Thursday, November 19, 2015

Online and Offline Request in Server 2008

The simplest process is a basic online request, which contacts the Windows CA directly over the network to submit the request data.  The generated private key stays on the requesting server at all times; the CA immediately returns an approved certificate file to the requesting server, which in turn automatically imports it into the correct store and attaches the private key to it.  If anything specific to the environment prevents this process (e.g. no network access to the CA, insufficient permissions to perform requests, a disabled ‘Web Server’ template, etc.) then skip to the Offline Request section of this article.
  • From a domain-connected Windows 2008 Server launch the Internet Information Services (IIS) Manager (inetmgr.exe) and in the Connections window pane highlight the server object.
  • In the main window (focused to Features View) open the Server Certificates feature under the IIS section.
The main window pane will now show a list of all Personal certificates installed on the local server.  (These are the same objects that appear in the Certificates MMC snap-in under the “Local Computer\Personal” store.)
  • From the Action pane of Internet Information Services (IIS) Manager select Create Domain Certificate which will launch a wizard to request, issue, and import a new server certificate all in one pass.
  • In the Distinguished Properties window of the Create Certificate wizard enter the desired information in each field.  The Common Name field is most important as this is the identity the server or application presents to remote hosts when attempting to establish secure communications. 
As a best practice it is always recommended to fill out each of the identity fields so that the entire distinguished Subject Name is formatted the way most applications expect to see it. Do not leave any of the fields blank; it is also a good idea to avoid special characters or other non-alphanumeric characters whenever possible.
  • In the Online Certification Authority window browse for the desired internal CA and then enter a Friendly Name.
  • Click Finish and if successful the new certificate will almost immediately appear in the server list.
View the certificate details and validate that the private key was successfully assigned to the certificate.
Reviewing the certificate details shows the Subject Name, key bit length, and certificate template used.

Offline Request Process

In the event that a different key bit length needs to be requested or a custom certificate template must be designated then these can be addressed by submitting an offline request which breaks up the previously shown process into three separate manual steps: request, submission, and completion.

Create Certificate Request

  • From the Action pane of Internet Information Services (IIS) Manager select Create Certificate Request which will launch a wizard to create a request and save the contents to a text file.
  • In the Distinguished Properties window of the Request Certificate wizard enter the desired information in each field. The Common Name field is most important as this is the identity the server or application presents to remote hosts when attempting to establish secure communications.
  • In the Cryptographic Service Provider Properties window select the desired options.  Rarely will a provider other than the Microsoft RSA SChannel option be selected, but it is becoming more common to increase the bit length above the default 1024 value.  Many public CAs are no longer issuing certificates for requests generated with a 1K bit length, so moving up to more secure 2048-bit requests is now commonplace.
  • In the File Name window enter a path and name for where the request file should be saved on the local server.  Common file extensions are either .txt or .req and either can be used interchangeably.
To verify that the data was correctly written to the file, open it with Notepad: it should contain a single Base64 block between a BEGIN NEW CERTIFICATE REQUEST line and an END NEW CERTIFICATE REQUEST line.

Submit Certificate Request

For requests submitted to a public CA, simply copy/paste the text from the generated file into that CA’s request form, wait for the completed .cer file to be sent back, and then skip to the next section.
But for internal requests there are multiple ways to submit them to a Windows CA. Depending on the tools and permissions available some of these approaches may not work in certain environments.  If access is prevented for certificate submissions then send the request text file to the appropriate personnel and wait for them to send back the certificate file, then jump to the next section to complete the request.
Assuming that both connectivity to the CA and the appropriate permissions are available then follow these basic steps to submit the request to the Windows CA using certreq.exe from the standard Windows command prompt.
  • From the same server open the standard Windows Command Prompt.  (If network connectivity to the CA is not available from this host then copy the request file to the CA server or another Windows server with access and run these commands from that system.)
  • Change to the current directory where the new request file was saved (e.g. C:\Temp) and issue the following command:
certreq.exe -submit -attrib "CertificateTemplate:WebServer" newcert.req newcert.cer

The CertificateTemplate attribute can be used to supply the name of any custom template defined in the CA, assuming that template was configured in a way that is still compatible with the type of request generated.
  • In the Certification Authority List pop-up window select the desired Windows CA to submit the request against.
The results of the command should indicate a successful request, and the resulting certificate will be written to a new file in the same directory, with the name given in the command (newcert.cer).
Because the Request ID is displayed in the command output, the details of the issued certificate can be verified on the CA itself by opening the Certification Authority administrative tool on the CA server and browsing to the Issued Certificates container to look for the matching ID.

Complete Certificate Request

Before completing the request locate and open the newly generated certificate file (newcert.cer).  Notice that the private key description is missing from the General tab information.
Although this looks like a ‘certificate’ file, it is actually just the CA-signed public key portion; the all-important private key portion is still stored locally on the requesting server, and the two items need to be joined together to create an actual functioning certificate pair.  Without a valid private key nothing that was encrypted using the public key can be decrypted.
  • From the Action pane of Internet Information Services (IIS) Manager select Complete Certificate Request.
  • In the Specify Certificate Authority Response window browse for and select the certificate file (newcert.cer) and provide a Friendly Name for the certificate, then complete the wizard.
View the properties of the new certificate and this time the General information will indicate that the private key has successfully been linked to the new certificate.
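The three offline steps above (request, submission, completion), scripted with certreq.exe as an added example that is not part of the original post, ending with the same private-key check the article performs by hand for both the online and offline certificates. The CA config string, template name, common name and working folder are assumed placeholders; the certreq.exe switches and INF keys are standard Windows ones.

```powershell
$WorkDir  = 'C:\Temp'
$CaConfig = 'ca01.corp.example\Corp-Issuing-CA'   # assumed "CAhost\CA name"; skips the CA picker dialog
$Template = 'WebServer'                            # or a custom template name published on the CA
$Cn       = 'web01.corp.example'                   # assumed server identity (Common Name)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir 'newcert.inf'
$ReqPath = Join-Path $WorkDir 'newcert.req'
$CerPath = Join-Path $WorkDir 'newcert.cer'

# Step 1: create the request. KeyLength overrides the 1024-bit default the post warns
# about; MachineKeySet keeps the private key in the Local Computer store, like the wizard.
@"
[NewRequest]
Subject = "CN=$Cn, OU=Web, O=Example Corp, L=Seattle, S=WA, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $InfPath -Encoding ASCII
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Step 2: submit to the Windows CA; the issued (public-key-only) file lands in $CerPath.
& certreq.exe -submit -config $CaConfig $ReqPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

# Step 3: complete. -accept is the command-line equivalent of IIS's "Complete Certificate
# Request": it pairs the issued certificate with the pending private key in the
# Local Computer\Personal store.
& certreq.exe -accept -machine $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Verification: a certificate whose HasPrivateKey is false is exactly the "missing
# private key" symptom the post describes and cannot be used to serve TLS.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$Cn*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate for CN=$Cn not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Issued certificate has no private key bound" }
"OK: {0} thumbprint {1}, key {2} bits" -f $cert.Subject, $cert.Thumbprint, $cert.PublicKey.Key.KeySize
```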
