Requesting Web Server certificates from an Enterprise CA

One of the things I have never been able to figure out is why you cannot request a certificate based on the Web Server template from a Windows Enterprise CA when you are using the CA web pages (<servername>/CertSrv). Ever since Windows 2000 I have occasionally stumbled on this problem but never had time to really investigate it. I still have not found out why the Web Server template is unavailable, but I have found a workaround.
By using the certreq.exe utility you can successfully request and receive a certificate from an Enterprise CA. The command you use is:
certreq -submit -attrib "CertificateTemplate:WebServer" <request_file>
The request file is any text file (.cer, .req etc.) that contains the Base64 encoded certificate request generated by your server, typically a web server. When you run this command you are prompted to select the CA from which you would like to request the certificate and the name of the file in which to save the issued certificate. You can also specify these options on the command line.
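The following PowerShell script is an added example, not part of the original post: it runs the same submission without prompts by passing the CA and output file on the command line, dumps the request for review first, and checks that the issued certificate carries the Server Authentication usage. The CA config string, file names and parameter defaults are placeholders.

```powershell
# Added example. The CA config string and file names are placeholders (assumptions).
param(
    [string]$RequestFile = '.\vmrc.req',   # Base64 request generated by the server
    [string]$CertFile    = '.\vmrc.cer',   # file in which to save the issued certificate
    [string]$CAConfig    = 'ca01.example.local\Example Issuing CA',  # CAHostName\CAName
    [string]$Template    = 'WebServer'
)

# Show the request contents (subject, key size, extensions) so they can be
# reviewed before the CA is asked to sign them.
& certutil.exe -dump $RequestFile
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $RequestFile" }

# Same command as above, with -config and the output file supplied so that
# certreq does not prompt for the CA or the save location.
& certreq.exe -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $RequestFile $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# If the request is left pending for CA manager approval, no certificate file is written.
if (-not (Test-Path $CertFile)) { throw "No certificate was returned; the request may be pending" }

# Load the issued certificate and collect its Enhanced Key Usage OIDs.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $CertFile).Path
$ekus = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value }

# 1.3.6.1.5.5.7.3.1 is Server Authentication, the usage the default
# Web Server template issues.
if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') {
    throw "Issued certificate does not include Server Authentication"
}

"Issued to {0}, valid until {1:u}, thumbprint {2}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint
```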
Since this works, the problem must lie in the CA web pages. If anyone has an explanation as to what may be the problem I would be very interested.
The reason that I went a little further in trying to crack this problem this time was that I was setting up my Virtual Server host and was unable to get a certificate for the Virtual Machine Remote Console (VMRC). The administration web pages for Virtual Server cannot send a certificate request directly to an online CA, but rather have to generate a Base64 encoded request which you have to submit to your CA manually and then upload the issued certificate to Virtual Server. Using the above command I was finally able to get a certificate. For those of you wondering: no, you cannot use one of the certificates that the computer running Virtual Server has in its certificate store. Virtual Server runs under the Network Service account, which does not have access to those certificates. Some more information about the exact reason for this is available here:
Finally, the SSL certificate for the Virtual Server administration site itself can be retrieved in IIS using the request new certificate option.
