Request and Enroll Multi-SAN certificates on Windows Server 2012

In one of my recent deployments, the customer asked to keep the existing naming convention of his domain, keeping it as “SRV_SVC_01.domain.local”. If you’ve been around long enough, you know that names that contain underscores ( _ ) are a little frowned upon. Windows will ask you if you really want to use this name when you change the machine’s name, but will let you go through with it.

The bigger issue started when I tried configuring an IIS ARR web farm to publish an Office Web Apps Server for this deployment. IIS will not accept underscores in names, so that presented an issue. Also, the Office Web Apps server was already configured and published in the topology, so changing the name now wasn’t really an option. Usually I’ll just create some random name and add that to the hosts file on the IIS ARR box, but since we’re using HTTPS here, the published name (the name the IIS ARR machine is accessing) must match the name on the certificate. The only solution I thought of was to use a multi-SAN certificate.

By default, requesting a domain certificate using the IIS wizard will generate a certificate with the server’s CN, and you’ll be able to bind this to the HTTPS port of the server. Unfortunately, there’s no way to add additional names to this request.

The workaround – Manually submit a Web Server certificate request.

Let’s cover these steps:

Open the local machine’s certificate console and request a new certificate:


Run through the next screens until you reach the certificate template choice. Odds are you’ll see this:


Hit “Show all templates” and scroll down to “Web Server”; you won’t be happy to see the following:

Well, how do we do that now…

Log on to your CA and open the Certification Authority management console, scroll down to “Certificate Templates”, right-click it and choose “Manage”:

On the new “Certificate Templates Console”, locate your Web Server template, right-click it and choose “Properties”:


On the Web Server properties window, click the Security tab. Add the computer you’re trying to enroll the certificate for (user accounts can’t be used here since we’re enrolling on behalf of the machine), then tick the “Enroll” box:


Now go back to the machine and try to re-enroll the certificate; you’ll see that you now have the Web Server certificate template available:


Tick the Web Server certificate box and click on the “More information required…” link.
In the new window, do the following:
For the Subject name, choose “Common name” as the Type, enter your server’s FQDN in the Value field, then click “Add”.
For Alternative name, choose “DNS” as the Type, enter the FQDN (or FQDNs) you’d like to use in the Value field, then click “Add”:


When done, click OK and then “Enroll” on the next window. This will initiate the certificate request. When enrolled, you’ll see the following:


You’ll now see the certificate in the Personal certificate store of the machine:
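The same request can be made from the command line with certreq, which makes the SAN list explicit and lets you verify it before binding the certificate in IIS. This is an added example, not code from the original post; the host names and the CA configuration string are assumed placeholders, and the computer account still needs Enroll on the Web Server template as described above.

```powershell
# Added example, not from the original post: request the Web Server certificate
# with certreq so the SAN list is explicit and can be checked afterwards.
# Every name below is an assumed placeholder.
$Subject  = 'SRV_SVC_01.domain.local'            # the machine's actual FQDN
$AltNames = @('SRV_SVC_01.domain.local',         # repeat the CN in the SAN:
              'owa.domain.local')                # clients ignore the CN once a SAN exists
$CaConfig = 'ca01.domain.local\domain-CA01-CA'   # "<CA host>\<CA name>", assumed
$Work     = Join-Path $env:TEMP 'websrv-san'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# SAN extension (OID 2.5.29.17) in certreq's {text} form; entries are '&'-separated.
$san = ($AltNames | ForEach-Object { "dns=$_" }) -join '&'

@"
[NewRequest]
Subject = "CN=$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}$san"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# Create the CSR, submit it to the enterprise CA, then install the issued certificate
# into the local machine's Personal store.
certreq -new    "$Work\request.inf" "$Work\request.req"
certreq -submit -config $CaConfig "$Work\request.req" "$Work\cert.cer"
certreq -accept "$Work\cert.cer"

# Verify before binding it in IIS: every name ARR will connect with must be in the SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$missing = $AltNames | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) { throw "Certificate is missing SAN entries: $($missing -join ', ')" }
"OK: $($cert.Thumbprint) covers $($cert.DnsNameList.Unicode -join ', ')"
```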



Create and enroll certificates for Certificate Based Authentication on mobile phones

The purpose of this step-by-step article is to create user certificates with a validity period of 3 years instead of the default one year.

Since all users will visit the IT services desk to have the certificates installed on their mobile devices, we will use the “Enroll on behalf” option in ADCS 2008R2.

In my next article, we will see how to configure Forefront TMG 2010 to use Kerberos Constrained Delegation with Exchange Server 2010 SP1.

Note – not all steps are required in all organizations. See what fits you best.

Logged on as the Domain Administrator, open the User certificate MMC Snap-in:

Right-click on the Personal certificate store, and choose “All tasks”, “Request new certificate”:

In the first window click “Next”:

Choose your enrollment policy:

In the certificate template screen choose “Enrollment Agent” and click “Enroll”:

This is what you should see:

The new certificate is in your personal certificate store and you can now enroll certificates on behalf of other users:

To assign this privilege to other users, right-click your personal certificate store, choose “All Tasks”, “Advanced Operations”, “Enroll On Behalf Of”:

Click “Next” on the first screen:

Choose your Enrollment policy:

Click “Browse” to choose the enrollment agent certificate you just created:

Choose your certificate and Click “OK”:

Click “Next”:

Choose the “Enrollment Agent” certificate template again, and click “Next”:

Click “Browse” to select the user you would like to enroll the certificate to:

Here I chose one user from the helpdesk staff:

It looks like this; now click “Enroll”:

And now you can choose whether to enroll another user or finish the operation:

Now you can see that IT Helpdesk users 1 and 2 also have the ability to enroll certificates on behalf of users:

That’s done; let’s create the certificate template for the mobile devices:

Open your CA console, expand to “Certificate Templates”, then right-click it and choose “Manage”:

This will open the certificate templates snap-in. Scroll down to the User certificate template and choose “Duplicate Template”:

It will ask you which template type you would like to create – I normally choose Windows Server 2008:

Once you press OK, the new certificate template is opened. Name your certificate template and change the certificate validity period. I think 3 years is more than enough:

Switch to the “Issuance Requirements” tab and change the following:

· Check the “This number of authorized signatures” box and type ‘1’ in the box.

· Make sure that the policy type required in the signature is “Application policy”.

· Change the Application policy to “Certificate Request Agent” from the drop-down menu.

· Click OK to close the template.

This is only halfway there. You also need to start the registry editor and go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<Your CA Name>.

There, look for the value “ValidityPeriodUnits” and change it from 2 (the default) to as high as you want. Note that a template’s validity period can only be as long as the value set in the registry (i.e. even if you set the certificate template to 10 years and the registry is set to 3, you will only get certificates valid for 3 years). This change does not affect predefined templates.

Now you can see the template in the templates list:

Go back to your CA mmc snap-in, and from “Certificate Templates”, choose “New”, “Certificate template to issue”:

Choose your new template and click OK:

You can see it under “Certificate Templates”:
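Because the CA silently caps every template at the registry ceiling, it is worth checking the two values against each other before handing out the first certificate. The script below is an added example, not code from the original post; it runs on the CA as a CA administrator, reads the ceiling from the registry path given above and the template's validity from Active Directory, and raises the ceiling only when the template exceeds it. The template name is an assumed placeholder.

```powershell
# Added example, not from the original post: compare the duplicated template's
# validity with the CA's registry ceiling and raise the ceiling if needed.
$TemplateName = 'MobileUser3Years'   # assumed; the template's name (no spaces), not its display name

# 1) Registry ceiling: HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active        # the CA's own name
$cfg    = Get-ItemProperty -Path (Join-Path $base $caName) -Name ValidityPeriod, ValidityPeriodUnits
$ceilingDays = switch ($cfg.ValidityPeriod) {
    'Years'  { $cfg.ValidityPeriodUnits * 365 }
    'Months' { $cfg.ValidityPeriodUnits * 30 }
    'Weeks'  { $cfg.ValidityPeriodUnits * 7 }
    default  { $cfg.ValidityPeriodUnits }
}
"CA ceiling: $($cfg.ValidityPeriodUnits) $($cfg.ValidityPeriod) (~$ceilingDays days)"

# 2) Template validity: stored in AD as pKIExpirationPeriod, a negative
#    little-endian int64 counting 100-nanosecond ticks.
$cfgNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmpl  = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$ticks = [BitConverter]::ToInt64([byte[]]$tmpl.Properties['pKIExpirationPeriod'].Value, 0)
$templateDays = [math]::Round(-$ticks / 864000000000)
"Template '$TemplateName' validity: $templateDays days"

# 3) The CA issues min(template, ceiling): a 3-year template behind the default
#    2-year ceiling quietly yields 2-year certificates. Raise the ceiling if required.
if ($templateDays -gt $ceilingDays) {
    $neededYears = [math]::Ceiling($templateDays / 365)
    certutil -setreg CA\ValidityPeriod Years
    certutil -setreg CA\ValidityPeriodUnits $neededYears
    Restart-Service CertSvc          # the CA reads these registry values at service start
    "Ceiling raised to $neededYears years to match the template"
} else {
    "Ceiling already covers the template; no change needed"
}
```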

Now – Let’s request a certificate on behalf of a user:

Right-click your personal certificate store, then choose “All Tasks”, “Advanced Operations”, “Enroll On Behalf Of”:

Click “Next” on the first screen:

Then, choose your Enrollment policy:

Click “Browse” to choose your enrollment agent certificate:

Choose your signing certificate and click “OK” (note you have more than one now):

Choose your new certificate and click “Next”:

Select the user you want to enroll the certificate to and click “Enroll”:

That’s it. Your user’s certificate is ready: