Windows Certificate Authority SAN

Published 2021-12-21, https://it.thelibrarie.com/weblog/2021/12/windows-certificate-authority-san/ (category: microsoft)

<p class="wp-block-paragraph">Installed a new certificate authority on Windows Server 2019 and was attempting to use http://localhost/certsrv to issue a new certificate to my website (RDS, also on 2019). It wasn't going well.</p>

<p class="wp-block-paragraph">First I opened the certificate authority and noticed that Certificate Templates was not showing up as a subdir. That was fixed by removing the certificate authority and reinstalling as an Enterprise Standalone CA (you may be able to get there by changing the DWORD value HKLM\SYSTEM\CurrentControlSet\services\Certsvc\Configuration\YOURCAFQN\CAType to "0").</p>

<p class="wp-block-paragraph">Then I went to Certificate Templates and duplicated the Web Server one: right-click Certificate Templates and select Manage, then check "Allow private key to be exported" on the Copy of Web Server template.</p>

<p class="wp-block-paragraph">I forgot to then right-click again on Certificate Templates and select New > Certificate Template To Issue, then select the Copy of Web Server I created earlier. So I fixed that too.</p>

<p class="wp-block-paragraph">I probably changed the permissions of the template to include Authenticated Users being able to enroll/read/write certs prior to all of the above.</p>

<p class="wp-block-paragraph">Then I navigated to http://localhost/certsrv and clicked through:</p>

<ul class="wp-block-list">
<li>Request a certificate</li>
<li>Advanced certificate request</li>
<li>Create and submit a request to this CA</li>
<li>"Yes" to the "this website is attempting to perform a digital certificate operation" prompt</li>
<li>Certificate template drop-down set to my Copy of Web Server</li>
<li>Name of rds.domain.tld, key size of 2048, Mark keys as exportable, attributes "san:dns=rds.domain.tld&amp;nameofserver.domain.tld" without the quotes, friendly name of rds.domain.tld</li>
<li>Submit</li>
<li>Install</li>
<li>Open MMC for Certificates (personal/user)</li>
<li>Under the Personal > Certificates store, you'll find your installed certificate</li>
<li>Right-click and export this cert with key; I used a passphrase</li>
</ul>

<p class="wp-block-paragraph">From here I added it to the RDS system certificates (my RDS 2019 server has all roles, Gateway, Broker and Session Host, in one).</p>

<p class="wp-block-paragraph">Unfortunately I noticed that my SAN (subject alternative name) wasn't working on the certificate. There's a command to set the CA flag required to honor SANs supplied as request attributes:</p>

<ul class="wp-block-list">
<li>Open a command prompt as an administrator (on the Certificate Authority)</li>
<li>certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2</li>
<li>Restart the Active Directory Certificate Services service (or the entire server if you want)</li>
<li>Re-run the aforementioned SAN cert steps and export again; profit.</li>
</ul>

<p class="wp-block-paragraph">Note that this flag is CA-wide, not per-template: while it is set, the CA honors a SAN attribute on any request for any template, so it is worth clearing again once the certificate has been issued.</p>