In my company there are a lot of servers that users remotely log in to in order to do their duties. We have enabled computer certificate auto-enrollment for them to ensure a secure connection. But because we have some servers with multiple DNS records, it is probable that users don't use the main DNS name of the server, or use its IP address, so they get a certificate error when they try to connect. Therefore we want a way to include all the DNS records and the IP address of the server in the Subject Alternative Name of the certificate automatically.
- How did you solve this problem? – user319862 Jun 26 '15 at 14:33
- It is not solved yet. – Pezhman Toghia Aug 28 '15 at 08:10
1 Answer
As neither the CA nor the server knows the DNS names your clients use to access the server, there is no way to do this automatically. You need to specify the DNS names you would like to use. To do so, you need to create a custom request for the servers.
Create a file called requestSAN.inf with the content below:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "C=DE,O=YOUR-COMPANY-NAME,CN=SERVER.COMPANY.COM"
EncipherOnly = FALSE
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
[RequestAttributes]
; I assume you don't use a custom template, otherwise use the proper template name
CertificateTemplate = WebServer
; One dns= entry per name the clients use, separated by &
SAN="dns=SERVER.COMPANY.COM&dns=SERVER2.COMPANY.COM&dns=SERVER3.COMPANY.COM"
On the server, execute the command below to generate the certificate signing request:
certreq -new requestSAN.inf certnew.req
Submit certnew.req to your CA and get the corresponding certificate.

Jofre
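The request file above can be generated per server instead of hand-edited. The following PowerShell script is an added example, not part of the answer: it builds the .inf from the names you pass in plus the host's own IPv4 addresses, then runs certreq. It places the SAN in the request's own extension (OID 2.5.29.17) rather than in a [RequestAttributes] SAN= attribute, so the CA does not need the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which would let any enrollee put arbitrary names into certificates. The common name, extra names, template and output path are assumptions to replace with your own.

```powershell
# Added example (not from the answer above): write a certreq .inf whose SAN lists
# the DNS names passed in plus this host's routable IPv4 addresses, then create
# the CSR. CommonName/ExtraDnsNames/Template/OutDir are placeholders to adjust.
param(
    [Parameter(Mandatory)][string]$CommonName,   # e.g. SERVER.COMPANY.COM
    [string[]]$ExtraDnsNames = @(),              # other DNS records users type
    [string]$Template = 'WebServer',
    [string]$OutDir = 'C:\certreq'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Discover this host's IPv4 addresses; skip loopback and APIPA (169.254/16).
$ips = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notmatch '^(127\.|169\.254\.)' } |
    Select-Object -ExpandProperty IPAddress -Unique

$dnsNames = @(@($CommonName) + $ExtraDnsNames | Select-Object -Unique)
$san = (@($dnsNames | ForEach-Object { "dns=$_" }) +
        @($ips      | ForEach-Object { "ipaddress=$_" })) -join '&'

# SAN goes into the request's own extension (OID 2.5.29.17) instead of a
# [RequestAttributes] SAN= attribute, so the CA does not need the
# EDITF_ATTRIBUTESUBJECTALTNAME2 flag (which lets any enrollee claim any name).
$inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$CommonName"
Exportable = FALSE          ; keep the private key non-exportable
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0             ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
[Extensions]
2.5.29.17 = "{text}$san"
"@

$infPath = Join-Path $OutDir "$CommonName.inf"
$reqPath = Join-Path $OutDir "$CommonName.req"
Set-Content -Path $infPath -Value $inf -Encoding ASCII
Write-Host "Requesting certificate with SAN: $san"
& certreq.exe -new $infPath $reqPath
# Next: certreq -submit the .req to the CA, then certreq -accept the issued cert.
```

Run it as an administrator on the server itself so the key lands in the machine store; review the printed SAN before submitting, since every name in it becomes a name the certificate vouches for.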