
SSL Certificate Name Mismatch Windows Server 2012 R2 Internal CA

We have recently set up an internal CA for the purpose of internal SSL certificates (and eventually other things like Direct Access, but that's for a later date...). Being new to the certificate game, this wasn't the quickest process in the world for me.

Through group policy all of the domain computers now happily recognise the CA as a root certificate authority. The machines that I have given permission to the certificate template can also request SSL certificates through the certificate manager quite happily.

However the certificate that is issued is issued with the FQDN (webserver.domain.com), which means that when clients connect to https://webserver they get a certificate mismatch and have to connect to https://webserver.domain.com.

I am sure I may need to provide more information. But how would I go about issuing these SSL certificates from my internal CA to the computer name rather than FQDN?

Thanks

Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
If you put the http://webserver URL in the local intranet sites, does this error go away? Also, can you add a DNS entry under your domain.com internal zone for webserver.domain.com so that it resolves the FQDN of the machine?

If this is only happening to a few users, what I would do is also check the network adapter settings to ensure that they append the parent DNS suffix to flat NetBIOS names.

Will.
Architect
Distinguished Expert 2019
Commented:
If the certificate is issued with www.webserver.com and the user is accessing it with simply webserver, then obviously a name mismatch will occur.

To avoid this, request a certificate with the subject name "webserver" and the alternate name "www.webserver.com" so that both names will work without any errors.

If you have configured certificate enrollment through GPO, it won't give you a cert with "webserver" as the subject name.

You need to manually request the cert from a custom MMC console on the server:
http://blogs.technet.com/b/isablog/archive/2011/10/09/how-to-generate-a-certificate-with-subject-alternative-names-san.aspx
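
The manual request described in the answer above can also be made from PowerShell on the web server, using the names from the question. This is an added example, not part of the original thread: the template name is a hypothetical placeholder, and it assumes the template is set to "Supply in the request" for the subject name and that the computer account has Enroll permission on it.

```powershell
# Added example. Run elevated on the web server (Windows Server 2012 R2, PKI module).
$template  = 'InternalWebServer'      # hypothetical template name, replace with your own
$shortName = 'webserver'              # name clients type as https://webserver
$fqdn      = 'webserver.domain.com'   # name clients type as https://webserver.domain.com

# Put BOTH names in the Subject Alternative Name extension. Current browsers
# match the host name against the SAN only and ignore the subject CN.
# A template that accepts requester-supplied names should have its Enroll
# permission limited to the servers that need it.
$result = Get-Certificate -Template $template `
    -SubjectName "CN=$shortName" `
    -DnsName $shortName, $fqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    throw "Request was not issued (status: $($result.Status)). Check template permissions or pending approval on the CA."
}

# Verify the issued certificate really carries every name clients will use.
# Note: the 'DNS Name=' label in the formatted output is locale dependent.
$cert    = $result.Certificate
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Issued certificate has no SAN extension.' }
$sanText = $sanExt.Format($false)

foreach ($name in $shortName, $fqdn) {
    $pattern = 'DNS Name=' + [regex]::Escape($name) + '(,|$)'
    if ($sanText -notmatch $pattern) {
        throw "SAN is missing '$name'. Found: $sanText"
    }
}

"Issued $($cert.Thumbprint) with SAN: $sanText"
```

The resulting certificate still has to be bound to the HTTPS site in IIS before clients see it.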

Author

Commented:
Thank you, glad to know this can't be achieved using the enrollment method I am using. I will have to read through the article and get more to grips with issuing SSL certificates.

Do you know if there is anything on the MVA with regards to this? I have done the Windows Server 2012 R2 admin courses but it didn't touch on this enough.