Working with SSL Certificates
Generating a CSR and importing the certificate with certreq
- Log on on the host which runs the Client Access Server.
- Prepare a text file request.inf with the following content
;----------------- request.inf ----------------- [Version] Signature="$Windows NT$" [NewRequest] ; replace Subject attributes in the line below with real values Subject = "CN=hostname, OU=Department, O=Organisation, L=Locality, S=State, C=Country" KeySpec = 1 KeyLength = 2048 Exportable = TRUE FriendlyName = hostname MachineKeySet = TRUE SMIME = Falsedg PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = Microsoft RSA SChannel Cryptographic Provider ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] ; this is for Server Authentication OID=1.3.6.1.5.5.7.3.1 [Extensions] 2.5.29.17 = "{text}" _continue_ = "dns=hostname.local&" _continue_ = "dns=mailstore&" ;-----------------------------------------------
- Adjust the Subject, FriendlyName and Extensions fields according to you infrastructure. Remove the entire [Extensions] section, if you do not need SANs. Save the file.
Hint:When there are any SANs defined, the CN in the Subject field will be ignored by clients, therefore you have to add all possible hostnames to the SAN extensions.
- Open an elevated command prompt and navigate into the directory where the request.inf is stored.
Creating the CSR
certreq -new request.inf request.csr
Validating the CSR
certutil -dump request.csr
- Submit the CSR to your CA. You will get a signed certificate in return.
Importing the certificate
certreq -accept certificate.cer
- Verify with certlm.msc or mmc that the certificate is imported properly in the hosts Personal store and that a matching private key can be found.
- Replace the self-signed certificates in the Client Access Server.
Creating a self signed certificate
The makecert.exe utility is included in the SPE's installation directory. It can be used to create self-signed certificate.
makecert.exe -r -pe -n "CN=hostname" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -a sha1 -len 2048
Replace hostname with your hostname. The certificate will be stored in the host's personal certificate store and can be used in the Client Access Server configuration.
Converting a PEM/CRT into a PFX container with OpenSSL
When the CSR was created with OpenSSL, the private key is not stored in the hosts private key archive automatically. You have to merge private key, certificate and the certificate chain into one PFX container, and import this container into the host's personal certificate store.
Merging the files
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Importing the certificate
certutil -importpfx certificate.pfx
Private key of certificate is missing
Sometimes the matching private key cannot be found. The services will throw the error "A Specified Logon Session Does Not Exist. It may already have been terminated." while starting. The following command tries to fix this issue
certutil -repairstore my SerialNumber
where SerialNumber is the serial number (not fingerprint) of the certificate to be repaired.
When the service still does not start, you have to re-import the certificate.
Weblinks
Microsoft Technet: How to Request a Certificate With a Custom Subject Alternative Name