Certificate Services – Create a ‘Wildcard Certificate’

KB ID 0001128 Dtd 11/01/16


Now you may be thinking, “If you have your own CA/PKI solution, why would you need to create a wildcard certificate?” If you can generate as many certificates as you want, what's the point? Well, today I need to set up ADFS, WAG (Web Application Gateway), and a Remote Desktop Services Gateway server. Making the whole thing work on my test bench is a lot less hassle if I can just use one certificate for everything! (Bear in mind that on a production network one private key shared by every service means one compromise exposes them all.)


Process carried out on Windows Server 2012 R2

Windows Key +R > MMC > {Enter} > File > Add/Remove Snap-in.

Add Snap-in

Certificates > Add.

Certificate Snapin

Computer account > Next.

Computer Certificates

Local Computer > Finish.

Local Computer Certs


MMC Certificates

Certificates > Personal > Right Click > All Tasks > Advanced Operations > Create Custom Request.

Custom Certificate Request

Proceed without enrolment policy > Next.

Skip enrollment policy

In nearly every case you can accept the default of ‘(No template) CNG Key’. However, some applications (particularly Active Directory Federation Services) need the private key to be held by one of the older Cryptographic Service Providers (CSPs) rather than a CNG Key Storage Provider. If that is the case, change the option to ‘(No template) Legacy Key’ > Next.

Wildcard CSP Provider

Wildcard Legacy CSP

Details > Properties.

Certificate Request

General Tab: Friendly Name > *.{your domain}.

Wildcard Windows Certificate

Subject Tab: Ensure the Common Name (CN) is set to *.{your domain} > Enter the rest of your details as shown. Under Alternative name, also add Type: DNS, Value: *.{your domain} > Add, because modern browsers and clients match the name against the Subject Alternative Name and ignore the CN.

Certificate Services 2012 Wildcard

Extensions Tab: Under Key usage, add Digital Signature and Key Encipherment.

Wildcard Extensions

Private Key Tab: Key options > Key size = 4096 > tick Make private key exportable (required for the PFX export at the end) > Apply > OK.

Wildcard Cert Key Length

Save the certificate request > Finish > Leave the Certificate console open (you will need it later).

Cert Request Wildcard

Locate the certificate request you just saved > Open it with Notepad > Select ALL the text and copy it to the clipboard.

cert request text

Open the web enrolment portal of your certificate services server (https://server.domain.com/certsrv) > Request a certificate.

Request Wildcard Cert

Advanced Certificate Request.

Advanced Cert Request

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Advanced Cert Request

Paste in the Text > Certificate Template = Web Server > Submit.

Certificate Services generate Wild Card

Base 64 encoded > Download certificate.

Base 64

Save the certificate, and change its name from certnew > Save.

Save Wildcard Certificate

Back in the certificate console > Right Click ‘Personal’ > All Tasks > Import.

Import Wildcard


Cert Import Wizard

Navigate to the certificate you have just saved.

Save Wildcard cert


Certificate Store


Complete Cert Wizard


Successful Cert Import

Now this may seem a little odd, but having just imported the certificate, to get it into PFX format (certificate plus private key) you need to export it again. Right click the cert > All Tasks > Export.

Export to PFX



Yes, export the private key > Next.


Personal Information Exchange > Next.


Enter and re-type a password (you will need this to import the certificate, so remember it) > Next.


Save it somewhere you can find it (this file holds the private key for every host name under *.{your domain}, so keep it access-controlled and delete stray copies once it has been imported where it is needed) > Next.


Finish > OK.
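As an added example (not part of the original article), here is the same procedure scripted in PowerShell with certreq.exe and the PKI module, so it can be repeated on a test bench without clicking through MMC and the certsrv portal. The domain, CA name, organisation details, folder and file names are placeholders/assumptions; the INF selects the legacy CSP that the article recommends for ADFS (swap the provider lines for the CNG Key Storage Provider if you want the default ‘CNG Key’ behaviour), sets 4096-bit exportable key, Digital Signature + Key Encipherment, the Web Server template, and also puts the wildcard into a Subject Alternative Name. Run it in an elevated PowerShell on the server that will hold the private key.

```powershell
# Added example, not from the original article. Assumed values below; change to suit.
$Domain   = 'example.com'                            # assumption
$CaConfig = 'ca01.example.com\Example Issuing CA'    # assumption: "<CA host>\<CA common name>" (see certutil -dump)
$WorkDir  = 'C:\Certs'                               # assumption
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir 'wildcard.inf'
$ReqPath = Join-Path $WorkDir 'wildcard.req'
$CerPath = Join-Path $WorkDir 'wildcard.cer'
$PfxPath = Join-Path $WorkDir "wildcard.$Domain.pfx"

# Step 1: the custom request (equivalent of MMC > Create Custom Request).
# ProviderName/ProviderType/KeySpec select the legacy CSP ("Legacy Key" in the article).
# For the default "CNG Key" use: ProviderName = "Microsoft Software Key Storage Provider"
# and remove the ProviderType and KeySpec lines.
$Inf = @"
[NewRequest]
Subject = "CN=*.$Domain, O=Example Org, L=Example City, S=Example State, C=GB"
FriendlyName = "*.$Domain"
KeyLength = 4096
; 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xA0
; Exportable so the PFX export at the end works; MachineKeySet puts it in the Local Computer store
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
HashAlgorithm = sha256
RequestType = PKCS10
[Extensions]
; Subject Alternative Name (OID 2.5.29.17): clients match on this, not on the CN
2.5.29.17 = "{text}"
_continue_ = "dns=*.$Domain&"
_continue_ = "dns=$Domain"
[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Generates the key pair in LocalMachine and writes a Base-64 PKCS#10 request,
# the same text the article pastes into certsrv.
& certreq.exe -new $InfPath $ReqPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Step 2: submit straight to the CA instead of via the certsrv web page.
# Needs the Web Server template published on the CA and Enroll rights for this account.
& certreq.exe -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $ReqPath $CerPath | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $CerPath)) {
    throw 'Submission failed or the request is pending CA manager approval; issue it on the CA and retrieve it with certreq -retrieve'
}

# Step 3: install the issued certificate; certreq pairs it with the pending private key
# (this is the MMC "Import" step, without the chance of landing it in the wrong store).
& certreq.exe -accept $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# Locate the new certificate. "[*]" in -like matches a literal asterisk.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=[*].$Domain*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert) { throw 'Wildcard certificate not found in LocalMachine\My' }

# Checks a practitioner would want before handing this key to ADFS/RDG/WAP:
$Cert | Format-List Subject, FriendlyName, Thumbprint, NotAfter, HasPrivateKey
$San = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $San) { throw 'Issued certificate has no SAN: check the template allows "Supply in the request"' }
$San.Format($true)
# The provider line shows whether the key ended up in the legacy CSP or a CNG KSP.
& certutil.exe -store My $Cert.Thumbprint | Select-String 'Provider'

# Step 4: export certificate + private key as PFX (the article's final export step).
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
Write-Host "Exported $PfxPath. It holds the private key for every host under *.$Domain; delete it once imported where needed."
```

If the CA is configured to hold requests for approval, the submit step returns a request ID rather than a certificate; approve it in the Certification Authority console and then run `certreq -retrieve <RequestId> wildcard.cer` (followed by `certreq -accept`) in place of steps 2 and 3.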




Author: PeteLong
