Geekzone: technology news, blogs, forums


lyonrouge

1993 posts

Uber Geek

Trusted
Lifetime subscriber

#80185 28-Mar-2011 15:41

Hi team,

Does anyone know of a good guide/tutorial for how to create a wildcard certificate? Before I buy one I want to be sure FTMG will perform the SSL routing (by URL) I desire so need to generate one for testing.


lyonrouge

1993 posts

Uber Geek

Trusted
Lifetime subscriber

  #460097 18-Apr-2011 13:21

So I've created the Certificate Services server with a webpage for submission. Then used Opensso (Open SUSE) to create the CSR, but the Certificate Created is not accepted by FTMG.

Note: Microsoft AD propagates the Certificate Services Server as Trusted Root on all other machines on the domain.

Zeon
3876 posts

Uber Geek

Trusted

  #460099 18-Apr-2011 13:22

Not answering the question buuut - why not get more IPs - sooo much more simple.






lyonrouge

1993 posts

Uber Geek

Trusted
Lifetime subscriber

  #460100 18-Apr-2011 13:26

Hmmm, I suspect my problem is that I did not create the CSR on the target host?



lyonrouge

1993 posts

Uber Geek

Trusted
Lifetime subscriber

  #460103 18-Apr-2011 13:29

Zeon: Not answering the question buuut - why not get more IPs - sooo much more simple.


$$$$$$

lyonrouge

1993 posts

Uber Geek

Trusted
Lifetime subscriber

  #460104 18-Apr-2011 13:30

To put in context, this is at my home, not a commercial solution, just a self-training exercise.

lyonrouge

1993 posts

Uber Geek

Trusted
Lifetime subscriber

  #460516 19-Apr-2011 14:37

So, got this working. The important part was to use

certreq.exe -new

(and not a third party) with the following request.inf file (I went to this and then away again as it did not present a UI)

[NewRequest]
Subject = "CN=*."
MachineKeySet = True
KeyLength = 2048
KeySpec=1
[RequestAttributes]
CertificateTemplate = WebServer
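
The certreq workflow from the post above, carried through request, submission and installation on the host that will use the certificate, as an added example that is not part of the original post. The domain `example.test`, the CA config string and the file paths are placeholder assumptions; the INF keys are the ones shown in the post.

```powershell
# Added example. Run from an elevated prompt on the host that will hold the
# certificate: MachineKeySet = True creates the key pair in the local machine
# store, so the private key never leaves this machine.
$Domain   = 'example.test'              # placeholder domain (assumption)
$CaConfig = 'CA-HOST\Example-Issuing-CA' # placeholder "<CA host>\<CA name>" (assumption)
$WorkDir  = Join-Path $env:TEMP ('wildcard-req-' + (Get-Date -Format 'yyyyMMddHHmmss'))
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'wildcard.req'
$cerPath = Join-Path $WorkDir 'wildcard.cer'

# Same settings as the request.inf in the post, with a placeholder subject.
$inf = @"
[NewRequest]
Subject = "CN=*.$Domain"
MachineKeySet = True
KeyLength = 2048
KeySpec = 1
[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Generate the key pair locally and write the PKCS#10 request.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 2. Submit the request to the internal CA and save the issued certificate.
certreq.exe -submit -config $CaConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed' }

# 3. Install the certificate; this pairs it with the pending private key
#    created in step 1 on this host.
certreq.exe -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 4. Confirm the certificate in the machine store has its private key.
#    A certificate without one cannot be used to terminate SSL.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=*.$Domain" }
$certs | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
if (-not ($certs | Where-Object { $_.HasPrivateKey })) {
    throw "No certificate for *.$Domain with a private key in LocalMachine\My"
}
```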


Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #460634 19-Apr-2011 20:12

the scenario you posted will work for several servers from the same SSL listener. you may run into problems if you need different authentication methods defined on the listeners. e.g. one for forms based AD integration for exchange web access, a different one for basic auth passthrough (e.g. web server with user/pass) and a different one again for RPC over HTTPS






lyonrouge

1993 posts

Uber Geek

Trusted
Lifetime subscriber

  #461197 21-Apr-2011 08:56

Yes, indeed I have. Cannot get RDGateway to work in this configuration. I'm not sure I'm going to be able to get everything I want to work through a single IP address. So far I have SharePoint, OWA and a basic Web Site configured. Critically I need the HTTPS proxy for Exchange and ActiveSync to work, which I have my doubts will be successful.

Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #461454 21-Apr-2011 20:51

you can always serve up HTTPS/RPC over a custom port. ActiveSync too, but it's more of a pain configuring phones to use custom ports




networkn
Networkn
30207 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #461470 21-Apr-2011 21:50

I can't even see how to tell my phone to use a non standard port to connect to activesync over ssl. If you can tell me, I will have a statue erected in your honour!

I have android 2.3

Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #461486 21-Apr-2011 23:26

networkn: I can't even see how to tell my phone to use a non standard port to connect to activesync over ssl. If you can tell me, I will have a statue erected in your honour!

I have android 2.3


if it's supported, i would expect that you would just enter server name as myexchange.co.nz:444. This plus the ssl required flag should result in calls to https://myexchange.co.nz:444/ . Assuming it's supported....




Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #461487 21-Apr-2011 23:27

hmm. lots of hate for google about this being an issue in android here: http://code.google.com/p/android/issues/detail?id=4901




lyonrouge

1993 posts

Uber Geek

Trusted
Lifetime subscriber

  #461616 22-Apr-2011 15:56

I'm abandoning TS Gateway and just going to try and get Exchange and SharePoint to work, if even that is achievable, the listener configuration for the two may have conflicting requirements, oh well, so much for cutting over this weekend.
