computer certificate with common name

XTADMIN:
I need to require SSL communication with the remote desktop service on my servers, which are everything from Windows 2000 to 2008 R2. I have a Windows 2008 SP2 server set up as my issuing CA. The CA is working fine, but the computer certificates it is issuing to my servers use the FQDN. That means I get a name mismatch message when I connect to the servers via rdc after I have set the server rdc settings to use SSL. I can connect fine using the FQDN, but that is not common practice. I want to be able to connect without a warning message using the common name of the server. I have duplicated the computer certificate template and modified it to use the common name, but I get this message "Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services" when I try to request a certificate using the duplicate template. I am guessing that is because I'm on Server 2008 SP2 Standard, not Enterprise or R2. Can this be resolved given my current setup?
"I can connect fine using the FQDN but that is not common practice"

Neither is using certificates for this in the first place; if you want to do things by common practice, then you have already given that up when you went with certificates and SSL to begin with. Also, because of the invention of DNS-based Active Directory with Windows 2000 when NT4 was phased out, it can be argued that using the FQDN is the normal practice and wanting to use only the NetBIOS name of the machine is for people who can't let go of NT4.

In any case, I would expect to have to use the FQDN any time a certificate is used for any purpose; that is the common knowledge and the common practice. Using the FQDN is the proper and expected thing to use, and the certificate expects you to use the same name with the same spelling as is written into the certificate.

In direct answer to your specific question, I do not know any way to circumvent it as you are asking. Using DNS suffixes will cause the correct domain name to be assumed correctly, but I don't think that will matter to the certificate, because that is not what the certificate is looking at; it is looking at the spelling of what you literally typed in as the target machine name.
I would suggest the easiest solution is re-issuing the computer certificates as SAN certificates, and including each possible name for the computer (including internal and NATted IPs, if applicable).

You can generate such a signing request with xca ( ) and either also issue it using that tool or submit it to your CA for signing.
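The following is an added example, not code from either answer above, showing how the SAN approach can be done with the tools already on the server instead of xca: certreq builds a PKCS#10 request whose Subject is the FQDN and whose Subject Alternative Name extension carries both the FQDN and the short host name, the request is submitted to the AD CS CA, and the issued certificate is bound to the RDP-Tcp listener. The host names server01 / server01.example.local and the CA config string "ca01.example.local\Example Issuing CA" are assumed placeholders. It requests against the built-in WebServer template, which is a version 1 template with the subject name set to "Supply in the request"; a duplicated template is version 2, and an enterprise CA on Windows Server 2008 Standard (before R2) only issues from version 1 templates, which matches the 0x80094800 denial in the question. Run it in an elevated PowerShell session on the server that will be the RDP target.

```powershell
# Added example (not from the original thread): request a SAN certificate for
# the RDP listener with certreq, then bind it to RDP-Tcp.
# Assumed placeholders: server01 / server01.example.local and the CA config
# string below. Run elevated on the target server.

$shortName = $env:COMPUTERNAME.ToLower()                                   # e.g. server01
$fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$caConfig  = "ca01.example.local\Example Issuing CA"                       # assumed; list real values with: certutil -config - -ping
$template  = "WebServer"                                                   # built-in v1 template, Subject = "Supply in the request"

# certreq INF: Subject is the FQDN; the SAN (OID 2.5.29.17) lists every name
# clients will actually type. Only names this host legitimately answers to belong here.
$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$shortName&"

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path .\rdp.inf -Value $inf -Encoding ASCII

# Create the request in the machine store, submit it to the enterprise CA,
# and install the issued certificate next to its private key.
certreq -new .\rdp.inf .\rdp.req
certreq -submit -config $caConfig .\rdp.req .\rdp.cer
certreq -accept .\rdp.cer

# Locate the newest certificate for this Subject and confirm the SAN survived
# issuance before trusting it for the listener.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if (-not $san) { throw "Issued certificate has no SAN extension; the template did not honour the request." }
$san.Format($true)   # prints the DNS names, e.g. DNS Name=server01.example.local, DNS Name=server01

# Point the RDP-Tcp listener at the new certificate by thumbprint.
$rdp = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $rdp.__PATH -Argument @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null
"RDP-Tcp now uses certificate $($cert.Thumbprint)"
```

The SAN is honoured here because it travels inside the request itself and the template allows the subject to be supplied by the requester. Do not reach for the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag to force SAN acceptance instead: it lets any requester attach arbitrary names to certificates from any template, which is a well-known way to impersonate other hosts or users in the domain. Clients connecting by either name must already trust the issuing CA, which domain members do through Group Policy.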
