
Installing an SSL certificate on your Domain Controller
If you are in the process of replacing your Domain Controllers, moving from Server 2003 to Server 2008 R2, you will need to either move or replace their certificates as well. First you obviously have to add the 2008 servers to the domain, promote them, and assign their respective roles. Then you will need to install an SSL certificate on each.

Microsoft has a TechNet article covering the details of every environment and how to get it configured here:


I'm just going to go through the quick process many people will use. That process should be followed if you are going to be using a Standalone CA to process certificates for a Domain Controller.

First off, on the Domain Controller we need to create an .inf file with the following contents:

;;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<DC FQDN>" ; replace <DC FQDN> with the fully qualified name of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; Note: 1024-bit RSA is considered weak today; 2048 is the practical minimum.
Exportable = TRUE ; lets the private key be exported with the cert; set FALSE if you will never need to move it
MachineKeySet = TRUE ; key goes in the machine store, which a DC certificate requires
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; Digital Signature (0x80) + Key Encipherment (0x20)

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

Now in Command Prompt type:

certreq -new request.inf request.req

A new file is now created named request.req. Take that file and move it to the CA server.

Now run:

certreq -attrib "CertificateTemplate:DomainController" request.req

This will return a Request ID. Write that ID down, as we will need it later.

Now we need to create an ASN file. There are a few ways you can do this, but the best way is to use the script MS put together for us here:


It will create an ASN file as well as several other files. Copy the newly created ASN file to the CA as well.

Now, if you are running Server 2008, run the following command with elevated privileges (if not, run it normally). certutil -setextension takes the Request ID, the OID of the extension being added (2.5.29.17, Subject Alternative Name, which is the extension the ASN file produced by Microsoft's script holds), a flags value, and the file to read it from:

certutil -setextension <RequestID> 2.5.29.17 1 @<dcname>.asn

Then run the following. The first two commands run on the CA and issue and retrieve the certificate; copy the resulting .p7b file back to the Domain Controller and run certreq -accept there, because it has to find the pending request and private key that were created on the DC (if the CA machine hosts more than one CA, add -config to pick the right one):

certutil -resubmit <RequestID>
certreq -retrieve <RequestID> <dcname>.p7b
certreq -accept <dcname>.p7b

At this point you are finished. You should test to make sure it is functioning properly.
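One way to run that test, as an added example that is not part of the original post: the PowerShell function below connects to the DC's LDAPS port, takes the certificate it presents and checks it against what request.inf asked for (CN equal to the DC FQDN, the Server Authentication EKU, key length, validity and a trusted chain). The DC name is an assumed placeholder; replace it with your own.

```powershell
# Added example (not part of the original post): check the certificate a DC
# presents on LDAPS (636) against what request.inf requested.
# The DC name below is an assumed placeholder; pass your own FQDN.
param([string]$DcFqdn = "dc01.example.local")

function Test-DcLdapsCertificate {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 636)

    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept whatever the server offers at handshake time so we can inspect it;
        # the real validation is done by the checks below, not by SslStream.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }  # Enhanced Key Usage
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # Subject Alternative Name
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $fqdn = [regex]::Escape($ComputerName)

    [pscustomobject]@{
        Subject          = $cert.Subject
        NotAfter         = $cert.NotAfter
        KeyLength        = $cert.PublicKey.Key.KeySize
        # request.inf puts the DC FQDN in CN=; a SAN entry carrying it is also acceptable
        NameMatches      = ($cert.Subject -match "CN=$fqdn") -or ($sanText -match $fqdn)
        # The [EnhancedKeyUsageExtension] OID from request.inf: Server Authentication
        HasServerAuthEKU = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))
        # The post's inf uses 1024; 2048 is the practical minimum today
        KeyLengthOk      = $cert.PublicKey.Key.KeySize -ge 2048
        NotExpired       = $cert.NotAfter -gt (Get-Date)
        # True only if the chain builds to a root this machine trusts (the CA's root must be installed)
        ChainTrusted     = $cert.Verify()
    }
}

Test-DcLdapsCertificate -ComputerName $DcFqdn | Format-List
```

Run it from a domain member that trusts your CA; any False in the output points at the INF field or CA step that needs revisiting.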

Priveon, Inc.
