Solved

Windows 2008 requesting local CA certificate with just server name, not fqdn

Posted on 2011-09-22
Last Modified: 2012-05-12
All of our servers get certificates when we bring them on our AD domain, but they get the fully qualified domain name such as server1.doman.com.  We have some applications that require us to have the certificate just read the name of the server, such as just "server1".  Whenever I go into the certificate snap-in and request a certificate, it always assigns it to the fqdn.  How can I get the certificate made out to just the server name only and NOT fqdn?
Question by:jpletcher1
9 Comments
 
LVL 8

Accepted Solution

by:
Shmoid earned 500 total points
ID: 36584678
Several ways you can do it.

First, make a duplicate of your server auth template. Name it something like Server Authentication - FQDN so it's easy to differentiate from the original. Edit the new template. On the Subject Name tab select "Supply in Request". On the security tab make sure it has the correct permissions.

You can then specify the single name for the subject when you initiate the request from MMC.

You could also go directly to the CA at http://CAservername/certsrv but that is more trouble because after the cert is created you have to export it from the CA and import it to the server it is intended for.

Another option is to generate a CSR on the intended server then process it on the CA manually. Also more trouble.

No matter which method you use be sure to select the new template.
0
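As an added example (not from the thread or from either poster), the "generate a CSR on the intended server" route from the accepted solution done with certreq.exe against the duplicated template: the subject is set to the short host name and the request is submitted, installed and then verified in the machine store. It also lists both the short name and the FQDN as SANs, which goes beyond the thread. The template name 'ServerAuthShortName', the CA config string 'ca01.doman.com\Corp-Issuing-CA' and the host name are assumptions; run it in an elevated PowerShell on the server that needs the certificate.

```powershell
# Added example, not code from the thread. Requests a machine certificate whose
# subject is the short host name via a template that has Subject Name set to
# "Supply in request". Assumed values: template name (not display name),
# CA config string, and that the local host is the intended server.
$template  = 'ServerAuthShortName'            # assumed template name
$caConfig  = 'ca01.doman.com\Corp-Issuing-CA' # assumed CAHostName\CAName
$shortName = $env:COMPUTERNAME.ToLower()      # e.g. server1
$fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()

# certreq INF: the CA will take the subject as given because the template
# says "Supply in request"; it does not derive it from the computer account.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$shortName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
; Optional, beyond the thread: carry short name and FQDN as SANs so TLS
; clients that check either name still match.
2.5.29.17 = "{text}"
_continue_ = "dns=$shortName&"
_continue_ = "dns=$fqdn&"

[RequestAttributes]
CertificateTemplate = $template
"@

$work = Join-Path $env:TEMP 'shortname-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

certreq.exe -new "$work\request.inf" "$work\request.req"          # build CSR, key in machine store
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
certreq.exe -submit -config $caConfig "$work\request.req" "$work\cert.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }
certreq.exe -accept "$work\cert.cer"                              # bind cert to its private key

# Check that the issued certificate really carries the short name as subject.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$shortName" } |
    Select-Object Subject, Thumbprint, NotAfter
```

Because the template lets the requester supply the subject, the CA does not compare the name against the requesting computer account, so the Enroll permission on the template's Security tab is the only control over which names get issued. Duplicating Web Server rather than Computer keeps Client Authentication out of such a template, which limits what a certificate issued under it can be used for.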
 

Author Comment

by:jpletcher1
ID: 36585100
We have a root and intermediate CA in our Microsoft CA environment.  Which one would I make the duplicate template on?
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36587613
Certificate templates are stored in the configuration partition of Active Directory so you could create/edit templates from any computer that has the certificate templates snap-in. However, once you create a new template you will then need to add it in the Certificate Authority on your Issuing CA so you might as well create the template from there as well. But again, the templates aren't actually on the CA.
0

 

Author Comment

by:jpletcher1
ID: 36588296
These are my options for templates that are available.  I don't see any server auth ones.  Am I looking in the right place?
cert-templates.JPG
0
 
LVL 8

Assisted Solution

by:Shmoid
Shmoid earned 500 total points
ID: 36589204
Yes, you are looking in the right place.  I was thinking that Server Authentication was a default template but it's not. You can duplicate either Web Server or Computer. Both are default templates and both are computer certs. There are only two differences between them. Computer provides both client and server auth and has a 1 year validity period.  Web Server provides only server auth and has a 2 year validity period. Since you are duplicating one of them and making changes to the duplicate it doesn't really matter which one. Just be sure to set the validity period to what you want and change the supply in request option that will be available on the duplicate.

Then make it available in the Certificate Authority's templates folder.
0
 

Author Comment

by:jpletcher1
ID: 36589693
Getting closer!  I have the Computer cert duplicated and I set the new template to specify the subject name.  I added it to our CA.  I go to the server I want to get the certificate for and open MMC, computer certificate area.  Right click, all tasks, request new certificate.  Then when I go to set it up it still looks the same where my options for subject are the typical options and it doesn't give me the ability to specify my own.  I double checked the template and I did select the option to have the subject be specified.

Thanks for your continued support.
0
 

Author Comment

by:jpletcher1
ID: 36589697
Here is a screen shot where I am still stuck.
cert2.JPG
0
 

Author Comment

by:jpletcher1
ID: 36589902
Actually, when I use the new template and select to use "common name", I can put in the server name and when it makes the cert it leaves the subject as the single name, not the fqdn.  So that's what I need.  Thanks for all your help!
0
 

Author Closing Comment

by:jpletcher1
ID: 36589911
Thanks for the great and clear directions.  Just what I needed.
0
