I have a CSR, how do I get a Server 2102 R2 CA to issue a certificate?

    Question

  • In fact I have two CSRs that I would like to get certificates for: one from a Sonicwall firewall, one from a Lync 2010 Edge server which is not domain joined.

    I have a CA which has been upgraded many times. I'm trying to understand how to access the various templates:

    There is a "Web Server Windows 2000 template version 4.1" but it has only 1024 bit key; this is accessible in the certsrv web interface. I don't want to use it.

    There is a "Web Server 2048 template Windows Server 2008 Enterprise version 100.4", which would seem a better bet but it is not visible in the certsrv interface.

    Do I assume Version 3 is more secure than version 2 than version 1, or do I just use version 1 for all normal uses?


    CarolChi

    Tuesday, July 08, 2014 5:03 PM

Answers

  • I have indeed used the Windows 2008 / 2008 R2 CA wording - sorry. There are even more compatibility settings in Windows 2012 R2 - you can now select both the CA version and the client's version.

    But the bottom line is still that for a Web Server template using the "most compatible" one will be OK. You want a template you can edit and that supports a CSP capable of 2048 RSA keys.

    Picking 2003 as either server or client does not mean the template is "outdated" - it basically says "classical CSP".

    Elke

    Tuesday, July 08, 2014 6:11 PM

All replies

  • Version 3 templates do not show up in the certsrv app by design (see e.g. this article).

    Unless you need specific cryptographic algorithms you don't need them for web servers. "Normally" version 2 templates for 2048-bit RSA keys are used.

    Version 1 means they cannot be edited, so you would copy the old v1 Web Server template to a v2 template and increase the key size in your copied template.

    Elke

    Tuesday, July 08, 2014 5:37 PM
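
An added example, not part of any reply in this thread: when the copied v2 template is not offered in the certsrv pages, the CSR can be submitted from the command line with certreq against a named template, after checking its key size with certutil. The CSR path, CA config string and template name below are placeholders to replace with your own.

```powershell
# Added example. All three values are placeholders, not taken from the thread.
$CsrPath  = 'C:\Temp\edge.csr'               # PKCS#10 request from the firewall or Edge server
$CaConfig = 'CA-HOST\Example-Issuing-CA'     # "hostname\CA name" of the issuing CA
$Template = 'WebServer2048'                  # hypothetical template name (not the display name)
                                             # of the v2 copy of the v1 Web Server template
$MinBits  = 2048

if (-not (Test-Path -LiteralPath $CsrPath)) {
    throw "CSR not found: $CsrPath"
}

# Decode the request. certutil output is localized; this pattern matches English output.
$dump = certutil -dump $CsrPath
if ($LASTEXITCODE -ne 0) {
    throw "certutil could not decode $CsrPath (not a valid PKCS#10 request?)"
}

$match = $dump | Select-String -Pattern 'Public Key Length:\s*(\d+)\s*bits' |
         Select-Object -First 1
if (-not $match) {
    throw 'Could not find the public key length in the certutil output.'
}

# Refuse to submit a request whose key is shorter than the template is meant to allow.
$bits = [int]$match.Matches[0].Groups[1].Value
if ($bits -lt $MinBits) {
    throw "CSR key is $bits bits; regenerate it on the device with at least $MinBits bits."
}

# Submit against the named template. The template must be published on the CA and
# the submitting account needs Enroll permission on it.
$CertOut = [System.IO.Path]::ChangeExtension($CsrPath, '.cer')
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $CertOut
if ($LASTEXITCODE -ne 0) {
    throw "certreq -submit failed with exit code $LASTEXITCODE"
}
Write-Output "Issued certificate written to $CertOut"
```

If the template requires CA manager approval, certreq reports the request as pending and no certificate file is written until the request is approved on the CA.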
  • So what is a version 2 ? Windows Server 2008 Enterprise or Windows Server 2003 Enterprise? Or is that another thing completely?

    CarolChi

    Tuesday, July 08, 2014 5:57 PM
  • If you select Windows 2003 you will get a v2 from copying a v1 template (and v2 will remain v2 when copying them as "Windows 2003")
    Tuesday, July 08, 2014 5:59 PM
  • clear as mud, I guess you just remember.

    and this is on server 2012 R2 ????

    Not your fault but I thought server 2003 was out of support.


    CarolChi

    Tuesday, July 08, 2014 6:00 PM
  • Here is an overview of all the options for templates version 1,2,3, and 4:

    Windows Server 2012: Certificate Template Versions and Options

    I have seen issues with SSL (SChannel errors) with CNG providers so I am rather conservative when it comes to web server certificates.

    Tuesday, July 08, 2014 6:15 PM
  • Hi Carol,

    In addition, Microsoft support for Windows Server 2003 and Windows Server 2003 R2 ends on July 14, 2015.

    Windows Server 2003 end of support

    http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/default.aspx#fbid=kDUwUCRSe8f

    If you need further assistance by now, please feel free to let us know.

    Best Regards,

    Amy

    Tuesday, July 15, 2014 3:33 AM
  • OK so just a confusing bit of terminology

    CarolChi

    Tuesday, July 15, 2014 5:49 AM