MS CA and Subject Alternate Names


Michael Leone

Mar 2, 2020, 1:04:26 PM
to NTSysAdmin
OK, I can't seem to figure out where in the template to tell the CA to embed a SAN. When you use IIS and just request a certificate using IIS Admin, there's no entry to enter a SAN. Hence the issued cert has no SAN, and hence every decent modern browser complains.

So how do you automate this, with MS CA? When I used a Linux CA, it was easy, I just typed all the SANs I wanted into a file, and added it as extensions to the issued cert (hence they didn't need to be in the request itself).

So how do I do this in MS CA? I need to get an IIS cert for the web server that will host my Certificate Enrollment, and I don't want to issue one without a SAN, if I can help it.

I don't see anywhere in the certificate template for such an option, nor do I see a way to type it in (since I am signing an incoming text file, not filling out a web enrollment form).

I realize it's probably a dumb question, but have pity on my poor old tired brain .... 

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

Michael Leone

Mar 3, 2020, 9:26:40 AM
to NTSysAdmin
AH HA! So you have to make a custom request. Not use "IIS Admin".


That works, and I now have SANs in my cert.

w00t!

(quite honestly, it's not that different from the way I used to do it on Linux, as there's a lot of typing, and files to be copied to a CA, then signed, then copied back to the requestor. Haven't seen anything that is easier, since I made the subCA. But that's probably because I just don't know how yet)

So I will need to make custom requests for any Windows based cert I want. Hope the others I need (such as for a load balancer, and a wireless controller, etc) can make SAN requests ...

 

Dennis Pinckard

Mar 3, 2020, 10:14:54 AM
to ntsys...@googlegroups.com

Custom requests (and IIS manager) are designed to be used to request 3rd party certs.

Configure your (custom) CA enrollment security groups and set the security on your templates.

Configure your templates to set the defaults and required info for each template.

Then use the Certificates mmc to enroll the certs using the CA templates. 

Even better, use GPO to autoenroll many of the certificates for users and computers.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BjGzLEoc47O59WbuiNCRzP0air2z-v3Eh0%2BhKCi-6X1qw%40mail.gmail.com.

Michael Leone

Mar 3, 2020, 10:18:11 AM
to NTSysAdmin
On Tue, Mar 3, 2020 at 10:14 AM Dennis Pinckard <ntsys...@doomsdaypig.com> wrote:

> Custom requests (and IIS manager) are designed to be used to request 3rd party certs.
>
> Configure your (custom) CA enrollment security groups and set the security on your templates.

Haven't done that yet, and I needed a cert today. Haven't had time to research this, and also, the enrollment seems all b0rked up (see other email).

> Configure your templates to set the defaults and required info for each template.

I've asked before; I don't see where in the templates there is a default to enter SANs. That's why I did it this way.

> Then use the Certificates mmc to enroll the certs using the CA templates.

I see no templates when I use the Certificate MMC.

> Even better, use GPO to autoenroll many of the certificates for users and computers.

That would be nice, but I seem to be light years away from that ...

Dennis Pinckard

Mar 3, 2020, 11:31:02 AM
to ntsys...@googlegroups.com

This is going to be mostly off the top of my head, so there might be some errors.  Also keep in mind your environment may need different settings than what I chose:

  1. Create an AD group, such as "CA-WebServers" and add the computer objects of all of your web servers
  2. In the "Certificate Templates" mmc, duplicate the "Web Server" template and name it according to your naming standard.
    1. I use a company abbreviation prefix to identify all of our templates
  3. On the "General" tab, I like to check "Publish to Active Directory" and "Do not automatically reenroll".  This will add the cert to the AD object.
  4. On "Request Handling" I check "Allow private key to be exported".  I prefer to control this later in the lifecycle for Web certs.
  5. On "Cryptography", set the "Minimum Key Size" to 2048 or higher.
  6. On "Subject Name", I want to be able to specify SANs, so I select "Supply in the request".
  7. On "Security", I add my AD group, "CA-WebServers" and allow "Enroll".  This will allow you to use the Certificates mmc to automate the cert.
  8. Publish the Cert template to your CA.

Now go to your web server and use the Certificates MMC for the local machine to request a new cert using AD Enrollment Policy.  Since the computer account now has permission to enroll a certificate, you should see that template as available. The list of available templates will be a combination of what is available to the user and the computer accounts.

  1. Log into the web server with local admin permissions
  2. Start mmc.exe and load the "Certificates" addin for the local computer
  3. Navigate to "Personal" and right-click.  Choose "All Tasks" then "Request New Certificate"
  4. Click Next on "Before You Begin"
  5. Ensure "Active Directory Enrollment Policy" is selected and click "Next"
  6. If the computer's group membership has been updated, you should see your customized Web Server template.  Check it and expand "Details" on the right.
  7. Click the "Properties" button to customize the request
  8. On "Subject", fill out the "Subject Name"
    1. I enter a "Common Name" with the FQDN being used by the website, not necessarily the computer name.
    2. In "Alternative Name" add a "DNS" entry that also has the FQDN
    3. Add "DNS" entries for any alternative names.  You might want to consider short names and/or IP addresses.
  9. On "General", I prefer to add a "Friendly Name" that includes the date.
  10. On "Private Key", I verify that the "Key Size" is 2048 and "Make private key exportable" is checked.
  11. Click "OK"
  12. Click "Enroll".  There may be a screen or two after this, read them and click through.
  13. You should now have a certificate signed by the CA and installed on the computer.
  14. In IIS manager, select that certificate for use by the website.
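Doing the same thing from the command line, as an added example that is not from this thread or from the original poster: the script below writes a certreq INF file that carries the SANs inside the request (the template's "Subject Name" must be set to "Supply in the request", as in step 6 above), submits it to the CA, installs the result if the CA issued it straight away, and then confirms that the installed certificate really carries a SAN extension before you bind it in IIS. The CA config string, template name, FQDN and alternative names are placeholders I made up; replace them with your own.

```powershell
# Added example (not from the thread): request a web-server cert whose SANs
# travel inside the CSR, submit it to an AD CS CA, install it, and verify the SAN.
# Placeholders (not values from the thread):
#   CA config string "CA01.corp.example.com\Corp-Issuing-CA"
#   template name    "Corp-WebServer" (a duplicate of "Web Server" with
#                    Subject Name = "Supply in the request")
# Run elevated on the web server, whose computer account has Enroll on the template.
$CaConfig = 'CA01.corp.example.com\Corp-Issuing-CA'
$Template = 'Corp-WebServer'            # the template's internal name, not its display name
$Fqdn     = 'www.corp.example.com'
$AltNames = @('www.corp.example.com', 'www', '10.0.0.25')   # constructed sample values
$WorkDir  = Join-Path $env:TEMP 'certreq-san'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Remove-Item (Join-Path $WorkDir '*') -Force -ErrorAction SilentlyContinue
$Inf = Join-Path $WorkDir 'request.inf'
$Req = Join-Path $WorkDir 'request.req'
$Cer = Join-Path $WorkDir 'issued.cer'

# Build the SAN value in certreq's {text} syntax: dns= for names, ipaddress= for
# IPv4 literals, entries joined with '&'.
$SanParts = foreach ($n in $AltNames) {
    if ($n -match '^\d{1,3}(\.\d{1,3}){3}$') { "ipaddress=$n" } else { "dns=$n" }
}
$SanValue = $SanParts -join '&'

@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "$Fqdn $(Get-Date -Format yyyy-MM-dd)"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$SanValue"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $Inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the CSR.
certreq -new -f $Inf $Req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }

# 2. Submit to the CA. certreq prints the RequestId whether the cert is issued now
#    or held in "Pending Requests" for a CA manager; keep it for -retrieve later.
$submit = certreq -submit -config $CaConfig $Req $Cer 2>&1
$submit | Write-Host
$reqId = ($submit | Select-String -Pattern 'RequestId:\s*(\d+)' | Select-Object -First 1).Matches.Groups[1].Value

if (Test-Path $Cer) {
    # 3. Issued immediately: pair the cert with its private key in LocalMachine\My.
    certreq -accept -machine $Cer
} else {
    Write-Host "Request $reqId is pending. Once a CA manager issues it, run:"
    Write-Host "  certreq -retrieve -config `"$CaConfig`" $reqId `"$Cer`""
    Write-Host "  certreq -accept -machine `"$Cer`""
}

# 4. Verify the installed certificate actually carries the SAN extension (OID 2.5.29.17).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if ($cert) {
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { "SAN on $($cert.Thumbprint): " + $san.Format($false) }
    else      { Write-Warning "No SAN extension on $($cert.Thumbprint); browsers will reject it" }
}
```

CertificateTemplate takes the template's internal name (the "Template name" field on the General tab), not its display name. Because "Supply in the request" means the CA accepts whatever subject and SAN the enrollee puts in the CSR, keep the Enroll permission on that template limited to the web-server group from step 7; the pending state Michael hit later in the thread is what you get when the template or CA holds requests for manager approval.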

Michael Leone

Mar 3, 2020, 3:26:45 PM
to NTSysAdmin
Thanks, I will try this tomorrow, and get back to you.


Michael Leone

Mar 4, 2020, 9:59:09 AM
to NTSysAdmin
On Tue, Mar 3, 2020 at 11:31 AM Dennis Pinckard <ntsys...@doomsdaypig.com> wrote:

> This is going to be mostly off the top of my head, so there might be some errors.  Also keep in mind your environment may need different settings than what I chose:
>
>   1. Create an AD group, such as "CA-WebServers" and add the computer objects of all of your web servers
>   2. In the "Certificate Templates" mmc, duplicate the "Web Server" template and name it according to your naming standard.
>     1. I use a company abbreviation prefix to identify all of our templates
>   3. On the "General" tab, I like to check "Publish to Active Directory" and "Do not automatically reenroll".  This will add the cert to the AD object.

AH HA. I had not done this part ...

>   12. Click "Enroll".  There may be a screen or two after this, read them and click through.
>   13. You should now have a certificate signed by the CA and installed on the computer.

Yet I don't. Oh, I did all of the above steps, and I saw all the responses as you indicated. It looked for all the world like it worked. I got a success notification.

Yet I don't see a cert in IIS Admin (in Server Certificates). 

In the MMC, I see a request, under "Certificate Enrollment Requests/Certificates". But I don't see the actual cert anywhere ... I'll try rebooting it ...

Michael Leone

Mar 4, 2020, 10:21:03 AM
to NTSysAdmin
On Tue, Mar 3, 2020 at 11:31 AM Dennis Pinckard <ntsys...@doomsdaypig.com> wrote:

>   12. Click "Enroll".  There may be a screen or two after this, read them and click through.

Did that. Says "Enrollment pending". Do I need to go back to the subCA and process pending requests?

Yep, looks like that's in.

In Cert Auth on the subCA, I see the request in "Pending Requests". Looks like I need to manually issue, it's not happening automatically ...

So what config do I have wrong? I thought this should automatically issue the cert, and put it on the requestor. But I'm having to manually issue it, and copy to the requestor, and install it.

Dennis Pinckard

Mar 4, 2020, 2:23:32 PM
to ntsys...@googlegroups.com

It is possible that you may want to grant "Autoenrollment" for the Web Server AD group on your certificate template.

I believe Enroll will allow you to request that certificate type, while autoenroll will automatically approve it.  I tend to not use autoenrollment on very many templates because I use GPOs to enable autoenrollment and I don't want those certs on all servers or I need to customize the cert.

Since the Web Server template requires additional information, I don't believe the server would autoenroll based on the GPO, but just to be sure. . .

Bear in mind that the Certificate Manager mmc just manages the various certificate stores.  You will still need to assign the certificate in IIS, but it should now be visible as an available option.

Back in the dark ages, IIS manager would show just the subject name of a certificate, so if you had several re-issued certs, you would not be able to tell one from the other as they all had the same subject name.  Then I discovered that if the "Friendly Name" were added to the certificate, IIS would display that in place of the subject.  That's why I like to always add a friendly name with a date.  I think more modern IIS managers provide additional details when selecting certs, but old habits die hard.

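A way to check the two permissions and the two template settings this thread turns on, as an added example that is not from the thread or from either poster: it reads the template object from the Configuration partition with the ActiveDirectory module and reports whether the enrollee supplies the subject and SAN (msPKI-Certificate-Name-Flag bit 0x1), whether requests are held for CA manager approval (msPKI-Enrollment-Flag bit 0x2, which produces the "Enrollment pending" state seen above), and which principals hold Enroll or Autoenroll. The template name is a placeholder; the two extended-right GUIDs are the schema values for Certificate-Enrollment and Certificate-AutoEnrollment.

```powershell
# Added example (not from the thread): audit a certificate template's subject
# handling, approval requirement, and Enroll / Autoenroll grants.
# Assumes the ActiveDirectory RSAT module and read access to the Configuration
# partition. Template name "Corp-WebServer" is an assumed placeholder.
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema for the two enrollment permissions.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d2-a3cc-00c04f79dc55'   # Certificate-AutoEnrollment
# Template flag bits.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: "CA certificate manager approval"

function Get-TemplateEnrollmentAudit {
    param([Parameter(Mandatory)][string] $TemplateName)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'nTSecurityDescriptor'

    $nameFlag   = [int]$tpl.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$tpl.'msPKI-Enrollment-Flag'
    $extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Keep only Allow ACEs that grant Enroll or Autoenroll, directly (ExtendedRight on
    # that GUID), via "all extended rights" (empty GUID), or via GenericAll.
    $grants = foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasExt = (($ace.ActiveDirectoryRights -band $extRight) -ne 0)
        $isAll  = (($ace.ActiveDirectoryRights -band $genericAll) -ne 0)
        $anyExt = ($ace.ObjectType -eq [guid]::Empty)
        $enroll = $isAll -or ($hasExt -and ($anyExt -or $ace.ObjectType -eq $EnrollRight))
        $auto   = $isAll -or ($hasExt -and ($anyExt -or $ace.ObjectType -eq $AutoEnrollRight))
        if ($enroll -or $auto) {
            [pscustomobject]@{
                Principal  = $ace.IdentityReference.Value
                Enroll     = $enroll
                AutoEnroll = $auto
            }
        }
    }

    [pscustomobject]@{
        Template                 = $TemplateName
        SubjectSuppliedInRequest = [bool]($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        ManagerApprovalRequired  = [bool]($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS)
        Grants                   = $grants
    }
}

$audit = Get-TemplateEnrollmentAudit -TemplateName 'Corp-WebServer'
$audit | Format-List Template, SubjectSuppliedInRequest, ManagerApprovalRequired
$audit.Grants | Format-Table -AutoSize
if ($audit.SubjectSuppliedInRequest -and -not $audit.ManagerApprovalRequired) {
    Write-Warning 'Enrollees choose their own subject/SAN and nothing holds requests for review: keep Enroll limited to the web-server group.'
}
```

Run it after step 7 above and again whenever the template's Security tab changes; a template that lets the requester supply the subject should show only the intended server group under Enroll, and Autoenroll only where you really want certificates appearing without a human in the loop.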

Michael Leone

Mar 4, 2020, 2:35:48 PM
to NTSysAdmin
On Wed, Mar 4, 2020 at 2:23 PM Dennis Pinckard <ntsys...@doomsdaypig.com> wrote:

> It is possible that you may want to grant "Autoenrollment" for the Web Server AD group on your certificate template.
>
> I believe Enroll will allow you to request that certificate type, while autoenroll will automatically approve it.  I tend to not use autoenrollment on very many templates because I use GPOs to enable autoenrollment and I don't want those certs on all servers or I need to customize the cert.

After further discussions with my department mates, we agree, and so I didn't enable autoenroll (not for webservers; I think I might for user certificates ...)

> Since the Web Server template requires additional information, I don't believe the server would autoenroll based on the GPO, but just to be sure. . .
>
> Bear in mind that the Certificate Manager mmc just manages the various certificate stores.  You will still need to assign the certificate in IIS, but it should now be visible as an available option.

Yeah, I had to manually issue the cert, export and copy it over. And then tell IIS to complete the certificate request by pointing it at the exported file, then create new https: bindings pointing at that cert.

Dunno how yours automatically showed up in IIS? On mine, IIS had no clue a cert was issued, until I copied it over manually.

Dennis Pinckard

Mar 4, 2020, 4:57:09 PM
to ntsys...@googlegroups.com

It has been a while, but I seem to remember there was an option like "complete certificate request" that would go and pick up the approved cert and install it in the Personal certificate store.


Michael Leone

Mar 4, 2020, 5:18:54 PM
to NTSysAdmin
On Wed, Mar 4, 2020 at 4:57 PM Dennis Pinckard <ntsys...@doomsdaypig.com> wrote:

> It has been a while, but I seem to remember there was an option like "complete certificate request" that would go and pick up the approved cert and install it in the Personal certificate store.

Don't recall seeing that, but I'll look again tomorrow.

Orlebeck, Geoffrey

Mar 4, 2020, 5:42:55 PM
to NTSysAdmin

As long as the machine/user has permissions, you can retrieve the certificate from the Sub CA via command line using certreq:

certreq -retrieve <Request ID> <Output Path>

Example: certreq -retrieve 21 C:\CertName.cer

If you want to import the certificate:

certreq -accept <Cert Path>

Example: certreq -accept C:\CertName.cer

Be wary of the above commands if Outlook modified the hyphens.

Michael Leone

Mar 6, 2020, 8:08:31 AM
to ntsysadmin
On Wed, Mar 4, 2020 at 5:42 PM Orlebeck, Geoffrey <Geoffrey...@montagehealth.org> wrote:

> As long as the machine/user has permissions, you can retrieve the certificate from the Sub CA via command line using certreq:
>
> certreq -retrieve <Request ID> <Output Path>
>
> Example: certreq -retrieve 21 C:\CertName.cer
>
> If you want to import the certificate:
>
> certreq -accept <Cert Path>
>
> Example: certreq -accept C:\CertName.cer

Good to know! Odd that you have to retrieve by the ID number, rather than hostname (which would be a lot easier to remember). Still, useful stuff ..
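Retrieving by hostname instead of by number, as an added example that is not from the thread or from either poster: certutil -view can query the CA database and restrict rows by the certificate's common name, which yields the RequestId (and whether the request is still pending) to feed to the certreq -retrieve and -accept commands quoted above. The CA config string and FQDN are placeholders; the account running it needs read access to the CA database, and the private key from the original request must still be in the local machine's "Certificate Enrollment Requests" store for -accept to complete it.

```powershell
# Added example (not from the thread): look up a request in the CA database by
# common name, then retrieve and install the issued certificate with certreq.
# Placeholders (not values from the thread): the CA config string and FQDN below.
$CaConfig = 'CA01.corp.example.com\Corp-Issuing-CA'
$Fqdn     = 'www.corp.example.com'

# Request.Disposition codes as stored in the CA database.
$DispositionNames = @{ 9 = 'pending'; 20 = 'issued'; 21 = 'revoked'; 30 = 'failed'; 31 = 'denied' }

function Get-CaRequestByCommonName {
    param(
        [Parameter(Mandatory)][string] $CaConfig,
        [Parameter(Mandatory)][string] $CommonName
    )
    # -view queries the CA database; -restrict filters rows; -out selects columns;
    # the trailing "csv" prints a header row followed by one row per line.
    $rows = certutil -config $CaConfig -view -restrict "CommonName=$CommonName" `
                     -out 'RequestID,Request.Disposition,NotAfter' csv 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $($rows -join ' ')" }

    foreach ($line in $rows) {
        $f = (([string]$line) -replace '"', '') -split ','
        if ($f.Count -lt 3 -or $f[0] -notmatch '^\s*\d+\s*$') { continue }   # header or blank line
        # certutil may print the disposition as a bare number or as "0x14 (20) -- Issued":
        # prefer the parenthesised decimal, else the first run of digits.
        $code = if ($f[1] -match '\((\d+)\)') { [int]$Matches[1] } elseif ($f[1] -match '(\d+)') { [int]$Matches[1] } else { -1 }
        [pscustomobject]@{
            RequestId   = [int]$f[0]
            Disposition = if ($DispositionNames.ContainsKey($code)) { $DispositionNames[$code] } else { "code $code" }
            NotAfter    = ($f[2..($f.Count - 1)] -join ',').Trim()
        }
    }
}

$requests = Get-CaRequestByCommonName -CaConfig $CaConfig -CommonName $Fqdn
$requests | Format-Table -AutoSize

# Take the newest issued row; anything still 'pending' has to be issued on the CA first.
$issued = $requests | Where-Object Disposition -eq 'issued' | Sort-Object RequestId -Descending | Select-Object -First 1
if (-not $issued) {
    Write-Warning "No issued certificate for $Fqdn in the CA database (check for pending rows above)."
} else {
    $cer = Join-Path $env:TEMP "$Fqdn.cer"
    # Same as the thread's 'certreq -retrieve 21 C:\CertName.cer', with the CA named explicitly.
    certreq -retrieve -config $CaConfig $issued.RequestId $cer
    # Pairs the cert with its pending private key and moves it into LocalMachine\My,
    # which is where IIS Manager's "Server Certificates" list reads from.
    certreq -accept -machine $cer
}
```

If the table shows a pending row and no issued one, the request is sitting in "Pending Requests" on the CA exactly as described earlier in the thread; once it is issued, rerun the script and the retrieve/accept pair completes the enrollment without exporting and copying files by hand.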
 