I’ve probably got all the steps jumbled up and backwards. But hopefully this can one day become scripted in the right order with the right settings/permissions.
certreq: http://technet.microsoft.com/library/cc725793.aspx
- Use a template .inf file with certreq.exe -new to create the certificate request (the private key is generated on this machine at this point). This could probably be scripted similarly to http://www.networkworld.com/community/node/18638.
- Use certreq -submit to send the request to the Issuing CA. Run from the command line/PowerShell without a -config "CAHost\CAName" string and an output file name, it pops up GUI dialogs to pick the CA and to save the resulting .cer file; give it both and it runs unattended.
- The .cer file seems a bit frustrating; why can’t I find a way to directly create a .pfx?
- I should probably set UserProtected = TRUE and maybe PrivateKeyArchive = TRUE in the .inf. It will probably prompt for a password at the time of certreq -new.
- Remember to use CertificateTemplate = WebServer in the [RequestAttributes] section of the .inf (a template name is required so the CA knows what kind of certificate to issue).
- Follow the instructions of Vadims Podans from http://social.technet.microsoft.com/Forums/windowsserver/en-US/d0f0fe74-d14a-4718-b00c-47545b56911d/submit-new-request-nothing-happens?forum=winserversecurity
- certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2, then restart the CA service (net stop certsvc &amp;&amp; net start certsvc) for it to take effect. Caution: this flag makes the CA honor a SAN supplied in the request attributes for every template it issues, so anyone who can enroll for any template can get a certificate for a name that is not theirs. Putting the SAN in the request itself ([Extensions] section, OID 2.5.29.17) works without the flag and is the safer choice.
- Use IIS’s Server Certificates feature to “Complete Certificate Request …”, which joins the issued .cer to its private key in the computer’s Personal store (certreq -accept does the same from the command line).
- Export the certificate with its private key to a .pfx file (maybe this won’t be necessary if the password is assigned at certreq -new) and copy it to the Centralized Certificate Store share.
- Remember to set up the Centralized Certificate Store feature at the server level (the root node in IIS Manager), giving it the share path, the account IIS uses to read the share, and the private-key password; every .pfx in the share must use that same password.
- On the site, in the https binding, enter a host name and check Use Centralized Certificate Store. The host name is required because the store looks the certificate up by it.
- If the .pfx file name matches the binding’s host name (www.example.com.pfx; a wildcard certificate is named _.example.com.pfx), IIS uses it automatically, with no certificate selected in the binding dialog.
- Back in IIS’s Server Certificates feature, remove the certificate. It’s now being served from the Centralized Certificate Store.
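The whole procedure above in one script, as an added example that is not the author’s own script. It assumes hypothetical values for the CA config string, host name, CCS share and the share account, puts the SAN in the request’s [Extensions] section so EDITF_ATTRIBUTESUBJECTALTNAME2 is not needed, and uses the WebAdministration and PKI cmdlets, so it needs IIS 8 / Windows Server 2012 or later and an elevated PowerShell on the IIS server.

```powershell
# Added example, not the author's script. All names below are hypothetical.
Import-Module WebAdministration
Import-Module PKI

$hostName = 'www.example.com'                        # hypothetical site host name
$caConfig = 'ca01.corp.example.com\Corp-Issuing-CA'  # hypothetical "CAHost\CAName"
$ccsPath  = '\\fs01\ccs'                             # hypothetical CCS share
$ccsUser  = 'CORP\svc-iis-ccs'                       # hypothetical account that reads the share
$workDir  = Join-Path $env:TEMP 'certreq'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Step 1: request .inf. The SAN goes in the request itself ([Extensions], OID 2.5.29.17),
# so the CA does not need EDITF_ATTRIBUTESUBJECTALTNAME2. Exportable = TRUE is needed
# because CCS wants a .pfx; UserProtected is left off because it needs an interactive prompt.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$hostName"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
"@
$infPath = Join-Path $workDir "$hostName.inf"
$reqPath = Join-Path $workDir "$hostName.req"
$cerPath = Join-Path $workDir "$hostName.cer"
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# Step 2: create the request; the private key is generated into the machine store.
certreq.exe -new -q $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Step 3: submit to the named CA. -config avoids the CA-picker dialog and naming the
# output file avoids the save dialog. A non-zero exit usually means the request is
# pending CA manager approval; it can be fetched later with certreq -retrieve.
certreq.exe -submit -q -config $caConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

# Step 4: accept the issued cert, joining it to its private key in LocalMachine\My
# (what IIS Manager's "Complete Certificate Request..." does).
certreq.exe -accept -q $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "issued certificate not found in LocalMachine\My" }

# Step 5: export to the CCS share. The file name must equal the host name so the
# store can find it from the binding (a wildcard cert would be _.example.com.pfx).
$pfxPassword = Read-Host -AsSecureString -Prompt 'Private-key password for the CCS .pfx files'
$pfxPath = Join-Path $ccsPath "$hostName.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Step 6: enable CCS at the server level (once per server). IIS keeps these credentials
# encrypted in applicationHost.config; every .pfx in the share must use the same password.
$ccsUserPassword = Read-Host -Prompt "Password for $ccsUser"
$pfxPlain = (New-Object System.Net.NetworkCredential('', $pfxPassword)).Password
Enable-WebCentralCertProvider -CertStoreLocation $ccsPath -UserName $ccsUser `
    -Password $ccsUserPassword -PrivateKeyPassword $pfxPlain

# Step 7: https binding with a host name (CCS looks the .pfx up by host name).
# SslFlags 3 = SNI (1) + Centralized Certificate Store (2).
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -HostHeader $hostName -SslFlags 3

# Step 8: the cert is now served from the share, so drop the copy and its key from the
# Personal store. Browse to the site first: without the .pfx this is not reversible.
Remove-Item -Path $cert.PSPath -DeleteKey
```

The .pfx password is prompted as a SecureString for the export and only converted to plain text for Enable-WebCentralCertProvider, which takes plain strings; if the script is run non-interactively, source both passwords from a secret store rather than hard-coding them.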