Windows 2008 requesting local CA certificate with just server name, not fqdn

Posted on 2011-09-22
Last Modified: 2012-05-12
All of our servers get certificates when we bring them on our AD domain, but they get the fully qualified domain name such as  We have some applications that require us to have the certificate just read the name of the server, such as just "server1".  Whenever I go into the certificate snap-in and request a certificate, it always assigns it to the fqdn.  How can I get the certificate made out to just the server name only and NOT fqdn?
Question by:jpletcher1
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3

Accepted Solution

Shmoid earned 500 total points
ID: 36584678
Several ways you can do it.

First, make a duplicate of your server auth template. Name it something like Server Authentication - FQDN so it's easy to differentiate from the original. Edit the new template. On the Subject Name tab select "Supply in Request". On the security tab make sure it has the correct permissions.

You can then specify the single name for the subject when you initiate the request from MMC.

You could also go directly to the CA at http://CAservername/certsrv but that is more trouble because after the cert is created you have to export it from the CA and import it to the server it is intended for.

Another option is to generate a CSR on the intended server then process it on the CA manually. Also more trouble.

No matter which method you use be sure to select the new template.

Author Comment

ID: 36585100
We have a root and intermediate CA in our Microsoft CA environment.  Which one would I make the duplicate template on?

Expert Comment

ID: 36587613
Certificate templates are stored in the configuration partition of Active Directory so you could create/edit templates from any computer that has the certificate templates snap-in. However, once you create a new template you will then need to add it in the Certificate Authority on your Issuing CA so you might as well create the template from there as well. But again, the templates aren't actually on the CA.
IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?


Author Comment

ID: 36588296
These are my options for templates that are available.  I don't see any server auth ones.  Am I looking in the right place?

Assisted Solution

Shmoid earned 500 total points
ID: 36589204
Yes, you are looking in the right place.  I was thinking that Server Authentication was a default template but it's not. You can duplicate either Web Server or Computer. Both are default templates and both are computer certs. There are only two differences between them. Computer provides both client and server auth and and has a 1 year validity period.  Web Server provides only server auth and has a 2 year validity period. Since you are duplicating one of them and making changes to the duplicate it doesn't really matter which one. Just be sure to set the validity period to what you want and change the suplly in request option that will be available on the duplicate.

Than make it available in the Certificate Authority's templates folder.

Author Comment

ID: 36589693
Getting closer!  I have the Computer cert duplicated and I set the new template to specify the subject  name.  I added it to our CA.  I go to the server I want to get the certificate for and open MMC, computer certificate area.  Right click, all tasks, request new certificate.  Then when I go to set it up it still looks the same where my options for subject are the typical options and it doesn't give me the ability to specify my own.  I double checked the template and I did select the option to have the subject be specified.

Thanks for your continued support.

Author Comment

ID: 36589697
Here is a screen shot where I am still stuck.

Author Comment

ID: 36589902
Actually, when I use the new template and select to use  "common name", I can put in the server name and when it makes the cert it leaves the subject as the single name, not the fqdn.  So that's what I need.  Thanks for all your help!

Author Closing Comment

ID: 36589911
Thanks for the great and clear directions.  Just what I needed.

Featured Post

Do you have a plan for Continuity?

It's inevitable. People leave organizations creating a gap in your service. That's where Percona comes in.

See how relies on Percona to:
-Manage their database
-Guarantee data safety and protection
-Provide database expertise that is available for any situation

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question