Apr 29 2011

Powershell: Enterprise CA, Create SAN certificates for IIS7 servers

We will show in this post how to create a SAN certificate for IIS 7 using an Enterprise PKI. This kind of certificate lets you host multiple SSL sites on a single server. To achieve this with a PowerShell script we will use PSRemoting and the IIS cmdlets.

We launch the script from the server where we administer the PKI with the ADCS RSAT. PSRemoting is used for several steps: first to create the CSR on the IIS server, before the certificate request is sent to the Certificate Authority; once the certificate is issued, to retrieve it and install it in the IIS 7 server's certificate store; and finally to configure IIS 7 to use this certificate on the default web site.

First we have a look at the certificate template named 2008-Webserver, which is a duplicate of the default WebServer template:

Once the certificate request is submitted to the CA, it must be approved by a CA Manager. Subject information (the SAN) is supplied in the request (CSR). The minimum key size is 2048 bits and the private key is not exportable. The CSR will be created with certreq.exe, which takes a RequestPolicy.inf file as input to define the certificate request parameters.

In that file we add the Subject Alternative Name extension (i.e. the multiple URLs) to a particular section of the RequestPolicy.inf file:

You can find the above screenshot in this TechNet article. We will add the SAN to the Extensions section of the file. For security reasons you should never allow SAN certificates to be issued by putting the names in the RequestAttributes section on an Enterprise CA, because the CA would then have to accept whatever subject alternative names any requester supplies; do this only if you have a standalone CA.
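The check that goes with the warning above, as an added example that is not part of the original post or its script: from the PKI administration server, read the EditFlags of the CA's default policy module with certutil and report whether the CA accepts subject alternative names from request attributes (the EDITF_ATTRIBUTESUBJECTALTNAME2 edit flag). It assumes $CAPath holds the CA in the same %CA_Server_FQDN%\%CA_Name% form the script uses; the function name is hypothetical.

```powershell
# Added example (not the post's code): verify that the Enterprise CA does NOT
# accept SAN values supplied as request attributes. If the
# EDITF_ATTRIBUTESUBJECTALTNAME2 edit flag is set on the policy module, any
# enrolled requester can choose the names that end up in the certificate.
# Assumes $CAPath = "CAServerFQDN\CAName" as in the post's script.

function Test-CASanFromRequestAttributes {
    param([Parameter(Mandatory = $true)][string]$CAPath)

    # certutil prints a line such as "  EditFlags REG_DWORD = 11014e (1114446)"
    # followed by one line per flag name that is set.
    $out = certutil -config $CAPath -getreg policy\EditFlags 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed for ${CAPath}: $out" }

    $flags = $null
    foreach ($line in $out) {
        if ("$line" -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
            $flags = [Convert]::ToInt64($Matches[1], 16)
            break
        }
    }
    if ($flags -eq $null) { throw "EditFlags value not found in certutil output" }

    $EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000
    return [bool]($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
}

if (Test-CASanFromRequestAttributes -CAPath $CAPath) {
    Write-Warning "$CAPath accepts SAN from request attributes (EDITF_ATTRIBUTESUBJECTALTNAME2 is set). Put the SAN in the Extensions section of the .inf and keep this flag off on an Enterprise CA."
} else {
    Write-Host "$CAPath does not accept SAN from request attributes: OK"
}
```

Run it before deploying the script; the inf-based approach in this post works whether or not the flag is set, so an Enterprise CA can keep the flag off and still issue SAN certificates through the CA Manager approval step.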

Let's have a look at the RequestPolicy.inf file ($iisinf):

[Version]
Signature="$Windows NT$"

[NewRequest]
Exportable = FALSE
KeyLength = 2048
RequestType = CMC
[RequestAttributes]
CertificateTemplate= 2008-WEBSERVER

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=webURL1.ldap389.info&"
_continue_ = "dns=webURL2.ldap389.fr&"
_continue_ = "dns=webURL3.ldap389.info&"

In order to build the CSR file on the remote IIS server ($webserver) with the certreq -new command, we use the Invoke-Command cmdlet. If you want more information about PSRemoting, I suggest you read Ravikanth Chaganti's eBook.
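The two steps above (writing the .inf and running certreq -new on the web server) as an added example that is not part of the original post or its downloadable script. It generalises the post's three fixed URLs to any number of names: the .inf is generated from an array, so the script no longer has to be edited when the number of URLs changes. Assumed variables are $webserver, $CertTemplate and $dnsNames; the function names, the Subject line and the remote file locations are assumptions, not the post's.

```powershell
# Added example (not the post's code): generate RequestPolicy.inf from a list of
# DNS names and create the CSR on the remote IIS server.
# Assumes: $webserver (IIS host), $CertTemplate (template name),
#          $dnsNames (array of host names for the SAN).

function New-SanRequestInf {
    param(
        [Parameter(Mandatory = $true)][string[]]$DnsNames,
        [Parameter(Mandatory = $true)][string]$CertTemplate,
        [int]$KeyLength = 2048
    )
    # The template enforces a 2048-bit minimum; fail early instead of at the CA.
    if ($KeyLength -lt 2048) { throw "KeyLength must be at least 2048 bits" }

    # One _continue_ line per name, each ending in '&', which is the {text}
    # syntax certreq expects for the 2.5.29.17 (SAN) extension.
    $sanLines = $DnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }

    # Subject is an assumption (CN = first name); the post's .inf omits it.
    @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$($DnsNames[0])"
Exportable = FALSE
KeyLength = $KeyLength
RequestType = CMC

[RequestAttributes]
CertificateTemplate = $CertTemplate

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@
}

function New-RemoteCsr {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$InfContent,
        [string]$RemoteDir = 'C:\Windows\Temp'   # hypothetical working folder
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($inf, $dir)
        $infPath = Join-Path $dir 'RequestPolicy.inf'
        $reqPath = Join-Path $dir 'iis.req'
        Set-Content -Path $infPath -Value $inf -Encoding Ascii

        # certreq -new generates the key pair and the CSR on the IIS server
        # itself, so the (non-exportable) private key never leaves that host.
        $out = certreq -new $infPath $reqPath 2>&1
        if ($LASTEXITCODE -ne 0) { throw "certreq -new failed: $out" }

        # Return the PEM text of the CSR to the caller.
        (Get-Content $reqPath) -join "`r`n"
    } -ArgumentList $InfContent, $RemoteDir
}

$inf = New-SanRequestInf -DnsNames $dnsNames -CertTemplate $CertTemplate
$csr = New-RemoteCsr -ComputerName $webserver -InfContent $inf
```

The CSR file stays on the web server at $reqPath, which is the path the next step ($iisreq) submits to the CA; $csr is only returned so the administrator can inspect the request before submitting it.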

Now you need to submit the CSR file ($iisreq) to the CA ($CAPath):

# Pass the CA path and CSR path as one array (the trailing $null keeps
# -ArgumentList from splatting the array into separate parameters).
$array = @($CAPath,$iisreq)
$Requestforsigning = invoke-command $webserver {param($argarray);certreq.exe -config $argarray[0] -submit $argarray[1]} -ArgumentList $array,$null
# The first output line of certreq -submit is "RequestId: <n>"; keep only <n>.
$reqt = $Requestforsigning[0].replace('RequestId: ','')

Before the certificate is issued, the request ID ($reqt) has to be approved by a CA manager (you 🙂 ); to do that, run the certutil -resubmit $reqt command on the CA.

After that we need to retrieve the certificate ($iiscrt = 'iis.crt') and install it in the IIS 7 server certificate store. We use the Invoke-Command cmdlet again to run PowerShell commands on the remote web server:

$array = @($reqt,$iiscrt,$CAPath)
invoke-command $webserver -scriptblock {
 param($argarray)
 # Download the issued certificate for request ID $reqt from the CA to $iiscrt
 certreq -config $argarray[2] -retrieve $argarray[0] $argarray[1]
 # Install it and pair it with the private key generated by certreq -new
 certreq -accept $argarray[1]
} -ArgumentList $array,$null

The SAN certificate is now installed in the local computer certificate store:

Finally we need to configure IIS. To achieve this we use the WebAdministration cmdlets and follow the instructions given in this post. First we need to retrieve the certificate thumbprint using the certutil -view command:

# Row [0] of the CSV output is the header; row [1] holds the space-separated, quoted hash
$thumbprint = ((((certutil -view -restrict "RequestID=$reqt" -out CertificateHash csv)[1]).replace(' ','')).replace('"','')).ToUpper()

Then launch the following script on the remote IIS 7 server:

import-module WebAdministration
# Add the https binding on all IP addresses, port 443
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
# Attach the SAN certificate from the local machine store to that binding
cd IIS:\SslBindings
Get-Item cert:\LocalMachine\MY\$thumbprint | new-item 0.0.0.0!443
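The thumbprint lookup and the binding step above, as an added example that is not part of the original post or its script. It adds the checks a practitioner wants before trusting the result: it fails if the CA has no certificate hash for the request yet (still pending or denied), verifies on the web server that the certificate has its private key and really carries every expected SAN entry, creates the binding only once, and returns the thumbprint actually bound so the caller can compare it. Assumed variables are $reqt, $webserver and $dnsNames; function names are hypothetical.

```powershell
# Added example (not the post's code): get the thumbprint from the CA, bind the
# certificate on the remote IIS 7 server and verify the binding.
# Assumes: $reqt (request ID), $webserver (IIS host), $dnsNames (SAN names).

function Get-IssuedCertThumbprint {
    param([Parameter(Mandatory = $true)][int]$RequestId)
    # certutil -view ... csv prints a header row, then one data row per match.
    $rows = @(certutil -view -restrict "RequestID=$RequestId" -out CertificateHash csv)
    if ($LASTEXITCODE -ne 0 -or $rows.Count -lt 2) {
        throw "No certificate hash for request $RequestId (still pending or denied?)"
    }
    # Strip the quotes and spaces ("ab cd ef ...") to the form the cert: drive uses.
    return ($rows[1] -replace '[\s"]', '').ToUpper()
}

function Set-IisSanBinding {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string[]]$ExpectedDnsNames,
        [string]$SiteName = 'Default Web Site'
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($thumb, $expected, $site)
        Import-Module WebAdministration

        $cert = Get-Item "cert:\LocalMachine\My\$thumb" -ErrorAction Stop
        if (-not $cert.HasPrivateKey) {
            throw "Certificate $thumb has no private key; run certreq -accept on this server first"
        }

        # Read the SAN extension (OID 2.5.29.17) and check every expected name is in it.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san) { throw "Certificate $thumb has no Subject Alternative Name extension" }
        $sanText = $san.Format($true)
        $missing = $expected | Where-Object { $sanText -notmatch [regex]::Escape($_) }
        if ($missing) { throw "SAN is missing: $($missing -join ', ')" }

        # Create the https binding once, then attach the certificate to 0.0.0.0:443.
        if (-not (Get-WebBinding -Name $site -Protocol https)) {
            New-WebBinding -Name $site -IPAddress '*' -Port 443 -Protocol https
        }
        if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
            $cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
        }
        # Return what is actually bound so the caller can check it.
        (Get-Item 'IIS:\SslBindings\0.0.0.0!443').Thumbprint
    } -ArgumentList $Thumbprint, $ExpectedDnsNames, $SiteName
}

$thumbprint = Get-IssuedCertThumbprint -RequestId $reqt
$bound = Set-IisSanBinding -ComputerName $webserver -Thumbprint $thumbprint -ExpectedDnsNames $dnsNames
if ($bound -ne $thumbprint) { throw "Port 443 is bound to $bound, expected $thumbprint" }
```

If a binding for 0.0.0.0!443 already exists with another certificate, the function leaves it alone and the final comparison fails, which is the safer outcome on a server that already serves HTTPS; remove the old SslBindings item deliberately rather than overwriting it in the script.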

There you go, your IIS server is set up and ready to share multiple HTTPS URLs on the same server.

Download the full script here:

You just need to change the following variables:

  • $CAPath: Certificate Authority path, %CA_Server_FQDN%\%CA_Name%
  • $webURL1, $webURL2, $webURL3: URLs to put in the SAN certificate, you will need to adapt the script if the number of URLs is different.
  • $CertTemplate: Name of your Webserver certificate template.
  • $webserver: IIS 7 server name.
