I ran into an interesting problem the other day. Basically, one of the admins at my client site needed a Server Authentication certificate for an OCS (Office Communications Server) pool he was bringing online. Naturally, considering this is OCS, the certificate needed a bunch of Subject Alternative Names (SANs). So, I told him to submit a CSR and I would get it approved.
However, there was just one problem. When he submitted the request, the Windows CA barfed stating:
"Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: WebServer/MyCustomWebServer"
Err... Needless to say, I thought that was strange. But, if you look at the error message, the template being referenced in the CSR is the default WebServer certificate template. So... apparently, whoever created the OCS Certificate Wizard hardcoded it to use the default WebServer certificate template. And, since it was hardcoded to use a default certificate template, we couldn't use the wizard to generate the request. For you see... at this client, we chose not to use any of the default certificate templates and instead created custom certificate templates.
Well, that left this guy with a couple of options. One, tack on the SANs using the Web enrollment interface. Two, use certreq.exe to generate the request with the SANs. Needless to say, both options are a pain in the butt, because you have to make sure the request is formatted exactly right.
That's when I had an idea. Why not just use the New-ExchangeCertificate cmdlet on a lab instance of Exchange Server 2007 to generate the certificate request? Not a bad idea, but like all EMS cmdlets... the parameters were a spaghetti monster. Luckily, there is a cool Web application from Digicert that helps you construct the command string for the New-ExchangeCertificate cmdlet. Using this web application, my Exchange installation, and the New-ExchangeCertificate cmdlet, we completed the entire request process. Then we exported the certificate + private key into a PFX file and shipped it over to his OCS servers to install.
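For anyone who would rather not stand up a lab Exchange box just to mint a CSR, here is what the certreq.exe route from option two actually looks like. This is an added example, not code from the original post: the host names, the template name MyCustomWebServer, and the CA config string are placeholders you would replace with your own. The point it demonstrates is the fix for the 0x80094800 denial (CERTSRV_E_UNSUPPORTED_CERT_TYPE, meaning the policy module could not match the template named in the request against the templates the CA is configured to issue): put your custom template name in the request itself, carry the SANs in the 2.5.29.17 extension, and dump the CSR to confirm both are present before anyone approves it.

```powershell
# Added example (not from the original post). All names below are placeholders.
# Single-quoted here-string so the "$Windows NT$" signature is not expanded.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=pool01.corp.example, O=Contoso, C=US"
KeyLength = 2048
KeySpec = 1                 ; AT_KEYEXCHANGE, required for TLS key exchange
KeyUsage = 0xA0             ; Digital Signature + Key Encipherment
Exportable = TRUE           ; needed so the cert + key can later go to a PFX
MachineKeySet = TRUE        ; key lives in the computer store, not the user's
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1     ; Server Authentication

[Extensions]
; 2.5.29.17 = Subject Alternative Name; one dns= entry per name, '&' joins them
2.5.29.17 = "{text}"
_continue_ = "dns=pool01.corp.example&"
_continue_ = "dns=sip.corp.example&"
_continue_ = "dns=ocs01.corp.example"

[RequestAttributes]
; The custom template, named here instead of the default WebServer template
; the OCS wizard hardcodes. This is what the CA's policy module checks.
CertificateTemplate = MyCustomWebServer
'@

Set-Content -Path .\pool01.inf -Value $inf -Encoding ASCII

# Generate the key pair and the PKCS#10 request.
certreq -new .\pool01.inf .\pool01.req

# Check before submitting: the dump must show the custom template in the
# request attributes and every SAN under "Subject Alternative Name".
certutil -dump .\pool01.req

# Submit over RPC/DCOM to the issuing CA (placeholder config string). If the
# template requires manager approval the request sits pending until approved;
# the request ID in the output is what the CA admin needs.
certreq -submit -config "ca01.corp.example\Contoso Issuing CA" .\pool01.req .\pool01.cer

# Once issued, bind the certificate to the private key in the machine store.
certreq -accept .\pool01.cer

# Export cert + private key to a PFX for the OCS servers (password is a placeholder).
certutil -p "ChangeMe" -exportPFX My pool01.corp.example .\pool01.pfx
```

If the request was generated by a tool you cannot change (the OCS wizard, for instance), the template can also be overridden at submit time with `certreq -submit -attrib "CertificateTemplate:MyCustomWebServer" request.req`; the attribute supplied on the command line is what the CA evaluates, so the WebServer name baked into the CSR no longer matters. Either way, leave Exportable set to TRUE only when you genuinely need to move the key, and protect the resulting PFX accordingly.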
Morals of the story:
With more than nine years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, Group Policy, Windows scripting, Windows Rights Management Services, PKI, and IT security practices. Tyson is the author of the new book Windows PowerShell Unleashed (read a sample chapter and learn about the drawing for a free copy here). Tyson has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed and Microsoft Windows Server 2003 Unleashed (R2 Edition). He has also written detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson has worked with next generation Microsoft technologies since their inception and played a key role in expanding scripting and development practices. Tyson also holds the SANS Security Essentials Certification, Microsoft Certified Systems Engineer Security certification, CompTIA Security+ certification and SANS Certified Incident Handler certification.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.