  1. #1

    FN-GM

    Request SAN Certificate From Internal CA

    Hi,

    I have a CA Server Running Server 2012. Works good for issuing normal certificates.

    I am trying to request a SAN certificate for an internal IIS website. I have followed this guide under the section "To use the Certificate Enrollment wizard with an enterprise CA".

    I do not get the warning in step 13. But I pressed properties and added the other names as shown in the other steps.

    When the certificate is issued it doesn't include the SANs.

    What am I doing wrong please?

    Thanks

  2. #2

    FN-GM

    Anyone please?

  3. #3

    FN-GM

    I have found this - https://www.icts.uiowa.edu/confluenc...+within+Apache

    I would like to make a certificate with an exportable key. The above link doesn't allow me to do so. But if I generate a usual one in IIS it does.

    Any ideas please?

  4. #4

    Gatt

    I find it easier to use OpenSSL on a Linux box for normal Web SSLs and modify the default conf file with the appropriate SANs.
    I can then submit the CSR to the CA with no issues at all.

    Other than that it's a case of duplicating the Certificate template in Certificate Templates to allow additional info such as SANs.

  5. #5

    FN-GM

    I used OpenSSL on Windows to generate a CSR. I have it as a .cer file but I am struggling to use it as the key is not exportable.

  6. #6

    Gatt

    When I use OpenSSL in Linux, all I do is copy the CER file (as long as I download it in Base64 format) and paste it into a CRT file.

    cat > server.domain.fqdn.crt
    <PASTE-TEXT-HERE>
    <CTRL+C>

    the CRT is then valid.

    the full sequence is:

    openssl genrsa -des3 -out keyfile.key 2048
    openssl req -new -key keyfile.key -out server.domain.fqdn.csr
    cat server.domain.fqdn.csr
    <copy the text>

    open http://cert-ca-server/certsrv
    Follow the options to create a new certificate (request -> advanced) + paste the CSR text into the box and choose a WebServer template that is SAN capable
    Download the CER in Base64 format
    Open in Notepad++ and copy the text
    In Linux type:
    cat > server.domain.fqdn.crt
    <paste the CRT text in>
    <ctrl+c>

    Voila! one CRT file!

  7. #7

    Gatt

    Also, have you modified the CA template to allow keys to be exportable?

  8. #8

    FN-GM

    Yep, it allows me to export a key if I generate the CSR in Windows or IIS.

    Basically I want to make a SAN. Doing what it says in this link, is this the correct thing? - https://www.icts.uiowa.edu/confluenc...+within+Apache

    I have followed the above, made a .csr, put it into my CA, and now I have a .cer and a .key. Will this command turn them into a .pfx? - openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

    Thanks
    Last edited by FN-GM; 23rd April 2013 at 10:34 PM.

  9. #9

    Gatt

    It should have downloaded as a .CER - unless you chose download the full chain as well (2nd Option on the download page for the CA)?

    As for converting PFX - try this site: MarkBrilman.nl Howto convert a PFX to a seperate .key/.crt file
    (not had to do it myself..)
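
The OpenSSL route from posts #4 to #8, carried end to end as an added example (not code from either poster): the SANs go into a request config, the CSR and the issued certificate are each checked for them, and the result is bundled with the pkcs12 command asked about in post #8. A throwaway local CA stands in for the internal CA, the key is left unencrypted so the script runs unattended, and all host names, file names and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example; host names, password and file names are constructed placeholders.
set -eu
NAMES="DNS:intranet.example.test,DNS:www.intranet.example.test,DNS:intranet"

make_csr() {  # $1 = work dir: key + CSR, SANs requested via the config file
  cat > "$1/san.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = intranet.example.test
[ v3_req ]
subjectAltName = $NAMES
EOF
  # No -des3 here so the demo runs unattended; protect real keys.
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -key "$1/server.key" -config "$1/san.cnf" -out "$1/server.csr"
}

san_count() {  # $1 = req|x509, $2 = file: number of DNS SAN entries present
  openssl "$1" -in "$2" -noout -text | grep -o 'DNS:[^, ]*' | wc -l | tr -d ' '
}

issue_cert() {  # throwaway CA standing in for the internal CA's issuing step
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/CACert.cer" 2>/dev/null
  # openssl x509 -req ignores CSR extensions by default, so pass the SANs explicitly.
  printf 'subjectAltName = %s\n' "$NAMES" > "$1/ext.cnf"
  openssl x509 -req -in "$1/server.csr" -CA "$1/CACert.cer" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/ext.cnf" -out "$1/certificate.cer" 2>/dev/null
}

key_matches_cert() {  # the .key must pair with the .cer or the PFX is useless
  [ "$(openssl x509 -in "$1/certificate.cer" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/server.key" -pubout)" ]
}

make_pfx() {  # $2 = export password; prefer -passout file: or env: over pass:
  openssl pkcs12 -export -in "$1/certificate.cer" -inkey "$1/server.key" \
    -certfile "$1/CACert.cer" -out "$1/certificate.pfx" -passout "pass:$2"
}

work=$(mktemp -d)
make_csr "$work"; issue_cert "$work"; key_matches_cert "$work"
make_pfx "$work" 'Constructed-Pass-1'
echo "SANs in CSR: $(san_count req "$work/server.csr")," \
     "in certificate: $(san_count x509 "$work/certificate.cer")"
```

Running the same `san_count x509` check on the .cer downloaded from the CA shows immediately whether the template carried the requested names into the issued certificate.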
