
Monday, August 27, 2012

Having fun in Microsoft CA land


This weekend I thought I was going to have some fun renewing the certificate on my Microsoft Exchange 2007 infrastructure that is deployed in my home production environment (migrating to a newer version of Exchange will be some future project). Thinking this was going to be quickly over, I reserved 15 minutes to do this...

While at this task, I thought, let’s do this properly. Previously, I enrolled the certificate for the web server with just the internal name of the Exchange server. This was more than sufficient for my needs. Now however, while I was at it, I also wanted to use the Subject Alternate Name for the box.
And then all fun started.

To tell this story chronologically, I also need to mention that my issuing CA was recently migrated from Windows Server 2003 to Windows Server 2008 R2. You know the drill: save the key material, export the databases, etc., and then set up the new server with the same properties as the old one and import everything you have saved. No big deal. Job done in a couple of hours (the longest part of the exercise was installing all the hotfixes on the new server).

This is part of the fun I was encountering: while enabling the CS role on my new server, I didn’t configure Web Enrollment. After all, I wanted to make sure I had a functional CA. Additional role services would come later (I had and have plans for deploying an OCSP responder, and of course Web Enrollment). More about this later.

So, I started my journey creating the certificate request. Not really hard to do: just use the Exchange PowerShell cmdlet for that (New-ExchangeCertificate), saving the resulting request file on my box (if you are PowerShell-challenged, you can use DigiCert's Exchange 2007 CSR Tool to generate the PS command you need). I then took that request file to my CA, launched the certificate services MMC, and entered my request. No go. The thing was complaining. Turns out, by default, Microsoft’s enterprise CA doesn’t like Subject Alternate Names.

There is no App for that, but there is a quick fix: one of the more or less hidden options is how to enable Subject Alternate Names. On the CA, you enter the command line

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Once that is done, you stop and restart your CA and life is good. Almost.

With that issue fixed, I resubmit my request, to encounter the next error. Turns out that while generating the certificate request, no template name is included with the request, which the MMC doesn’t like.

OK. No problem. Just use the web enrollment tool. When using the web enrollment tool you can paste the content of your request and indicate in the same dialog what template you want to use.
So, quickly over to Server Manager to add the role service I didn’t install a couple of months back while migrating my CA. Server Manager refuses to install the role service …

At that point you can do one of two things: back up your entire CA configuration, uninstall your CA, re-install the CA with all the options you need (this time with Web Enrollment); or, search online for what the heck is going on. At leedesmond’s blog I found the resolution: by changing the registry key SetupStatus at HKLM\System\CurrentControlSet\Services\CertSvc\Configuration to 0x6001 (it was at 0x6003 originally), installation of CA Web Enrollment role was re-enabled. I still don't know why by default you wouldn't be allowed to install this role service, but at least my problem is solved.

Two minutes later I finally had the cert I needed …
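
An added example, not part of the original post: a PowerShell check, run elevated on the CA server, that reports the two registry values changed above (the policy module's EditFlags and SetupStatus). It assumes the standard CertSvc registry layout, where the Active value names the CA and its policy module; the function name Get-CaRegistryState is made up for this example. With EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x00040000) set, the CA accepts SAN values that a requester supplies as request attributes, so it is worth confirming whether the flag is still on after the certificate has been issued.

```powershell
# Added example (not the author's code): report the CA registry values
# that the post modifies. Run in an elevated session on the CA server.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # bit value of the flag
$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaRegistryState {   # hypothetical helper name
    $config = Get-ItemProperty -LiteralPath $configRoot -ErrorAction Stop

    # "Active" holds the name of the CA; its subkey carries the policy module.
    $caName    = $config.Active
    $caKey     = Join-Path $configRoot $caName
    $modules   = Join-Path $caKey 'PolicyModules'
    $module    = (Get-ItemProperty -LiteralPath $modules -ErrorAction Stop).Active
    $policyKey = Join-Path $modules $module
    $editFlags = (Get-ItemProperty -LiteralPath $policyKey -Name EditFlags `
                    -ErrorAction Stop).EditFlags

    [pscustomobject]@{
        CAName            = $caName
        PolicyModule      = $module
        EditFlags         = '0x{0:X8}' -f $editFlags
        # True when SANs passed as request attributes are honoured
        SanFromAttributes = [bool]($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
        # The post changes this value from 0x6003 to 0x6001
        SetupStatus       = '0x{0:X}' -f $config.SetupStatus
    }
}

$state = Get-CaRegistryState
$state | Format-List

if ($state.SanFromAttributes) {
    Write-Warning ('EDITF_ATTRIBUTESUBJECTALTNAME2 is set on {0}: SAN values ' +
                   'supplied as request attributes are accepted.' -f $state.CAName)
}
```

To clear the flag again, run certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 and restart the CA service, as with the original change.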
