Quick Dirty Trick – Enroll a web server certificate from an Enterprise CA (installed on Windows Server 2008 SP2) using the mmc on a Windows Server 2008 SP2 or Windows 7 RC domain member machine

I wanted to be able to quickly obtain web server certificates (exportable along with their corresponding private keys) for internal use from an Enterprise CA (installed on Windows Server 2008 EE SP2) from a domain machine (Windows Server 2008 SP2 or Windows 7 RC).
Being in lazy mode, I decided to use the mmc and enroll web server certificates just the way we enroll Computer certificates for domain member machines, except that I will supply the needed CN for the Web Server template.

But, by default, we cannot do that. Well, it takes just a few seconds to make that possible, get the needed certificate(s) and then put everything back just the way it was (so no one will know :) ).

 

In the next lines I will walk through this “trick” (for convenience, below the CA was installed on the DC).

 

On the CA machine, click Start, head over to Administrative Tools and click Certification Authority:

start_ca

 

On the opened CA mmc, expand the CA name node, right-click the Certificate Templates node and click Manage:

cert_tmpl_man

 

Within the Certificate Templates Console locate the Web Server template, right-click it and click Properties:

web_srv_tmpl_prop_1

 

On the Web Server Properties window of this template, head over to the Security tab and click the Add… button:

web_srv_tmpl_prop_2

 

Now we have a couple of possibilities: either we add the Domain Computers object (not recommended) or we add only the domain computer from which we will make our request (recommended). Note that if we add the Domain Computers object we introduce a temporary security risk (until we “revert” the Web Server certificate template to its original state): neither the enterprise CA (by default) nor this certificate template is configured to require approval for certificate enrollment, and we can control the CN within our requests, since this certificate template is configured to have the subject name supplied in the request. In other words, while the grant is in place any domain computer can obtain a web server certificate for whatever name it asks for:

web_srv_tmpl_prop_3

Say we add only the needed domain computer object (recommended): click Object Types and select only Computers:

web_srv_tmpl_prop_7

I’m going to type part of the needed computer name, click the Check Names button and then select the domain computer object I want, in this case LAB1TMGB3:

web_srv_tmpl_prop_8

web_srv_tmpl_prop_9

Click the OK button.

Now, on the Web Server Properties window of this template, select the added computer object, tick the Allow checkbox for the Enroll permission and click the Apply button:

web_srv_tmpl_prop_10

Or, say we add the Domain Computers object (not recommended): I’m going to type domain, click the Check Names button and then select the Domain Computers object:

web_srv_tmpl_prop_4

web_srv_tmpl_prop_5

Click the OK button.

Now, on the Web Server Properties window of this template, select the added Domain Computers object, tick the Allow checkbox for the Enroll permission and click the Apply button:

web_srv_tmpl_prop_6

And we’re done for the moment with the CA (you can close the Certificate Templates Console window if you want).

Head over to the domain computer from which you will request the certificate. (Just in case you try it from the DC, if you have a reason for that: it will not work from the DC if you’ve selected the Domain Computers object, but it will work if you’ve selected the DC computer object instead.)

 

For convenience, I will picture the certificate enrollment process side by side from a Windows Server 2008 SP2 machine and a Windows 7 RC machine (both domain members).

 

Click Start, click Run, type mmc and hit Enter.
On the opened console window, click the File menu, select Add/Remove Snap-in, add the Certificates snap-in for the Computer account of the Local Computer and click Finish.

Expand the Certificates (Local Computer) node, expand Personal, right-click Certificates, point to All Tasks and click Request New Certificate:

req_cert_qeb_mmc_1_1
req_cert_qeb_mmc_2_1

 

The Certificate Enrollment wizard appears, click Next:

req_cert_qeb_mmc_1_2
req_cert_qeb_mmc_2_2

 

If you are on Windows 7 RC, click Next on the screen below:

req_cert_qeb_mmc_2_3

 

And as we can see, the Web Server template is now available for request from the mmc. Select it and click the blue “More information is required to enroll for this certificate. Click here to configure settings” link, as we need to supply information like the CN:

req_cert_qeb_mmc_1_3
req_cert_qeb_mmc_2_4

 

Time to provide the needed info. I will add a CN.
On the Subject tab, in the Subject name: area, select Common name from the Type drop-down list, type the desired CN and click the Add > button to add this CN to the certificate request:

req_cert_qeb_mmc_1_4
req_cert_qeb_mmc_1_5
req_cert_qeb_mmc_1_6

req_cert_qeb_mmc_2_5
req_cert_qeb_mmc_2_6
req_cert_qeb_mmc_2_7

 

On the General tab, you may want to type a Friendly name for this certificate so you can quickly identify it:

req_cert_qeb_mmc_1_7
req_cert_qeb_mmc_2_8

 

If you want to make the private key exportable (although apparently the configured template does not allow us to do that), on the Private Key tab expand Key options and select Make private key exportable (as you will see, if we do that we will be able to export the cert along with its private key):

req_cert_qeb_mmc_1_8
req_cert_qeb_mmc_2_9

 

Click Apply and OK to close the Certificate Properties window.

 

And hit the Enroll button:

req_cert_qeb_mmc_1_9
req_cert_qeb_mmc_2_10

 

And we successfully obtain our web server certificate (click Finish to close this window):

req_cert_qeb_mmc_1_10
req_cert_qeb_mmc_2_11

Let’s take a quick look at the obtained certificate:

view_cert_1_1
view_cert_1_2
view_cert_1_3

view_cert_2_1
view_cert_2_2
view_cert_2_3

If you’ve selected on the certificate request the option to allow the private key to be exported, you will be able to export the cert along with its corresponding private key (I did so and imported the cert on an IIS 7 web server):

exp_cert_1_1
exp_cert_1_2

exp_cert_2_1
exp_cert_2_2

And finally it’s time to put the Web Server certificate template back the way it was:
- On the CA machine, click Start, head over to Administrative Tools and click Certification Authority.
- On the opened CA mmc, expand the CA name node, right-click the Certificate Templates node and click Manage.
- Within the Certificate Templates Console locate the Web Server template, right-click it and click Properties.
- On the Web Server Properties window of this template, head over to the Security tab and select the object you’ve added:

- if you’ve added only the needed computer object (recommended), remove it (click the Remove button):
ca_tmpl_remove1_1

- if you’ve added the Domain Computers object, remove it (click the Remove button):
ca_tmpl_remove1_2

 

And then click Apply and OK to close the Web Server Properties window:

ca_tmpl_remove1_3
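As an added check that is not part of the original post, the PowerShell below reads the Web Server template from the Configuration partition and reports who still holds Enroll on it and whether it still supplies the subject in the request without CA manager approval, so a forgotten Domain Computers entry does not survive the revert. It assumes the RSAT ActiveDirectory module in a domain-joined session with read access to the Configuration partition; the template CN WebServer, the Certificate-Enrollment right GUID and the msPKI flag bits are the documented AD values.

```powershell
# Added example (not from the original post): audit the Web Server template's
# Enroll ACL and its name/enrollment flags after reverting the temporary grant.
# Assumes the RSAT ActiveDirectory module (provides Get-ADObject and the AD: drive).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
# The template's CN in AD is "WebServer"; "Web Server" is only its display name.
$tmplDN   = "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Extended right GUID for Certificate-Enrollment (the Enroll permission on the Security tab).
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
# Flag bits read from the template object.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: "CA certificate manager approval"

$tmpl = Get-ADObject -Identity $tmplDN -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag'
$suppliesSubject = ($tmpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$needsApproval   = ($tmpl.'msPKI-Enrollment-Flag'       -band $CT_FLAG_PEND_ALL_REQUESTS)         -ne 0

# Principals that can enroll: an Allow ACE for the Enroll extended right, for all
# extended rights (empty ObjectType GUID), or GenericAll on the template object.
$acl = Get-Acl -Path "AD:\$tmplDN"
$enrollers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
            ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [Guid]::Empty)) -or
        $_.ActiveDirectoryRights -match 'GenericAll')
} | Select-Object -ExpandProperty IdentityReference -Unique

"Web Server template: subject supplied in request = $suppliesSubject; manager approval required = $needsApproval"
"Principals with Enroll:"
$enrollers | ForEach-Object { "  $_" }

# After the revert only the original entries (e.g. Domain Admins, Enterprise Admins)
# should remain. A broad principal left on a supply-in-request template that needs
# no approval is exactly the temporary risk the post describes, so flag it.
$broad = $enrollers | Where-Object { $_ -match 'Domain Computers|Authenticated Users|Domain Users' }
if ($suppliesSubject -and -not $needsApproval -and $broad) {
    Write-Warning "Leftover broad Enroll permission on the Web Server template: $($broad -join ', ')"
}
```

Running it before the temporary grant gives you the baseline list of principals to compare against after the revert.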

Comments (6) -

  • I've got a blog article coming soon that simplifies this process somewhat, and isn't quite so naughty Smile
    • I look forward to reading it. -Smile

      Well, basically I was in need ASAP of 5 different web server certificates for internal use, and it worked quite fast for me like so.

      Thanks,
      Adrian
      • Well, simplify is maybe not quite the right word, maybe more generic would be a better description. Using the MMC is fine for the Web Server template, but not always ideal for other template types...I've got so many blog ideas in my head, but so little practical time to write them up Frown
        • Yeah, I know how it is.
          Also, for me, writing isn't the same fun as testing, playing with protocols, configuring, etc.

          They should invent one writing machine that automatically puts the ideas on paper, and possibly to have an option to put them in blog entries. -Smile

          Cheers!
          Adrian
  • I am that writing machine. Unfortunately, my job has me writing about vPro, Nehalem, High-K (high dielectric) Hafnium gates/circuitry, VT-x, VT-d, VT-i, Serial over LAN, IDE Redirect, Turbo Boost, core parking, and lots of other fun Intel things Smile  Maybe if we could get more hours in the day things would be easier Smile
    • Haf-hafnamiumnum what ? (tongue effort) -Smile

      Cheers!
      Adrian