Mark Minasi's Tech Forum
rgh

Still Checking the Forum Out
Posts: 2
#1
So I have an ancient server! It's not in a domain.

I want to install a certificate on it from a Certificate Authority. Using the MMC Certificates snap-in only works, I think, when the server is part of a domain.

Is there some way, maybe some command line method, of installing a certificate on such a server?

Does anyone remember that far back?
wkasdo

Administrator
Posts: 219
#2
Windows 2000 has certreq, which can be used to generate a request file using an input (.inf) file. Submit this to a CA to generate the certificate. I hesitate to give more details, because it's for sure going to be different from current OSes. Also, you could try the CA website if it's installed. For that you don't need a request file.

Also, the CA must be compatible. If it's in SHA2 mode (as it should...) you won't be able to generate a cert that can be understood by W2000, which operates on SHA1.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
rgh

Still Checking the Forum Out
Posts: 2
#3
Thanks for your help wkasdo, I've got the problem resolved now.

The server I needed to install on was win 2003, although I had a 2000 server that I was free to mess around with. I think the procedure is similar.

I used certreq, plus 3 additional steps:

I installed a hotfix as in kb938397. Not sure if that step was actually required.
The certificate I got had at the top of its path a Certification Authority, the certificate for which never originally shipped with 2003, so I imported it.
I had to put the certificate fingerprint at a certain key in the registry. Horrible!



DM-AVAL

New Friend (or an Old Friend who Built a New Account)
Posts: 77
#4
It sounds like you've solved your problem but for future reference, there is another way for non-domain members to request a certificate. You can still go in the MMC but you do an advanced request and save the request to a file (a text file you can open in Notepad). You paste the content in the web interface of your issuing certificate authority, issue the certificate and then import it (probably with the entire chain in these circumstances).

Plain MMC is the preferred method but there are lots of cases where MMC is not an option at all. Non-Windows servers or appliances obviously do not have the MMC. Or a request coming directly from an application that uses OpenSSL for the certificate functions.
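
As an added example (not part of any post in this thread), this script uses OpenSSL, which post #4 mentions, to list the signature hash of each certificate in an issued chain before it is imported, which is the SHA1/SHA2 compatibility question raised in post #2. The function names and the throwaway self-signed sample certificate are constructed for illustration, and it assumes the `openssl` command is run on a separate administrative workstation.

```shell
#!/bin/sh
# Added example: list the signature hash of every certificate in a PEM bundle.

# Map an OpenSSL signature algorithm name to a hash family.
sig_family() {
    case "$1" in
        sha1With*|ecdsa-with-SHA1|dsaWithSHA1) echo sha1 ;;
        sha224With*|sha256With*|sha384With*|sha512With*) echo sha2 ;;
        ecdsa-with-SHA[235]*) echo sha2 ;;
        *) echo other ;;   # e.g. RSA-PSS: inspect by hand
    esac
}

# Print the signature algorithm of one PEM certificate read from stdin.
cert_sig_alg() {
    openssl x509 -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print "<position> <algorithm> <family>" for each certificate in bundle $1.
# Returns 0 if all are SHA-1 signed, 1 if any is not, 2 if none was found.
check_chain() {
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    count=0 rc=0
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || break
        count=$((count + 1))
        alg=$(cert_sig_alg < "$f")
        fam=$(sig_family "$alg")
        echo "$(basename "$f" .pem) $alg $fam"
        [ "$fam" = sha1 ] || rc=1
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] || rc=2
    return "$rc"
}

# Constructed sample input: a throwaway self-signed SHA-256 certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=constructed.example" -keyout "$1.key" -out "$1" 2>/dev/null
}

sample=$(mktemp)
make_sample_cert "$sample"
check_chain "$sample" || echo "chain is not SHA-1 only (exit $?)"
rm -f "$sample" "$sample.key"
```

Run `check_chain` against the file the CA returns (certificate plus chain); any line ending in `sha2` or `other` marks a certificate that a SHA1-only system would not understand.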