Solved

Windows 2008 requesting local CA certificate with just server name, not fqdn

Posted on 2011-09-22
Last Modified: 2012-05-12
All of our servers get certificates when we bring them on our AD domain, but they get the fully qualified domain name such as server1.domain.com. We have some applications that require us to have the certificate just read the name of the server, such as just "server1". Whenever I go into the certificate snap-in and request a certificate, it always assigns it to the fqdn. How can I get the certificate made out to just the server name only and NOT fqdn?
Question by:jpletcher1

Accepted Solution

by:
Shmoid earned 500 total points
ID: 36584678
Several ways you can do it.

First, make a duplicate of your server auth template. Name it something like Server Authentication - FQDN so it's easy to differentiate from the original. Edit the new template. On the Subject Name tab select "Supply in Request". On the security tab make sure it has the correct permissions.

You can then specify the single name for the subject when you initiate the request from MMC.

You could also go directly to the CA at http://CAservername/certsrv but that is more trouble because after the cert is created you have to export it from the CA and import it to the server it is intended for.

Another option is to generate a CSR on the intended server then process it on the CA manually. Also more trouble.

No matter which method you use be sure to select the new template.
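The CSR route Shmoid lists last is the one that is easiest to script and to audit, and it also shows what "Supply in Request" actually does: the requester, not the CA, decides the subject. The following PowerShell is an added example, not part of the original thread, and assumes names the thread never gives: a duplicated template whose template name (the CN, not the display name) is ServerAuthSupplyInRequest, an issuing CA reachable as "ca01.domain.com\Contoso Issuing CA", and a server called server1 in domain.com. It must run elevated on the server that needs the certificate, and that server's computer account needs Enroll on the template, which is the Security tab check Shmoid mentions. The subject is set to the short name only; the FQDN is carried in a Subject Alternative Name so clients that validate the full name still match.

```powershell
# Added example (not from the original thread): request a computer certificate whose
# subject is the short host name only, via a template set to "Supply in Request".
# Assumed names: template ServerAuthSupplyInRequest, CA "ca01.domain.com\Contoso Issuing CA".

$ShortName = $env:COMPUTERNAME.ToLower()                                        # e.g. server1
$Fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower() # e.g. server1.domain.com
$Template  = 'ServerAuthSupplyInRequest'           # assumed template name (CN, not display name)
$CaConfig  = 'ca01.domain.com\Contoso Issuing CA'  # assumed "CAhost\CA common name"
$Work      = Join-Path $env:TEMP 'shortname-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq.exe takes its parameters from an INF file. Subject carries only the short
# name; 2.5.29.17 is the Subject Alternative Name extension, which lists both names.
$Inf = @"
[NewRequest]
Subject = "CN=$ShortName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ShortName&"
_continue_ = "dns=$Fqdn&"
"@
$InfPath = Join-Path $Work 'request.inf'
$CsrPath = Join-Path $Work 'request.csr'
$CerPath = Join-Path $Work 'issued.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding Ascii

# 1. Generate the key pair in the machine store and write the CSR.
& certreq.exe -new $InfPath $CsrPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the issuing CA. If the template auto-issues, issued.cer is written now.
#    If the CA holds the request as pending, certreq prints a RequestId; after a CA
#    admin issues it, "certreq -retrieve <RequestId> issued.cer" fetches it.
$SubmitOut = & certreq.exe -submit -config $CaConfig $CsrPath $CerPath 2>&1
if (-not (Test-Path $CerPath)) {
    Write-Warning ($SubmitOut -join "`n")
    throw 'certificate not issued yet (pending or denied); see CA output above'
}

# 3. Bind the issued certificate to its private key in LocalMachine\My.
& certreq.exe -accept $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# 4. Verify: subject must be exactly CN=<shortname>, SAN must list both names.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ShortName" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert) { throw "no certificate with subject CN=$ShortName in LocalMachine\My" }
$San = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
"Subject : $($Cert.Subject)"
"SAN     : $San"
"Issuer  : $($Cert.Issuer)"
"Expires : $($Cert.NotAfter)"
```

The same INF works for the web-enrollment option: paste the contents of request.csr into the certsrv "advanced certificate request" page and pick the template there; the difference is only that the issued certificate then has to be brought back to this server and `certreq -accept` run against it, which is the extra step Shmoid describes.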

Author Comment

by:jpletcher1
ID: 36585100
We have a root and intermediate CA in our Microsoft CA environment.  Which one would I make the duplicate template on?

Expert Comment

by:Shmoid
ID: 36587613
Certificate templates are stored in the configuration partition of Active Directory so you could create/edit templates from any computer that has the certificate templates snap-in. However, once you create a new template you will then need to add it in the Certificate Authority on your Issuing CA so you might as well create the template from there as well. But again, the templates aren't actually on the CA.

Author Comment

by:jpletcher1
ID: 36588296
These are my options for templates that are available.  I don't see any server auth ones.  Am I looking in the right place?
cert-templates.JPG

Assisted Solution

by:Shmoid
Shmoid earned 500 total points
ID: 36589204
Yes, you are looking in the right place. I was thinking that Server Authentication was a default template but it's not. You can duplicate either Web Server or Computer. Both are default templates and both are computer certs. There are only two differences between them. Computer provides both client and server auth and has a 1 year validity period. Web Server provides only server auth and has a 2 year validity period. Since you are duplicating one of them and making changes to the duplicate it doesn't really matter which one. Just be sure to set the validity period to what you want and change the supply in request option that will be available on the duplicate.

Then make it available in the Certificate Authority's templates folder.
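Before publishing the duplicate, it is worth confirming from the directory what the template actually says, since (as Shmoid notes above) templates are objects in the AD configuration partition rather than files on either CA. The PowerShell below is an added example, not from the original thread: it reads the duplicated template's name flags, validity period, EKUs and Enroll permissions, refuses to continue if "Supply in Request" is not set, and then publishes the template on the issuing CA with certutil, which is the command-line equivalent of "Certificate Template to Issue". Assumed names: template ServerAuthSupplyInRequest (the template name, i.e. the CN) and issuing CA "ca01.domain.com\Contoso Issuing CA"; it needs the ActiveDirectory module and CA-administrator rights for the publish step. The permission check matters because on a supply-in-request template the Security tab is the only thing deciding who may ask for which names; granting Enroll to Domain Users or Authenticated Users on such a template is the well-known ESC1 misconfiguration and lets any account obtain a certificate for any subject.

```powershell
# Added example (not from the original thread): inspect a duplicated template in the
# AD configuration partition, then publish it on the issuing CA.
# Assumed names: template ServerAuthSupplyInRequest, CA "ca01.domain.com\Contoso Issuing CA".
Import-Module ActiveDirectory

$TemplateName = 'ServerAuthSupplyInRequest'            # assumed template name (CN)
$CaConfig     = 'ca01.domain.com\Contoso Issuing CA'   # assumed "CAhost\CA common name"

# Bits of msPKI-Certificate-Name-Flag relevant here:
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in request"
$CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN = 0x10000000   # "Build from AD information: DNS name" (Computer default)

$ConfigNc          = (Get-ADRootDSE).configurationNamingContext
$TemplateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNc"
$Tpl = Get-ADObject -SearchBase $TemplateContainer -LDAPFilter "(cn=$TemplateName)" `
        -Properties msPKI-Certificate-Name-Flag, pKIExpirationPeriod, pKIExtendedKeyUsage, nTSecurityDescriptor
if (-not $Tpl) { throw "template $TemplateName not found under $TemplateContainer" }

$NameFlags       = [int]$Tpl.'msPKI-Certificate-Name-Flag'
$SuppliesSubject = ($NameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$BuildsFromAd    = ($NameFlags -band $CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN) -ne 0

# pKIExpirationPeriod is a negative 64-bit count of 100-ns intervals (FILETIME style).
$ValidityTicks = -1 * [BitConverter]::ToInt64([byte[]]$Tpl.pKIExpirationPeriod, 0)
$Validity      = [TimeSpan]::FromTicks($ValidityTicks)

# Principals holding the Certificate-Enrollment extended right (or all extended rights).
$EnrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ExtRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Enrollers  = $Tpl.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (($_.ActiveDirectoryRights -band $ExtRight) -ne 0) -and
                   ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [Guid]::Empty) } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

"Template            : $($Tpl.Name)"
"Supply in request   : $SuppliesSubject"
"Subject from AD DNS : $BuildsFromAd"
"Validity            : $($Validity.Days) days"
"EKUs                : $($Tpl.pKIExtendedKeyUsage -join ', ')"
"Enroll allowed for  : $($Enrollers -join '; ')"

if (-not $SuppliesSubject) {
    throw 'template still builds the subject from AD; set "Supply in request" on the Subject Name tab and retry'
}
if ($Enrollers -match '\\Domain Users$' -or $Enrollers -match '\\Domain Computers$' -or
    $Enrollers -contains 'NT AUTHORITY\Authenticated Users') {
    Write-Warning 'Broad Enroll rights on a supply-in-request template let any such principal request a certificate for any name; tighten the Security tab before publishing.'
}

# Publish on the issuing CA (same as New > Certificate Template to Issue), then confirm.
& certutil.exe -config $CaConfig -SetCATemplates "+$TemplateName" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates failed ($LASTEXITCODE)" }
& certutil.exe -config $CaConfig -CATemplates | Select-String -SimpleMatch $TemplateName
```

Run it against the issuing CA only: the root CA in a two-tier deployment should not issue end-entity certificates at all, and publishing the template there would invite exactly that.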
Author Comment

by:jpletcher1
ID: 36589693
Getting closer! I have the Computer cert duplicated and I set the new template to specify the subject name. I added it to our CA. I go to the server I want to get the certificate for and open MMC, computer certificate area. Right click, all tasks, request new certificate. Then when I go to set it up it still looks the same where my options for subject are the typical options and it doesn't give me the ability to specify my own. I double checked the template and I did select the option to have the subject be specified.

Thanks for your continued support.
Author Comment

by:jpletcher1
ID: 36589697
Here is a screen shot where I am still stuck.
cert2.JPG
Author Comment

by:jpletcher1
ID: 36589902
Actually, when I use the new template and select to use "common name", I can put in the server name and when it makes the cert it leaves the subject as the single name, not the fqdn. So that's what I need. Thanks for all your help!
Author Closing Comment

by:jpletcher1
ID: 36589911
Thanks for the great and clear directions. Just what I needed.