Windows 2016 Certification Authority

  • Question

  • Hello,
    the environment I have is the following:
    1- SVR1 (Windows Server 2016): is the domain controller & DNS server.
    2- SVR2 (Windows Server 2016): has the Certification Authority installed (integrated into AD) & other services.
    3- SVR3 (Ubuntu 7.5): is a domain member, FreeRADIUS server, other services.

    In order to authenticate users securely (especially through WLAN), RADIUS needs its own privateKey.pem, certificate.pem (signed certificate), certRequest.pem (to renew the same certificate when it has expired) in addition to the cacert.pem [CA certificate]. I already have the last one.
    How can I manually get the required files (certificate) from SVR2?
    I have tried to create a request & private key in Linux (OpenSSL), then send them to SVR2 for signing in the CA. However, I got unclear error messages.
    I have also tried to create the certificate on SVR2 using mmc > snap-in > certificate and add a certificate for another computer, but I had a path error.
    Note that SVR3 might need more than one different certificate for different services.
    So, any ideas about the correct solution?
    Thank you in advance.
    Wednesday, January 30, 2019 5:55 PM

Answers


  • Hello everybody, 
    I just wanted to say that I could solve the problem. With the help of Windows Docs: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn296456(v=ws.11)
    One should pay attention to the request info file, which might require some changes. 
    Have a nice day
    • Marked as answer by TheGodFatherDD Wednesday, February 6, 2019 8:25 AM
    Wednesday, February 6, 2019 8:25 AM

All replies

  • Hello,

    This is a note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Thank you for your understanding and support.

    Best Regards,

    Kallen


    Thursday, January 31, 2019 6:13 AM
    Moderator
  • Use OpenSSL 

    Create a request file and enter the name, key size and whatever else is required by the CA for a request.

    SSL Shopper is a good source to help explain how to do this.

    The private key stays where you create it.

    When you get the cert back from the CA, it'll be ready to use. 

    Be sure to have all chaining certs available - Looks like only one in your case.

    HTH,
    Regards,

      Bill

    Bill Stites - PKI Consultant

    PKI Solutions, Inc.

    Sunday, February 3, 2019 10:38 PM
  • Hi, 

    The problem I face is about Windows AD CS. I couldn't sign certificates manually.

    E.g., when I execute the following command:

    C:\Windows\system32>certreq -submit -attrib „iTemplate:Radius" <C:\LinuxTrialReq.req>

    * iTemplate is a copy of "RAS and IAS Server"

    Then I got the following error message:

    Active Directory Enrollment Policy

      {36784C4B-A233-4B74-A4D8-DB7B535AD2BE}

      ldap:

    RequestId: 32

    RequestId: "32"

    Certificate not issued (Denied) Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

     The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE)

    Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE)

    Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

    Thank you for the hint. However, it did not help.

    Tuesday, February 5, 2019 11:01 AM
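
The flow the replies above describe (request and key created with OpenSSL on the Linux host, then signed by the CA), as an added example that is not part of any post in this thread. The host name, the `<TemplateName>` placeholder and the throwaway CA standing in for SVR2 are assumptions; `CertificateTemplate` is the request attribute named in the 0x80094801 error text above.

```shell
#!/usr/bin/env bash
# Added example. Host name and paths are placeholders; the throwaway CA only
# stands in for the AD CS CA on SVR2 so the whole flow can run offline.
set -eu

# 1. On the Linux host: create key and request. The key never leaves the host.
make_csr() {   # make_csr <dir> <fqdn>
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
          -keyout "$1/privateKey.pem" -out "$1/certRequest.pem" 2>/dev/null )
}

# 2. Check the request parses and its self-signature verifies before copying
#    certRequest.pem (only that file) to the CA.
csr_ok() { openssl req -in "$1/certRequest.pem" -noout -verify >/dev/null 2>&1; }

# 3. On the CA (not run here). A plain OpenSSL PKCS#10 names no template, so
#    pass it as a request attribute; <TemplateName> is a placeholder:
#      certreq -submit -attrib "CertificateTemplate:<TemplateName>" certRequest.pem certificate.cer
standin_ca_sign() {   # offline substitute for step 3, constructed test CA
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\nCN=unused\n[v3]\nbasicConstraints=critical,CA:TRUE\n' >"$1/ca.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null
    openssl x509 -req -in "$1/certRequest.pem" -CA "$1/cacert.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/certificate.pem" 2>/dev/null
}

# 4. Back on the Linux host: the issued certificate must carry this key's
#    public half and must chain to the cacert.pem FreeRADIUS will trust.
cert_matches_key() {
    [ "$(openssl x509 -in "$1/certificate.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/privateKey.pem" -pubout)" ]
}
chains_to_ca() { openssl verify -CAfile "$1/cacert.pem" "$1/certificate.pem" >/dev/null 2>&1; }

demo() {
    d=$(mktemp -d)
    make_csr "$d" "svr3.example.test" && csr_ok "$d" && standin_ca_sign "$d" \
        && cert_matches_key "$d" && chains_to_ca "$d" \
        && echo "request, key and certificate are consistent"
    rm -rf "$d"
}
demo
```

Run steps 1, 2 and 4 once per service when the host needs several certificates, each with its own key and request files.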
