SSL Certificate Request on Windows Server 2003 DC / CA: DNS Name not Available

3

I am trying to submit a request for an SSL certificate on a Domain Controller in order to enable LDAP SSL, and having no end of problems.

I am following the information provided at http://support.microsoft.com/default.aspx?scid=kb;en-us;321051 & http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl

Steps taken so far:

  1. Create Servername.inf with the following information

    ;----------------- request.inf -----------------
    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=servername.domain.loc" ; replace with the FQDN of the DC
    KeySpec = 1
    KeyLength = 1024 ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
    ;-----------------------------------------------

  2. Create Certificate request by running: certreq -new Servername.inf Servername.req

  3. Attempt to submit Certificate request to CA by running: certreq -submit -attrib "CertificateTemplate: DomainController" request.req
  4. At which point I get the following error: The DNS name is unavailable and cannot be added to the Subject Alternate Name. 0x8009480f (-2146875377)

Troubleshooting steps I have taken so far:

  1. Modified the Domain Controller template to supply the Subject Name in the request, restarted Certificate Services, included the SAN in the request: same error.
  2. Re-installed Certificate Services / IIS and restarted the machine countless times.

Any help resolving the issue would be greatly appreciated.

windows-server-2003
ssl-certificate
certificate-authority
asked on Server Fault Apr 29, 2010 by Beuy

2 Answers

1

I found the solution at http://www.techpository.com/?page_id=1364: you need to edit the template to use the subject name supplied in the request instead of building it from AD.

Here are the relevant steps that I followed:

  1. Click start->run, then key in command mmc
  2. Click File in the mmc console, then select Add/Remove Snap-in…
  3. Click the Add… button in the Add/Remove Snap-in dialog
  4. Select Certificate Templates, Click Add
  5. Close the Add Standalone Snap-in window from step 4.
  6. You will see “Certificate Templates”, Click OK.
  7. Find “Domain Controller Authentication” in “Console Root\Certificate Templates”
  8. Double click “Domain Controller Authentication” to open it.
  9. Select the “Subject Name” tab, then select “Supply in the request”, click Apply

After editing the template you need to remove and add it to the CA again.

answered on Server Fault Jul 14, 2015 by datagutten • edited Jul 14, 2015 by sebix
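As an added illustration (not code from the question, the answer, or the linked article): a small Python validator for a certreq request .inf. It parses the format used in the question's Servername.inf and checks the things the requester becomes responsible for once the template is set to "Supply in the request": the Subject CN is an FQDN, the Server Authentication EKU is present, and a dns= SubjectAltName matching the CN is supplied through an [Extensions] section (the certreq syntax for SANs, using the {text} form and _continue_ lines). It also flags the 1024-bit key from the question as below current minimums. The hostname dc01.example.test and the sample .inf are constructed for the example.

```python
"""Validator for a certreq -new request .inf (added example, not from the page)."""
import re

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
SAN_OID = "2.5.29.17"                   # subjectAltName extension

# Constructed sample: the question's request with the missing quote fixed
# and a SAN section added. dc01.example.test is a placeholder hostname.
SAMPLE_INF = r"""
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc01.example.test"   ; FQDN of the DC
KeySpec = 1
KeyLength = 1024                   ; the value used in the question
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=dc01.example.test&"
"""


def parse_inf(text):
    """Parse certreq .inf: ';' comments, [sections], key = value, quotes stripped.
    Values are kept as lists so repeated keys such as _continue_ all survive.
    Assumption: values never contain a literal ';' (true for certreq keys)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        sections[current].setdefault(key, []).append(value)
    return sections


def san_dns_names(sections):
    """Collect dns= entries from the {text} form of the subjectAltName extension."""
    ext = sections.get("Extensions", {})
    names = []
    if ext.get(SAN_OID, [""])[0].lower() != "{text}":
        return names
    for chunk in ext.get("_continue_", []):
        for part in chunk.strip("&").split("&"):
            k, _, v = part.partition("=")
            if k.strip().lower() == "dns" and v.strip():
                names.append(v.strip().lower())
    return names


def check_request(text):
    """Return a list of findings; an empty list means the request looks sane."""
    findings = []
    s = parse_inf(text)
    nr = s.get("NewRequest", {})
    subject = nr.get("Subject", [""])[0]
    m = re.search(r"CN=([^,]+)", subject, re.IGNORECASE)
    cn = m.group(1).strip().lower() if m else ""
    if not cn or "." not in cn:
        findings.append("Subject CN missing or not an FQDN: %r" % subject)
    if nr.get("RequestType", [""])[0].upper() != "PKCS10":
        findings.append("RequestType should be PKCS10 for certreq -submit")
    try:
        bits = int(nr.get("KeyLength", ["0"])[0])
    except ValueError:
        bits = 0
    if bits < 2048:
        findings.append("KeyLength %d is below 2048; 1024-bit RSA is deprecated" % bits)
    eku = s.get("EnhancedKeyUsageExtension", {}).get("OID", [])
    if SERVER_AUTH_OID not in eku:
        findings.append("EKU lacks Server Authentication (%s)" % SERVER_AUTH_OID)
    sans = san_dns_names(s)
    if not sans:
        findings.append("no dns= SubjectAltName; with 'Supply in the request' the CA will not add one")
    elif cn and cn not in sans:
        findings.append("SAN %s does not include the CN %s" % (sans, cn))
    return findings


if __name__ == "__main__":
    for f in check_request(SAMPLE_INF) or ["OK"]:
        print(f)
```

Run against the sample, the only finding is the 1024-bit key; delete the [Extensions] section and it also reports the missing SAN, which is the condition the CA would otherwise have filled from AD before the template change.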

-1

Check in the Active Directory for servername.domain.loc's entry. Look at its properties, check its DNS name attribute. If it is empty, add the DNS name.

answered on Server Fault May 25, 2010 by RainDoctor

User contributions licensed under CC BY-SA 3.0