In IIS, there is an option to 'Create Domain Certificate.' This works great except for one problem. The template that this process uses is the 'Web Server' template in the CA which has a key with only 1024 bits. I have duplicated this template and then changed the minimum key length to 2048.
I have an Enterprise CA running on Windows Server 2008 R2.
From the 2012 Server Start screen, open Internet Information Services (IIS) Manager. In IIS, click on the server name. Find the Server Certificate icon in the middle pane; double click to open it. Check the right pane for the Actions group and click Create Certificate Request.

Generating certificate signing request (CSR)

Step-1 Open Internet Information Services (IIS) Manager from the Start.
Step-2 On the left panel, choose your server's hostname in the Connections.
Step-3 In the central panel, double-click on Server Certificates.
Step-4 Select Create Certificate Request under the Actions menu on the right-hand.
Is it possible to have all the IIS servers in my domain use the new template when going through the 'Create Domain Certificate' wizard?
Andy Schneider
2 Answers
IIS's wizard will always use the Web Server template. You can't use the wizard if you want to create a certificate against a different template.
Annoying, huh?
Shane Madden♦
Here the TechNet guys sound rather proud of the fact that the IIS GUI doesn't recognize custom templates.
Take a look at this page. It describes how to generate an offline request where you can choose the template. Pay attention in step 6 to click details and properties to specify the friendly name if people will use a DNS alias to access the site. This is, however, an offline request, and still requires you to use some CLI to submit the request.
Clayton
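The offline request and CLI submission described in the answers above can be scripted with `certreq`, which lets the request name the duplicated 2048-bit template instead of the default 'Web Server' one. This is an added example, not code from the original thread; the template name, host names and CA config string are placeholder assumptions to replace with your own.

```powershell
# Added example: request a certificate against a custom template via certreq.
# Run elevated on the IIS server (MachineKeySet = TRUE writes to the machine store).
# All values below are assumed placeholders, not taken from the thread.
$TemplateName = 'WebServer2048'                        # template name (not display name) of the duplicate
$CommonName   = 'web01.example.test'
$DnsNames     = @('web01.example.test', 'intranet.example.test')   # include any DNS alias users type
$CAConfig     = 'ca01.example.test\Example-Issuing-CA' # "CAHost\CAName" of the Enterprise CA
$KeyLength    = 2048

$work = Join-Path $env:TEMP "certreq-$CommonName"
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'response.cer'

# One SAN entry per DNS name, in certreq's "{text}" extension syntax.
$sanLines = ($DnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

@"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=$CommonName"
FriendlyName = "$CommonName"
KeyLength = $KeyLength
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = "$TemplateName"
[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and CSR, submit to the CA, then install the response.
certreq.exe -new $inf $req;                        if ($LASTEXITCODE) { throw 'certreq -new failed' }
certreq.exe -submit -config $CAConfig $req $cer;   if ($LASTEXITCODE) { throw 'certreq -submit failed' }
certreq.exe -accept $cer;                          if ($LASTEXITCODE) { throw 'certreq -accept failed' }

# Confirm the installed certificate really carries the expected key size.
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CommonName" } |
    Sort-Object NotBefore | Select-Object -Last 1
if ($issued.PublicKey.Key.KeySize -lt $KeyLength) { throw "Key is smaller than $KeyLength bits" }
"Installed $($issued.Thumbprint) with $($issued.PublicKey.Key.KeySize)-bit key"
```

Once accepted, the certificate appears under Server Certificates in IIS Manager and can be selected in the site's HTTPS binding.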