Certificate Services – Create a ‘Wildcard Certificate’


KB ID 0001128 Dtd 11/01/16

Problem

Now you may be thinking, “If you have your own CA/PKI solution, why would you need to create a Wildcard Certificate?” If you can generate as many certificates as you want, what’s the point? Well, today I need to set up ADFS, WAG (Web Application Gateway), and a Remote Desktop Services Gateway Server. Making the whole thing work on my test bench would be a lot less hassle if I could just use one certificate for everything!

Solution

Process carried out on Windows Server 2012 R2

Windows Key +R > MMC > {Enter} > File > Add/Remove Snap-in.

Add Snapin

Certificates > Add.

Certificate Snapin

Computer account > Next.

Computer Certificates

Local Computer > Finish.

Local Computer Certs

OK.

MMC Certificates

Certificates > Personal > Right Click > All Tasks > Advanced Operations > Create Custom Request.

Custom Certificate Request

Proceed without enrolment policy > Next.

Skip enrollment policy

In nearly every case you can accept the default of ‘(No template) CNG Key’. However, some applications (particularly Active Directory Federation Services) need to use an older set of Cryptographic Service Providers (CSPs). If that is the case, change the option to ‘(No Template) Legacy Key’ > Next.

Wildcard CSP Provider

Wildcard Legacy CSP

Details > Properties.

Certificate Request

General Tab: Friendly Name > *.{your domain}.

Wildcard Windows Certificate

Subject Tab: Ensure the Common Name (CN) is set to *.{your domain} > Enter the rest of your details as shown.

Certificate Services 2012 Wildcard

Extensions Tab: Add in Digital Signature and Key Encipherment.

Wildcard Extensions

Private Key: Key Size=4096 > Make private key exportable > Apply > OK.

Wildcard Cert Key Length

Save the certificate request > Finish > Leave the Certificate console open (you will need it later).

Cert Request Wildcard

Locate the certificate request you just saved > Open it with Notepad > Select ALL the text and copy it to the clipboard.

cert request text

Open the web enrolment portal of your certificate services server (https://server.domain.com/certsrv) > Request a certificate.

Request Wildcard Cert

Advanced Certificate Request.

Advanced Cert Request

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Advanced Cert Request

Paste in the Text > Certificate Template = Web Server > Submit.

Certificate Services generate Wild Card

Base 64 encoded > Download certificate.

Base 64

Save the certificate, and change its name from certnew > Save.

Save Wildcard Certificate

Back in the certificate console > Right Click ‘Personal’ > All Tasks > Import.

Import Wildcard

Next.

Cert Import Wizard

Navigate to the certificate you have just saved.

Save Wildcard cert

Next.

Certificate Store

Finish.

Complete Cert Wizard

Hopefully.

Successful Cert Import

Now this may seem a little odd, but having just imported the certificate, to get it in PFX format you need to export it again. Right click the cert > All Tasks > Export.

Export to PFX

Next.


Yes, export the private key > Next.


Personal Information Exchange > Next.


Enter and re-type a password (You will need this to import the certificate so remember it) > Next.


Save it somewhere you can find it > Next.


Finish > OK.
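The same procedure can be scripted with certreq and the PKI module, which is handy if you have to repeat it on several test-bench servers. The script below is an added example, not part of the original article: it builds the custom request with the legacy CSP (the ‘(No Template) Legacy Key’ option above, needed for ADFS), a 4096-bit exportable key, Digital Signature + Key Encipherment, submits it against the Web Server template, imports the issued certificate and exports it to PFX. It goes slightly beyond the article by also adding a DNS Subject Alternative Name, because modern browsers ignore the CN and only match the SAN. The domain (example.com), the CA config string (ca01.example.com\Example-CA), the file paths and the PFX password are placeholders you must replace.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# on the server that will hold the private key. Placeholders: example.com,
# ca01.example.com\Example-CA, C:\Certs\*, and the PFX password.
$Domain   = 'example.com'                   # placeholder domain
$CAConfig = 'ca01.example.com\Example-CA'   # placeholder: "<CA host>\<CA common name>", see certutil -dump
$WorkDir  = 'C:\Certs'                      # placeholder output folder
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# INF equivalent of the MMC custom request in the article.
# KeyUsage 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20).
# ProviderName/ProviderType/KeySpec select the legacy CSP; for the default
# '(No template) CNG Key' use ProviderName = "Microsoft Software Key Storage Provider"
# and drop KeySpec and ProviderType.
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=*.$Domain, O=Example Ltd, L=City, S=State, C=GB"
FriendlyName = "*.$Domain"
KeyLength = 4096
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=*.$Domain&"
"@
$InfPath = Join-Path $WorkDir 'wildcard.inf'
$ReqPath = Join-Path $WorkDir 'wildcard.req'
$CerPath = Join-Path $WorkDir 'wildcard.cer'
$PfxPath = Join-Path $WorkDir 'wildcard.pfx'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 1. Create the request (private key lands in the Local Computer store's request container).
certreq.exe -new $InfPath $ReqPath

# 2. Submit to the CA with the Web Server template (the web-enrolment step in the article).
#    The Web Server template must allow the subject to be supplied in the request.
certreq.exe -submit -config $CAConfig -attrib 'CertificateTemplate:WebServer' $ReqPath $CerPath

# 3. Install the issued certificate so it joins its private key in Personal (the Import step).
certreq.exe -accept $CerPath

# 4. Find the certificate and verify what the article asked for before exporting.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "^CN=\*\.$([regex]::Escape($Domain))" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert)              { throw 'Wildcard certificate not found in LocalMachine\My' }
if (-not $Cert.HasPrivateKey) { throw 'Certificate has no private key; -accept did not pair it' }

$KeyUsage = ($Cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
if (-not ($KeyUsage -band 'DigitalSignature') -or -not ($KeyUsage -band 'KeyEncipherment')) {
    throw "Unexpected key usage: $KeyUsage"
}
# Legacy CSP keys expose .PrivateKey; CNG keys do not, which is the quick ADFS-compatibility check.
$Provider = $Cert.PrivateKey.CspKeyContainerInfo.ProviderName
Write-Host "Issued: $($Cert.Subject) thumbprint $($Cert.Thumbprint) provider: $Provider"

# 5. Export to PFX with the private key (the Export step). Prompting avoids a password in the script.
$PfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
Write-Host "PFX written to $PfxPath"
```

If the CA requires manager approval, certreq -submit returns a pending request ID instead of a certificate; issue it on the CA and then run certreq -retrieve <ID> wildcard.cer before the -accept step.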


Related Articles, References, Credits, or External Links

NA

Author: PeteLong
