Solved

Need assistance in completing the cert enrollment.

Posted on 2016-08-11
2
54 Views
Last Modified: 2016-08-24
I am creating a SAN certificate CSR using the option "Certificate Enrollment wizard with a standalone CA" in this link - https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx#BKMK_CertEnroll

When completing the certificate enrollmet, I use the cert from my 3rd party CA and the file will be mycert.CRT.  May someone give me some example of using the CERTREQ.EXE in the link?

In the name, it says "Servername\CAName".  In my case, it is a godaddy.com.  "CertificaeRequest.req" which I assume it is my certificate request file?  But I usually use the extension .txt.  The "CertificateResponse.cer", again, my 3rd party CA they always give me a final cert with a  .zip files which composes of both the .CRT and another intermediate file.7b.  And the "RequestID" - dont know where to get it.

I do not know how to put the above together.  How do I do this in MMC?

Many thanks.
0
Comment
Question by:nav2567
2 Comments
 
LVL 24

Accepted Solution

by:
-MAS earned 500 total points
ID: 41751666
.req you can open in notepad and paste in Godaddy portal.
If you open file received from Godaddy (zip file) you can see .cer an .p7b files.  
You have to install in your IIS8 (in windows 2012 server).
Here is the guide from Godaddy. https://www.godaddy.com/help/iis-8-install-a-certificate-4951
0
 

Author Comment

by:nav2567
ID: 41751903
MAS,

Just want to clarify, so, I can use the below to request a SAN CSR.  Once I have got the zip file from my 3rd party CA, use your want to complete the rest in IIS?  

When I go to the personal store and export the PKF cert, it should contain all the host names of other computers I could use to protect, right?

************************************************************************************
use the Certificate Enrollment wizard with a standalone CA

In the Certificates snap-in, right-click the Personal folder, point to All Tasks, point to Advanced Operations, and then click Create Custom Request.
This will start the Certificate Enrollment wizard.
Click Next.
Click Proceed without enrollment policy, and then click Next.
In the Template list, click either (No template) CNG key or (No template) Legacy key. (No template) CNG key will ensure that the private key will be generated by the new Cryptography Next Generation key storage provider (KSP) and may not be usable by all applications. To ensure interoperability, click (No template) Legacy key, which will use the CAPI2 cryptographic service provider (CSP).
For Request format, click either PKCS #10 or CMC. PKCS #10 is generally accepted by all CAs. If you will not submit the custom request to a Microsoft standalone CA, check with your CA vendor to determine if the CMC format is supported.
Click Next.
Click the Details arrow, and then click Properties. You will need to configure all the certificate request options so that the issued certificate will be suitable for TLS/SSL.
On the Subject tab:
noteNote
Because SSL/TLS does not require a Subject name when a SAN extension is included, the Subject name can be empty. If you are using another protocol, verify the certificate requirements. To use an empty Subject name, skip steps 8a and 8b.
In the Subject name area under Type, click Common Name.

In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.

In the Alternative name area under Type, click DNS.

In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add.

Repeat steps c and d above for each SAN you want to specify.

On the Extensions tab:
Click the Key usage arrow. In the Available options list, click Digital signature, and then click Add. Click Key encipherment, and then click Add.

Click the Extended Key Usage (application policies) arrow. In the Available options list, click Server Authentication and Client Authentication, and then click Add.

On the Private Key tab:
Click the Cryptographic Service Provider arrow, and verify the following:

If you selected CNG key in step 4 above, the RSA, Microsoft Software Key Storage Provider is enabled.

If you select Legacy key in step 4 above, the Microsoft RSA SChannel Cryptographic Provider is enabled.

Click the Key options arrow. In the Key size list, select a key size. If desired, select the Make private key exportable check box. Do not select either the Allow private key to be archived or Strong private key protection check box.

Click the Select Hash Algorithm arrow. In the Hash Algorithm list, select the desired hash algorithm.

Warning:
The specified hash algorithm is used in the request. You must specify a hash algorithm that is compatible with your client computer and CA.
Click the Key permissions arrow. If the application or service runs as Network Service, grant the Network Service account Read permission. If the application or service that will use this certificate runs as Local System, no permissions changes are required.

Click OK.
Click Next.
Enter a path and file name indicating where the request file will be saved.
Select the Base 64 format.
Click Finish.
************************************************************************************
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now