Windows Certificate Authority SAN

Installed a new certificate authority on Windows Server 2019 and was attempting to use http://localhost/certsrv to issue a new certificate to my website (RDS, also on 2019). It wasn’t going well.

First I opened the Certification Authority console and noticed that Certificate Templates was not showing up as a folder under the CA. That was fixed by removing the certificate authority and reinstalling it as an Enterprise Standalone CA (you may be able to get there by changing the DWORD value HKLM\SYSTEM\CurrentControlSet\services\Certsvc\Configuration\YOURCAFQN\CAType to “0”).

Then I went to Certificate Templates, right-clicked it and selected Manage, duplicated the Web Server template, and ticked the checkbox for “Allow private key to be exported” on the Copy of Web Server template.

I had forgotten to then right-click Certificate Templates again and select New > Certificate Template to Issue, then pick the Copy of Web Server I had created earlier. So I fixed that too.

Before all of the steps above, I had probably also changed the permissions on the template to give Authenticated Users Read, Write and Enroll on it.

Then I navigated to http://localhost/certsrv and clicked through:

  • Request a certificate
  • Advanced certificate request
  • Create and submit a request to this CA
  • “Yes” to the prompt that this website is attempting to perform a digital certificate operation on your behalf
  • Certificate template drop down to my Copy of Web Server
  • Name of rds.domain.tld, keysize of 2048, Mark keys as exportable, attributes “san:dns=rds.domain.tld&nameofserver.domain.tld” without the quotes, friendly name of rds.domain.tld
  • Submit
  • Install
  • Open MMC for Certificates (personal/user)
  • Under the Personal > Certificates store, you’ll find your installed certificate
  • Right-click and export this cert with key; I used a passphrase

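An alternative to the certsrv web form, added here as an example and not part of the original post: build the request with certreq from an INF file that carries the SANs in the request’s Subject Alternative Name extension (OID 2.5.29.17) rather than as a request attribute. A template whose subject name is “Supply in the request”, as the duplicated Web Server template is, honours that extension without the CA needing any EditFlags change, and the key lands directly in the machine store where RDS reads it. The CA config string `ca.domain.tld\DOMAIN-CA` and the template’s internal name `CopyofWebServer` are placeholders; run `certutil -config - -ping` to find your CA and check the template’s name (not its display name) in the template’s properties.

```powershell
# Added example (not from the original post): SAN certificate request via certreq INF.
# Run elevated on the RDS host. Placeholders: $caConfig and $template.
$caConfig = 'ca.domain.tld\DOMAIN-CA'   # placeholder: "<CA host FQDN>\<CA common name>"
$template = 'CopyofWebServer'           # placeholder: template name, not display name
$work     = Join-Path $env:TEMP 'rds-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# One dns= entry per SAN; entries are joined with '&' across _continue_ lines.
$inf = @"
[NewRequest]
Subject = "CN=rds.domain.tld"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "rds.domain.tld"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=rds.domain.tld&"
_continue_ = "dns=nameofserver.domain.tld"

[RequestAttributes]
CertificateTemplate = "$template"
"@
Set-Content -Path "$work\rds.inf" -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the CSR.
certreq -new "$work\rds.inf" "$work\rds.csr"
# 2. Submit the CSR to the CA and save the issued certificate.
certreq -submit -config $caConfig "$work\rds.csr" "$work\rds.cer"
# 3. Join the issued certificate to its pending private key.
certreq -accept "$work\rds.cer"

# Verify that both SANs are present on the issued certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=rds.domain.tld' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san.Format($true)   # prints one "DNS Name=..." line per SAN
```

Because the SANs travel inside the signed CSR, the CA issues exactly the names in the request for this template only, and the certificate can still be exported with its key from Cert:\LocalMachine\My if you need it elsewhere.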
From here I added it to the RDS system certificates (my RDS 2019 server has all roles of Gateway Broker and Session host in-one).

Unfortunately I noticed that my SAN (Subject Alternative Name) wasn’t appearing on the certificate. The CA has to be told to honour the SAN request attribute, and there’s a command for that:

  • Open command as an administrator (on the Certificate Authority)
  • certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
  • Restart the Active Directory Certificate Services service (or the entire server if you want)
  • Re-run the aforementioned SAN cert request steps, then export; profit.
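A check to go with that flag, added here as an example and not part of the original post: EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA accept SAN request attributes from any enrollee on any template, so once the certificate is issued it is worth confirming the flag’s state and clearing it again. The script below reads the policy module’s EditFlags value for the active CA from the registry (bit 0x40000 is EDITF_ATTRIBUTESUBJECTALTNAME2) and, if it is set, clears it with certutil and restarts the service. Run it on the CA as an administrator.

```powershell
# Added example (not from the original post): report and clear
# EDITF_ATTRIBUTESUBJECTALTNAME2 on the local CA.
function Test-SanAttributeFlag {
    # The 'Active' value names the CA instance this server hosts.
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca  = (Get-ItemProperty $cfg).Active
    $policy = Join-Path $cfg "$ca\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $editFlags = (Get-ItemProperty $policy).EditFlags
    # EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
    return (($editFlags -band 0x40000) -ne 0)
}

if (Test-SanAttributeFlag) {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: SAN request attributes are honoured for every template.'
    # Clear the flag; the policy module only re-reads it when the service restarts.
    certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    Restart-Service certsvc
    Write-Output ("Flag still set after restart: {0}" -f (Test-SanAttributeFlag))
} else {
    Write-Output 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set.'
}

# Same information as certutil reports it, for cross-checking: the output lists
# each set flag by name, so the line below appears only while the flag is on.
certutil -getreg policy\EditFlags | Select-String 'EDITF_ATTRIBUTESUBJECTALTNAME2'
```

Requests made with SANs in the CSR extension (for example from a certreq INF) keep working after the flag is cleared, so the flag only needs to be on for as long as you rely on the certsrv “Attributes” box.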
