Create certificate using Microsoft CA (certification authority)

  • Question

  • Hello,

    We use a Microsoft Certification Authority 2008 server with a root certificate.

    We also use the Citrix Web Interface with Microsoft load balancing Manager.

    Now we want to use HTTPS connections, and we created an HTTPS certificate on our CA for the Citrix web interfaces. The problem is that the certificate has now expired.

    When I try to renew it I get this error: "the certificate request was submitted to the online authority, but was not issued. the request was denied."

    So I created a new domain certificate using our CA and changed the binding on IIS to use the new cert. Now Citrix receiver works and on Internet explorer it seems to be valid.

    On Chrome and Firefox I still get an error that the page is not valid due to stronger security settings:

    On Chrome: "the identity of this website has been verified but does not have public audit records"

    Do you know how I can get it valid for the other browsers too?

    I tried to export the certificate and submit a new request on the CA. When indicating the certificate I get this error:

    The data is invalid. 0x8007000d (Win32: 13)

    Thank you

    Monday, June 1, 2015 10:02 AM

Answers

  • OK guys, solved the problem now.

    Firefox and Chrome already want the SHA256 algorithm, so here are the steps to do on your Microsoft CA if you have the same problem:

    At first duplicate the Web Server template and define SHA256.

    Then Issue the new template to your CA.

    Guide: http://virtualstation.azurewebsites.net/?p=601

    Now, often there is the problem that you still get a SHA1 cert. So you have to change the algorithm of your CA:

    In cmd do: certutil -setreg ca\csp\CNGHashAlgorithm SHA256

    Restart the CA service.

    After that you can import the requested certificate with the above command:

    certreq -submit -attrib "CertificateTemplate:WebServer" <Cert Request.req>

    Export the certificate and import it on the IIS server, change the binding and you are done.


    Monday, June 1, 2015 2:12 PM
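
To confirm the result of the steps in the answer above, this added example (not part of the original post and not Microsoft's own tooling) lists each server-authentication certificate in the local machine store together with the signature algorithm of every element in its chain. It assumes Windows PowerShell 3.0 or later on the IIS server; the function name Get-CertSignatureReport is hypothetical.

```powershell
# Added example: report the signature hash of server certificates and their chains.
# Read-only; run on the IIS server. On the CA itself, the configured hash can be
# read with: certutil -getreg ca\csp\CNGHashAlgorithm

# Signature algorithm OIDs that modern browsers reject on non-root certificates.
$weakOids = @{
    '1.2.840.113549.1.1.5' = 'sha1RSA'
    '1.2.840.10045.4.1'    = 'sha1ECDSA'
    '1.2.840.113549.1.1.4' = 'md5RSA'
}
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: TLS server authentication

function Get-CertSignatureReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Skip certificates whose EKU extension excludes server authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku) {
            $usages = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
            if ($usages -notcontains $serverAuthOid) { continue }
        }

        # Build the chain offline (no revocation lookups) to inspect each issuer.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)

        $index = 0
        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            # A self-signed root is trusted by store membership, so its own
            # signature hash is not what browsers complain about.
            $isRoot = ($c.Subject -eq $c.Issuer)
            [pscustomobject]@{
                LeafThumbprint     = $cert.Thumbprint
                ChainIndex         = $index
                Subject            = $c.Subject
                SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName
                NotAfter           = $c.NotAfter
                Weak               = (-not $isRoot) -and $weakOids.ContainsKey($c.SignatureAlgorithm.Value)
            }
            $index++
        }
    }
}

Get-CertSignatureReport | Format-Table -AutoSize
```

A row with ChainIndex 0 and Weak set to True means the certificate bound in IIS was still signed with SHA1 and has to be reissued after the CA hash algorithm change.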

All replies

  • I was now able to import the certificate on the CA using the cmd command:

    certreq -submit -attrib "CertificateTemplate:WebServer" <Cert Request.req>

    But in Chrome and Firefox there is still the security error...

    Monday, June 1, 2015 12:33 PM
  • Glad to hear this and thanks for sharing the solution with us.

    Best regards,

    Frank Shen


    Tuesday, June 2, 2015 8:39 AM
    Moderator