Certificates with Windows Server 2008 Std and Enterprise CA

Question

  • Hello,

    I have a Windows Server 2008 Std. Edition with Enterprise CA installed. I need to request certificates for connecting Essentials to my OpsMgr; however, I've found out that I cannot make my own certificate templates as I am running Std. Edition of Windows Server.

    My question is, is there any of the default templates that can be used or am I required to run a stand-alone CA or upgrade my OS to Enterprise Edition? Upgrading my OS isn't really an option though. Are there any other alternatives?

    My preferred usage would be to simply make the Computer Template usable as it complies with OpsMgr -> Essentials requirements.

    Thanks in advance!

    Sebastian Haraldsson

    sebastian.haraldsson@resursit.se.nospam

    Thursday, April 3, 2008 10:13 PM

Answers

  • Hi Sebastian,


    The certificate must meet the following requirements, and the default Computer Certificate template from Windows Certificate Services meets these requirements:


    1. Exist in the Personal store for the computer account
    2. Use the following keys: Digital Signature, Key Encipherment (a0)
    3. Use the following enhanced keys: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)
    4. Have a subject name that contains the fully qualified domain name (FQDN) of the server for which the certificate will be installed


    The certificate of the certification authority that issued these certificates must be imported into the Trusted Root Certification Authorities store both on the Operations Manager 2007 Management Server and on the Essentials 2007 Management Servers. If there are any intermediate or issuing certification authorities between the root certification authority and the certificate, their certificates must be imported into the Intermediate Certification Authorities.


    These certificates can be issued by an Internet-based certification authority or by Certificate Services on a computer running Windows Server. For more information about using Certificate Services, see Certificate Services (http://go.microsoft.com/fwlink/?LinkId=70929).


    For the System Center Essentials 2007 Management Server, export the personal certificate as a PFX file with the private key and the trusted root certificate as a .CER file to be used when you run the Configure Service Provider Mode tool. For more information about this tool, see How to Configure System Center Essentials to Support the Managed Services Provider (http://go.microsoft.com/fwlink/?LinkId=94453).


    For more information about other Operations Manager 2007 security topics, see the Operations Manager 2007 Security Guide (http://go.microsoft.com/fwlink/?LinkId=64017).

    Thanks.

    Monday, April 7, 2008 11:32 AM
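As an added check (example code written for this page, not from the thread or from Microsoft's documentation), the following PowerShell inspects every certificate in the computer's Personal store against the four requirements listed in the answer above, and also reports whether the chain builds to a trusted root, i.e. whether the issuing CA certificates were imported as described. It assumes it runs on the server whose FQDN the certificate must name; the function name Test-OpsMgrCertificate is made up for this example.

```powershell
# Added example, not from the thread: validate machine certificates against the
# requirements in the answer above. Assumes an elevated PowerShell session on the
# Essentials/OpsMgr server itself, so its own FQDN is the expected subject name.
$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Requirement 2: Digital Signature + Key Encipherment (the "a0" key usage value)
$KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$RequiredKeyUsage = $KU::DigitalSignature -bor $KU::KeyEncipherment

# Requirement 3: Server Authentication and Client Authentication EKUs
$RequiredEkus = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    $ku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku -or (($ku.KeyUsages -band $RequiredKeyUsage) -ne $RequiredKeyUsage)) {
        $problems += "KeyUsage lacks DigitalSignature+KeyEncipherment (has: $($ku.KeyUsages))"
    }

    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    foreach ($oid in $RequiredEkus) {
        if ($ekuOids -notcontains $oid) { $problems += "EKU missing $oid" }
    }

    # Requirement 4: subject must contain the server's FQDN (match is case-insensitive)
    if ($Cert.Subject -notmatch [regex]::Escape($ExpectedFqdn)) {
        $problems += "Subject '$($Cert.Subject)' does not contain $ExpectedFqdn"
    }

    # The Configure Service Provider Mode tool needs a PFX with the private key
    if (-not $Cert.HasPrivateKey) { $problems += "No private key associated" }

    # Chain check: fails if the root / intermediate CA certs were not imported
    if (-not $Cert.Verify()) { $problems += "Chain does not build to a trusted root" }

    [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject; Problems = $problems }
}

# Requirement 1: the Personal store of the computer account is Cert:\LocalMachine\My
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-OpsMgrCertificate $_ } | Format-List
```

A certificate with an empty Problems list is the one to export as PFX for the Service Provider Mode tool.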

All replies

  • Hello Sebastian;


    I had the same problem and I had to upgrade my server version to Server 2003 Enterprise.  The issue is that when you copy a template such as the computer template you can't publish it.  Once we upgraded our certificate server, we copied the computer template, and changed it to make the certificate exportable and to provide the hostname in the request rather than from DNS.  This was done because our client's SCE server has no access to our domain and is not in our DNS.

    I then followed the following article (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx) to create an offline certificate request on my client's SCE server, import the request in our CA and issue the certificate.  It was then imported into the SCE server and exported to a PFX so you can select it when you run the Service Provider Configuration Tool.


    The article refers to using an inf file to provide the type of certificate required.  The following is what I used in my inf file:


    [NewRequest]
    ; Subject carries the FQDN of the SCE server (replace with your own)
    Subject = "CN=sceserver.company.com"
    ; KeySpec 1 = AT_KEYEXCHANGE, usable for both signing and encryption
    KeySpec = 1
    KeyLength = 1024
    ; Exportable so the issued certificate can later be exported to PFX with its key
    Exportable = TRUE
    ; Key is created in the computer's store, not the requesting user's
    MachineKeySet = TRUE
    SMIME = FALSE
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    ; 0xa0 = Digital Signature + Key Encipherment
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    ; Server Authentication
    OID=1.3.6.1.5.5.7.3.1
    ; Client Authentication
    OID=1.3.6.1.5.5.7.3.2

    Hope that helps.


    Regards  Franco
    • Proposed as answer by Arricc Thursday, March 18, 2010 1:21 PM
    Thursday, April 24, 2008 4:36 AM
  • Hello Franco,

    We didn't have the option to upgrade our server to Enterprise and obviously this is why our Enterprise CA couldn't issue the certificates we required (as you can't create or edit certificate templates if you are not running an Enterprise server yourself). We simply replaced it with a Standalone CA which worked immediately, so I guess we did everything right but still had it wrong :)

    Thanks for your input though, I'm sure we'll find it most helpful when/if we choose to go with an Enterprise CA.

    /Sebastian
    Thursday, April 24, 2008 6:31 AM