6/05/2009

Certificates for internet-based site systems in SCCM

Internet-based site systems in SCCM need certificates that carry the Server Authentication purpose, e.g. one issued from the Web Server template. What matters for these certificates is that the FQDN of the server (or the DNS alias you defined for it) appears either in the certificate Subject field or in the Subject Alternative Name (SAN) field.
For example: MYSCCM01.MYDOMAIN.LOCAL or SCCM.MYDOMAIN.COM

BUT!!! It gets difficult if you want to use one certificate for both intranet and Internet use. In that case both FQDNs must be in the certificate, but only one subject name can be configured. A template whose subject name is built from Active Directory only puts that one name into the SAN and ignores any names in the request. There are two ways around this: use a template whose subject name is "Supply in the request", so the SANs come from the CSR itself, or enable the CA-wide EDITF_ATTRIBUTESUBJECTNAME2 flag, which makes the CA honour SAN values passed as request attributes (certreq -submit -attrib "SAN:dns=name1&dns=name2").

For the second option, execute the following command on the CA so that SAN values supplied as request attributes get into the issued certificates. Be aware that this flag applies to every template on that CA, not just Web Server: any principal allowed to enroll can then request a certificate with an arbitrary SAN, including a UPN of a more privileged account, and on templates valid for client authentication that is a direct path to impersonation. Prefer the template route where you can, and if you do set the flag, keep enrollment permissions on the CA tight.

certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTNAME2

After this, stop and start the CA service:

net stop certsvc && net start certsvc

Now you can issue certificates with more than one SAN name.
To request a certificate with several SAN names through the GUI, open the Certificates MMC for the Computer account, request a new certificate, choose your server authentication template (its subject name must be "Supply in the request", otherwise the Details arrow offers no properties to edit) and open the properties page by clicking the Details arrow.
Under Alternative name, select the type DNS and type in your FQDNs, one entry per name.
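The same request done from the command line, as an added example rather than anything from the original post: it builds a certreq INF that carries both FQDNs as DNS entries in the SAN extension of the CSR (so the CA-wide flag is not needed), submits it, installs the result in the machine store and verifies that both names and the Server Authentication EKU are really in the issued certificate. The CA config string CA01.MYDOMAIN.LOCAL\MyDomain-CA, the template name WebServerSAN (a copy of Web Server with subject name "Supply in the request" and enroll rights for the computer account) and the work folder are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Assumptions (placeholders):
#   - run elevated on the domain-joined SCCM site server
#   - issuing CA config string: CA01.MYDOMAIN.LOCAL\MyDomain-CA
#   - template "WebServerSAN": copy of Web Server, Subject Name = "Supply in the request",
#     computer account has Enroll permission
$IntranetFqdn = 'MYSCCM01.MYDOMAIN.LOCAL'
$InternetFqdn = 'SCCM.MYDOMAIN.COM'
$CaConfig     = 'CA01.MYDOMAIN.LOCAL\MyDomain-CA'   # assumed
$Template     = 'WebServerSAN'                       # assumed
$Work         = Join-Path $env:TEMP 'sccm-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. The SANs below travel inside the CSR, so EDITF_ATTRIBUTESUBJECTNAME2 is not
#    required. If the CA has it set anyway, warn: every requester can then add
#    arbitrary names (including UPNs) via "-attrib SAN:..." on any template.
$editFlags = & certutil.exe -config $CaConfig -getreg policy\EditFlags 2>&1 | Out-String
if ($editFlags -match 'EDITF_ATTRIBUTESUBJECTNAME2') {
    Write-Warning 'CA has EDITF_ATTRIBUTESUBJECTNAME2 set: requesters can supply arbitrary SANs via request attributes.'
}

# 2. Build the certreq INF: Subject = intranet FQDN, SAN (OID 2.5.29.17) = both FQDNs.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__INTRANET__"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[RequestAttributes]
CertificateTemplate = __TEMPLATE__

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__INTRANET__&"
_continue_ = "dns=__INTERNET__"
'@
$inf = $inf.Replace('__INTRANET__', $IntranetFqdn).Replace('__INTERNET__', $InternetFqdn).Replace('__TEMPLATE__', $Template)
$infPath = Join-Path $Work 'sccm.inf'
$reqPath = Join-Path $Work 'sccm.req'
$cerPath = Join-Path $Work 'sccm.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 3. Generate key pair + CSR in the machine store, submit to the CA, install the result.
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
& certreq.exe -submit -config $CaConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cerPath)) {
    throw 'Request was not issued immediately (denied or pending); check the CA.'
}
& certreq.exe -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 4. Verify: newest cert with that subject has a private key, both DNS SANs and
#    the Server Authentication EKU (1.3.6.1.5.5.7.3.1). A template that builds the
#    subject from AD would have dropped the Internet name here.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$IntranetFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate not found in LocalMachine\My' }

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    # Format($true) yields one "DNS Name=host" line per entry
    $sanNames = ($sanExt.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

foreach ($n in @($IntranetFqdn, $InternetFqdn)) {
    if ($sanNames -notcontains $n) { throw "SAN is missing $n; the template may build the subject from AD" }
}
if (-not $hasServerAuth) { throw 'Certificate lacks the Server Authentication EKU' }
"OK: $($cert.Thumbprint) covers $($sanNames -join ', ')"
```

If you do go the EDITF_ATTRIBUTESUBJECTNAME2 route instead, drop the [Extensions] section and pass the names at submit time with certreq -submit -config $CaConfig -attrib "SAN:dns=$IntranetFqdn&dns=$InternetFqdn" $reqPath $cerPath; the verification step stays the same, and it is exactly the check that tells you whether the CA honoured the names or silently replaced them.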
