Solved

Windows 2008 requesting local CA certificate with just server name, not fqdn

Posted on 2011-09-22
9
418 Views
Last Modified: 2012-05-12
All of our servers get certificates when we bring them on our AD domain, but they get the fully qualified domain name such as server1.domain.com.  We have some applications that require us to have the certificate just read the name of the server, such as just "server1".  Whenever I go into the certificate snap-in and request a certificate, it always assigns it to the FQDN.  How can I get the certificate made out to just the server name only and NOT the FQDN?
Question by: jpletcher1

9 Comments
 
LVL 8

Accepted Solution

by: Shmoid (earned 500 total points)
Several ways you can do it.

First, make a duplicate of your server auth template. Name it something like Server Authentication - FQDN so it's easy to differentiate from the original. Edit the new template. On the Subject Name tab select "Supply in Request". On the security tab make sure it has the correct permissions.

You can then specify the single name for the subject when you initiate the request from MMC.

You could also go directly to the CA at http://CAservername/certsrv but that is more trouble because after the cert is created you have to export it from the CA and import it to the server it is intended for.

Another option is to generate a CSR on the intended server then process it on the CA manually. Also more trouble.

No matter which method you use be sure to select the new template.
0
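The CSR route from the answer above, worked end to end, as an added example that is not part of the original thread: a certreq INF that carries the bare host name as the subject, submitted against the duplicated "Supply in Request" template. It assumes the duplicated template's internal name is ServerAuthentication-FQDN, that the issuing CA is reachable as ca01.domain.com\Domain-Issuing-CA, and that it runs elevated on the target server (server1 in domain.com); all of those names are placeholders. Listing both the short name and the FQDN as subject alternative names is an addition of mine, so clients that ignore the CN still match.

```powershell
# Added example, not code from the original post. All names below are assumptions.
$Template = 'ServerAuthentication-FQDN'            # template NAME (no spaces), not its display name
$CAConfig = 'ca01.domain.com\Domain-Issuing-CA'    # "<CA host>\<CA common name>"
$Short    = $env:COMPUTERNAME.ToLower()            # e.g. server1
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()

# The subject is taken verbatim from this INF because the template says "Supply in Request".
$inf = @"
[NewRequest]
Subject = "CN=$Short"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
; Assumption: both names as SANs (2.5.29.17) so name matching works with or without the FQDN
2.5.29.17 = "{text}"
_continue_ = "dns=$Short&"
_continue_ = "dns=$Fqdn"
"@

$dir = Join-Path $env:TEMP "certreq-$Short"
New-Item -ItemType Directory -Force -Path $dir | Out-Null
Set-Content -Path "$dir\request.inf" -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the PKCS#10 request.
certreq -new "$dir\request.inf" "$dir\request.req"

# 2. Submit to the issuing CA. If the template requires CA manager approval this returns
#    "Taken Under Submission" and a request ID; issue it on the CA and retrieve with
#    certreq -retrieve -config $CAConfig <RequestId> "$dir\cert.cer" instead.
certreq -submit -config $CAConfig "$dir\request.req" "$dir\cert.cer"

# 3. Bind the issued certificate to the private key generated in step 1.
certreq -accept "$dir\cert.cer"

# 4. Confirm the subject really is the bare name and that the private key is present.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Short" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) { throw "No usable certificate with subject CN=$Short" }
$cert | Format-List Subject, DnsNameList, NotAfter, Thumbprint, HasPrivateKey
```

The same INF can be submitted through the MMC "Create Custom Request" wizard or the certsrv web page; the important part is that the template itself, not the client, decides whether the supplied subject is honoured. With "Supply in Request" the CA trusts whatever CN the requester sends, which is why the Security tab matters: restrict Enroll to the specific servers rather than to Domain Computers or Authenticated Users.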
 

Author Comment

by:jpletcher1
We have a root and intermediate CA in our Microsoft CA environment.  Which one would I make the duplicate template on?
0
 
LVL 8

Expert Comment

by:Shmoid
Certificate templates are stored in the configuration partition of Active Directory so you could create/edit templates from any computer that has the certificate templates snap-in. However, once you create a new template you will then need to add it in the Certificate Authority on your Issuing CA so you might as well create the template from there as well. But again, the templates aren't actually on the CA.
0
 

Author Comment

by:jpletcher1
These are my options for templates that are available.  I don't see any server auth ones.  Am I looking in the right place?
cert-templates.JPG
0
 
LVL 8

Assisted Solution

by: Shmoid (earned 500 total points)
Yes, you are looking in the right place.  I was thinking that Server Authentication was a default template but it's not. You can duplicate either Web Server or Computer. Both are default templates and both are computer certs. There are only two differences between them. Computer provides both client and server auth and has a 1 year validity period.  Web Server provides only server auth and has a 2 year validity period. Since you are duplicating one of them and making changes to the duplicate it doesn't really matter which one. Just be sure to set the validity period to what you want and change the supply in request option that will be available on the duplicate.

Then make it available in the Certificate Authority's templates folder.
0
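The two points made above, that templates live in the Configuration partition rather than on the CA and that the duplicate still has to be published on the issuing CA, checked from PowerShell, as an added example that is not part of the original thread. It assumes the duplicated template is named ServerAuthentication-FQDN, the issuing CA is ca01.domain.com\Domain-Issuing-CA, and the RSAT ActiveDirectory module is installed on a machine whose account is allowed to publish templates on that CA; those names are placeholders. The Enroll extended-right GUID is the documented Certificate-Enrollment right.

```powershell
# Added example, not code from the original post. Names are assumptions.
Import-Module ActiveDirectory
$TemplateName = 'ServerAuthentication-FQDN'
$CAConfig     = 'ca01.domain.com\Domain-Issuing-CA'

# 1. Templates are objects in the Configuration partition; any domain member can read them.
$templatesDN = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $templatesDN -Filter "name -eq '$TemplateName'" `
           -Properties 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage'
if (-not $tpl) { throw "Template '$TemplateName' not found under $templatesDN" }

# 2. "Supply in the request" is bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) of msPKI-Certificate-Name-Flag.
$supplyInRequest = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
"Supply in request : $supplyInRequest"
# 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication
# (a Computer duplicate carries both, a Web Server duplicate only the first)
"EKUs              : $($tpl.pKIExtendedKeyUsage -join ', ')"

# 3. Because the requester chooses the subject, review who holds Enroll on the template.
#    GenericAll, or an ExtendedRight ACE with an empty GUID (all extended rights), also grants Enroll.
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
(Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights -match 'GenericAll' -or
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
             ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty))
        )
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# 4. Publish the template on the issuing CA (the "Certificate Templates" folder in the CA console)
#    and confirm it is listed. Template replication across DCs can take a while, so re-run
#    the check if the CA reports the template as unknown.
certutil -config $CAConfig -SetCATemplates "+$TemplateName"
certutil -config $CAConfig -CATemplates | Select-String -Pattern $TemplateName
```

If step 3 lists Domain Computers, Domain Users or Authenticated Users with Enroll while the template has Client Authentication in its EKUs, tighten the ACL before publishing: anyone covered by that ACE could request a certificate with a subject of their choosing.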
 

Author Comment

by:jpletcher1
Getting closer!  I have the Computer cert duplicated and I set the new template to specify the subject name.  I added it to our CA.  I go to the server I want to get the certificate for and open MMC, computer certificate area.  Right click, All Tasks, Request New Certificate.  Then when I go to set it up it still looks the same where my options for subject are the typical options and it doesn't give me the ability to specify my own.  I double checked the template and I did select the option to have the subject be specified.

Thanks for your continued support.
0
 

Author Comment

by:jpletcher1
Here is a screen shot where I am still stuck.
cert2.JPG
0
 

Author Comment

by:jpletcher1
Actually, when I use the new template and select to use "common name", I can put in the server name and when it makes the cert it leaves the subject as the single name, not the FQDN.  So that's what I need.  Thanks for all your help!
0
 

Author Closing Comment

by:jpletcher1
Thanks for the great and clear directions.  Just what I needed.
0
