available on the duplicate.

Than make it available in the Certificate Authority's templates folder.

Author Comment

ID: 36589693
Getting closer!  I have the Computer cert duplicated and I set the new template to specify the subject  name.  I added it to our CA.  I go to the server I want to get the certificate for and open MMC, computer certificate area.  Right click, all tasks, request new certificate.  Then when I go to set it up it still looks the same where my options for subject are the typical options and it doesn't give me the ability to specify my own.  I double checked the template and I did select the option to have the subject be specified.

Thanks for your continued support.

Author Comment

ID: 36589697
Here is a screen shot where I am still stuck.

Author Comment

ID: 36589902
Actually, when I use the new template and select to use  "common name", I can put in the server name and when it makes the cert it leaves the subject as the single name, not the fqdn.  So that's what I need.  Thanks for all your help!

Author Closing Comment

ID: 36589911
Thanks for the great and clear directions.  Just what I needed.

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question