SAN Certificates from internal CA RRS feed

  • Question

  • Hi all,

    Just a question really. If I, on IIS 10, go and create a domain certificate, it will then go and get that from my internal CA, and then I bind that certificate to the website. But when I go to open the website I get "NET::ERR_CERT_COMMON_NAME_INVALID".

    Now in my case specifically I traced it down to Subject Alternative Name not being in that default web template certificate, and the solution for me was to create the certificate slightly differently as outlined in https://mycontraption.com/creating-an-ssl-certificate-with-subject-alternative-name-san-fields-for-iis/

    Now my question is, is it possible to duplicate the default web template certificate on the internal CA and add SAN as an attribute?

    Regards

    Ronnie

    Thursday, May 24, 2018 10:23 AM

Answers

  • Hi Ronnie,

    The MMC only allows enrollment on the template for computer type certificates if the computer account has enroll permissions for the reason @Mylo pointed out. You can do it the way you found (give the computer enroll permissions), or you can use a different method like Certreq.exe.

    Incidentally, you do not need autoenroll permissions in this case. You need that if you want to automatically enroll certificates to a set of computers/users using group policy.

    Kind Regards,

    Friday, May 25, 2018 1:48 PM

All replies

  • You always should put SAN entries as a part of signed request. Unfortunately, IIS does not support SAN extension, therefore you should use MMC snap-in to create request and provide SAN information.

    The blog post you referenced contains correct steps with the exception: select Request New Certificate context menu, go through certificate enrollment wizard and select Web Server template. Expand template, press Properties and fill subject and SAN values. When done, press Enroll to request the certificate.

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Thursday, May 24, 2018 11:42 AM
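As an added example (not from this thread or its authors), here is the Certreq.exe route the accepted answer mentions, carrying the SAN entries inside the signed request as the reply above recommends. The hostnames, CA config string and file names are assumed placeholders; `WebServer` is the default name of the built-in Web Server template, and the account submitting the request still needs Enroll permission on that template.

```powershell
# Added example: request a Web Server certificate with SAN entries from an
# internal AD CS CA using certreq.exe instead of the IIS domain-certificate wizard.
$Subject  = 'CN=www.contoso.local'                      # assumed hostname
$SanList  = @('www.contoso.local', 'contoso.local')     # assumed SAN names
$Template = 'WebServer'                                 # built-in Web Server template
$CaConfig = 'CA01.contoso.local\Contoso-Issuing-CA'     # assumed "host\CA name"

# SAN extension (OID 2.5.29.17) in certreq's {text} syntax: dns=a&dns=b
$SanValue = ($SanList | ForEach-Object { "dns=$_" }) -join '&'

$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}$SanValue"

[RequestAttributes]
CertificateTemplate = $Template
"@

Set-Content -Path .\request.inf -Value $Inf -Encoding ASCII
certreq -new .\request.inf .\request.req                 # key lands in LocalMachine store
certreq -submit -config $CaConfig .\request.req .\cert.cer
certreq -accept .\cert.cer                               # installs into LocalMachine\My

# Verify the issued certificate actually carries the SAN before binding it in IIS
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Subject -eq $Subject | Select-Object -First 1
($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
```

The last line prints the decoded SAN list; if it is empty, the CA did not honour the extension and the same NET::ERR_CERT_COMMON_NAME_INVALID error will return.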
  • Hi Vadims,

    Doing what you say I only see a "Computer Certificate". Can you help me get Web Server working? Or the "Published Web Server"?

    On my Internal CA i have only installed the CA role and the Web Enrolment role feature. Not sure if that needs changing.

    Regards

    Ronnie

    Thursday, May 24, 2018 2:41 PM
  • Small update. On the certificate template under the security properties I added the web server in and gave it read, enroll and autoenroll, and then it works.

    If I grant my own personal administrative account the same rights I am not able to do it. Should it be this way, that a computer account needs access on the web server template?

    Thursday, May 24, 2018 3:10 PM
  • From the Certificate Local Computer snap-in, it's the computer that submits the enrollment request.

    http://blog.auth360.net

    Thursday, May 24, 2018 9:43 PM