About requesting a server certificate from a CA

  • Question

  • Hello everyone,

    I have run into some problems while setting up my own domain and certificate server, and would appreciate some guidance from those with more experience.

    My main goal is to set up an AD LDS instance with SSL on one of the servers in the domain.

    The current setup is:

    There are 2 servers in total.

    One is the domain DC, with "AD Certificate Services (including Web Enrollment)" installed, set up as an "Enterprise Root CA".

    The other is a domain-joined Server 2008 R2 with "AD LDS" installed; I intend to request a "server certificate" from the DC for this server to complete the SSL setup.

    However, when I connect to the DC's certificate enrollment website, I cannot find an option to request a "Server Authentication certificate". I have tried setting the CA up as a "Standalone Root" and the option is there. I am new to this and have been searching Google for days without finding how to request it, so I would like to ask the experts here for some guidance.

    Thank you

    20 July 2011 03:15 PM

Answer

  • Try the following steps:

    1. In Internet Explorer, connect to http:// /certsrv.

    2. Click Request a Certificate.

    3. Click Advanced certificate request.

    4. Click Create and submit a request to this CA.

    5. In the Certificate Template list, click Web Server.

    Note: The CA must be configured to issue Web Server certificates. You may have to add the Web Server template to the Certificate Templates folder in the Certification Authority snap-in if the CA is not already configured to issue Web Server certificates.

    6. Provide identifying information as required.

    7. In the Name box, type the fully qualified domain name of the domain controller.

    8. Under Key Options, set the following options:

       - Create a new key set
       - CSP: Microsoft RSA SChannel Cryptographic Provider
       - Key Usage: Exchange
       - Key Size: 1024 - 16384
       - Automatic key container name
       - Store certificate in the local computer certificate store

    9. Under Advanced Options, set the request format to CMC.

    10. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:

        san:dns=dns.name[&dns=dns.name]

    Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both of these names must be included in the SAN attributes.

    The resulting attribute string appears as follows:

        san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com

    11. Click Submit.

    12. If you see the Certificate Issued Web page, click Install this Certificate.

    22 July 2011 05:39 AM
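The same Web Server enrollment as steps 5 to 12 above, done non-interactively with certreq.exe on the AD LDS host, as an added example that is not part of the thread or of any Microsoft documentation. It adds the two checks a practitioner would want around the answer: whether the CA publishes the WebServer template at all, and whether the issued certificate carries both DNS names. The CA config string, host names, alias and service account are assumptions for the example; run it from an elevated PowerShell prompt as a user who has Enroll permission on the Web Server template.

```powershell
# Added example (not from the original thread): the "Web Server" enrollment of
# steps 5-12 done with certreq.exe from an elevated PowerShell prompt on the
# AD LDS host. Every name below is an assumption for the example.
$caConfig = 'corpdc1.fabrikam.com\Fabrikam-Root-CA'   # "CAhost\CA name" (certutil -dump shows it)
$hostFqdn = 'ldsserver.fabrikam.com'                  # FQDN of the AD LDS server
$alias    = 'ldap.fabrikam.com'                       # DNS alias clients will connect to
$svcAcct  = 'NT AUTHORITY\NETWORK SERVICE'            # account the AD LDS instance runs as
$workDir  = Join-Path $env:TEMP 'adlds-cert'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Pre-check: the CA must publish the WebServer template (the "Note" under step 5).
# If it is missing, add it under "Certificate Templates" in the CA snap-in. If it
# is listed but the submit step is denied, the user running certreq lacks Enroll
# permission on the template (Security tab in the Certificate Templates console).
$published = certutil -CATemplates -config $caConfig
if (-not ($published | Where-Object { $_ -match '^WebServer\b' })) {
    throw "CA '$caConfig' does not publish the WebServer template"
}

# Request definition. KeySpec = 1 is the "Exchange" key usage of step 8; the key
# is created non-exportable in the machine store. The SAN is carried inside the
# request (extension 2.5.29.17) rather than as the "san:dns=" request attribute
# of step 10, so the CA does not need the EDITF_ATTRIBUTESUBJECTALTNAME2 flag.
$inf = @"
[NewRequest]
Subject = "CN=$hostFqdn"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostFqdn&"
_continue_ = "dns=$alias"

[RequestAttributes]
CertificateTemplate = WebServer
"@

$infPath = Join-Path $workDir 'webserver.inf'
$reqPath = Join-Path $workDir 'webserver.req'
$cerPath = Join-Path $workDir 'webserver.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

function Invoke-CertReq {
    param([string[]]$CertReqArgs)
    & certreq.exe @CertReqArgs
    if ($LASTEXITCODE -ne 0) {
        throw "certreq $($CertReqArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

Invoke-CertReq @('-new', $infPath, $reqPath)                           # key pair + CSR
Invoke-CertReq @('-submit', '-config', $caConfig, $reqPath, $cerPath)  # enterprise CA issues at once if allowed
Invoke-CertReq @('-accept', $cerPath)                                  # bind the cert to the key in LocalMachine\My

# Verify: the certificate is in the machine Personal store with its private key
# and the SAN lists both names, as step 10 requires.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'issued certificate not found in LocalMachine\My' }
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
foreach ($name in @($hostFqdn, $alias)) {
    if ($san -notmatch [regex]::Escape($name)) { throw "SAN is missing $name : $san" }
}

# AD LDS takes the server certificate from LocalMachine\My, but the instance's
# service account must be able to read the private key. For a CSP key the key
# file lives under MachineKeys; grant Read, then restart the ADAM_<instance> service.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $keyName
icacls $keyFile /grant "${svcAcct}:R" | Out-Null
"Enrolled $($cert.Thumbprint) for $hostFqdn; SAN: $san"
```

Two points worth knowing before following the answer above. First, the web enrollment pages only list templates that the user logging in to /certsrv has Enroll permission on, and the default Web Server template grants Enroll only to Domain Admins and Enterprise Admins; an enterprise CA that already publishes the template will therefore still hide it from an ordinary user, which is the usual reason the option is "missing". Second, the `san:dns=` request attribute in step 10 is only honoured when the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set; with that flag on, anyone who can enroll for any template can put arbitrary names, including another server's name or a user principal name, into a certificate the whole domain trusts. Carrying the SAN in the request extension, as the example does, works with the Web Server template (whose subject is supplied in the request) without that flag, and the template's Enroll permission should stay restricted for the same reason. Use a 2048-bit key rather than the 1024-bit lower bound listed in step 8.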

All replies

  • Have a look at this page.

    The 2003 content should still apply.

    However, do not use 2008 R2 Standard edition for the machine that issues CA certificates; it will cause serious problems.

    I recommend using Enterprise edition when you set it up so you do not run into unnecessary problems; otherwise, if you step on that landmine, you will be in tears.

    21 July 2011 07:35 AM
  • Thanks for the reminder and the guidance.

    That site covers the "Standalone Root CA"; I have no problem setting that up or requesting certificates from it.

    The problem I am having now is with the "Enterprise Root CA": after setting it up, I cannot find the option to request a "server certificate", and the whole set of options is different from the standalone root CA.

    That is what has been bothering me for a long time.

    Thanks

    22 July 2011 02:09 AM