2

I am trying to follow the instructions in this article to create a custom certificate to support SSL on a web server.

I'm stuck on the following step:

Click on Personal – All Tasks – Advanced Operations – Create Custom request

The problem is that on the web server (Windows Server 2003 R2) I don't have an "Advanced Operations" option under "All Tasks". I do on my desktop machine (Windows 7), but not on the server. All the documentation I can find indicates that it should be available on WS-2003-R2, but it just isn't.

Note: I'm going through this manual process because I need to specify a alternate host names in the CSR, which you can't do through the IIS 6.0 console certificate managment functionality.

Any suggestions for how to make this option show up?

JohnFx
  • 225
  • 2
  • 11

1 Answers1

5

That menu option is not a feature on Windows 2003 R2.

You may want to do this through the command line, it is more flexible.

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN
http://support.microsoft.com/kb/931351

http://technet.microsoft.com/en-us/library/cc736326%28WS.10%29.aspx

http://blogs.technet.com/b/niraj_kumar/archive/2009/02/11/how-to-request-certificate-from-third-party-ca-and-install-it-on-the-machine.aspx

certreq -new request.inf certnew.req

certreq -accept cert.cer

C:\UTIL>certreq -v -?
certreq.exe: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
Usage:
  CertReq -?
  CertReq [-v] -?
  CertReq [-Command] -?

  CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]
    Submit a request to a Certification Authority.
    -attrib AttributeString
    -binary
    -config ConfigString
    -crl
    -rpc

  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
    Retrieve a response to a previous request from a Certification Authority.
    -binary
    -config ConfigString
    -crl
    -rpc

  CertReq -New [Options] [PolicyFileIn [RequestFileOut]]
    Create a new request as directed by PolicyFileIn
    -attrib AttributeString
    -binary
    -cert CertId

  CertReq -Accept [CertChainFileIn | FullResponseFileIn | CertFileIn]
    Accept and install a response to a previous new request.

  CertReq -Policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
    Construct a cross certification or qualified subordination request
    from an existing CA certificate or from an existing request.
    -attrib AttributeString
    -binary
    -cert CertId

  CertReq -Sign [Options] [RequestFileIn [RequestFileOut]]
    Sign a cross certification or qualified subordination request.
    -binary
    -cert CertId
    -crl

Description:
  -any                    - Force ICertRequest::Submit to determine encoding type
  -attrib AttributeString - Request attribute string
  -binary                 - Output files in binary format instead of Base64-encoded
  -cert CertId            - Specify signing certificate by common name,
                            serial number, or by sha-1 Key or cert hash
  -config ConfigString    - Server\CertificationAuthority config string
                            or use a single minus sign (-) as config string
  -crl                    - Include CRLs in CertChainFileOut or
                            RequestFileOut
  -f                      - Force overwrite of existing files
  -q                      - Suppress all interactive dialogs
  -rpc                    - Use RPC instead of DCOM server connection
  -v                      - Display Full Response Properties
  -?                      - Display this usage message

  RequestFileIn           - Base64-encoded or binary input file name:
                            PKCS10 certificate request,
                            CMS certificate request,
                            PKCS7 certificate renewal request,
                            X-509 certificate to be cross-certified, or
                            KeyGen tag format certificate request
  RequestFileOut          - Base64-encoded output file name
  PKCS10FileOut           - Base64-encoded PKCS10 output file name
  CertFileOut             - Base64-encoded X-509 file name
  CertChainFileOut        - Base64-encoded PKCS7 file name
  FullResponseFileOut     - Base64-encoded Full Response file name
  ConfigString            - Backslash separated Server Name and Certification
                            Authority Name: MachineDnsName\CAName
  AttributeString         - Colon separated Name and Value string pairs
                            Each pair separated by a backslash and "n"
                            Example: "Name1: Value1\n Name2: Value2"
  PolicyFileIn            - INF file containing a textual representation
                            of extensions used to qualify a request

[NewRequest]
    Subject = "CN=..,OU=...,DC=..."
    PrivateKeyArchive = TRUE
    KeySpec = 1
    KeyLength = 1024
    RenewalCert = CertId
    SMIME = TRUE
    Exportable = TRUE
    UserProtected = TRUE
    KeyContainer = "..."
    MachineKeySet = TRUE
    Silent = TRUE
    ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
    ProviderType = 1
    UseExistingKeySet = TRUE
    RequesterName = DOMAIN\User
    RequestType = PKCS10 | PKCS10- | PKCS7 | CMC
    KeyUsage = 0x80
    EncipherOnly = TRUE
Greg Askew
  • 35,880
  • 5
  • 54
  • 82