Certificate Services – Create a ‘Wildcard Certificate’

KB ID 0001128

Problem

Now you may be thinking, “If you have your own CA/PKI solution, why would you need to create a Wildcard Certificate?” If you can generate as many certificates as you want, what’s the point? Well, today I need to set up ADFS, WAG (Web Application Gateway), and a Remote Desktop Services Gateway server. To make the whole thing work on my test bench would be a lot less hassle if I could just use one certificate for everything!

Solution

Process carried out on Windows Server 2012 R2

Windows Key +R > MMC > {Enter} > File > Add/Remove Snap-in.

Add Snapin

Certificates > Add.

Certificate Snapin

Computer account > Next.

Computer Certificates

Local Computer > Finish.

Local Computer Certs

OK.

MMC Certificates

Certificates > Personal > Right Click > All Tasks > Advanced Operations > Create Custom Request.

Custom Certificate Request

Proceed without enrolment policy > Next.

Skip enrollment policy

In nearly every case you can accept the default of ‘(No template) CNG Key’. However, some applications (particularly Active Directory Federation Services) need to use an older set of Cryptographic Service Providers (CSPs). If that is the case, change the option to ‘(No Template) Legacy Key’ > Next.

Wildcard CSP Provider

Wildcard Legacy CSP

Details > Properties.

Certificate Request

General Tab: Friendly Name > *.{your domain}.

Wildcard Windows Certificate

Subject Tab: Ensure the Common Name (CN) is set to *.{your domain} > Enter the rest of your details as shown.

Certificate Services 2012 Wildcard

Extensions Tab: Add in Digital Signature and Key Encipherment.

Wildcard Extensions

Private Key: Key Size=4098 > Make private key exportable > Apply > OK.

Wildcard Cert Key Length

Save the certificate request > Finish > Leave the Certificate console open (you will need it later).

Cert Request Wildcard

Locate the certificate request you just saved > Open it with Notepad > Select ALL the text and copy it to the clipboard.

cert request text

Open the web enrolment portal of your certificate services server (https://server.domain.com/certsrv) > Request a certificate.

Request Wildcard Cert

Advanced Certificate Request.

Advanced Cert Request

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Advanced Cert Request

Paste in the Text > Certificate Template = Web Server > Submit.

Certificate Services generate Wild Card

Base 64 encoded > Download certificate.

Base 64

Save the certificate, and change its name from certnew > Save.

Save Wildcard Certificate

Back in the certificate console > Right Click ‘Personal’ > All Tasks > Import.

Import Wildcard

Next.

Cert Import Wizard

Navigate to the certificate you have just saved.

Save Wildcard car

Next.

Certificate Store

Finish.

Complete Cert Wizard

Hopefully.

Successful Cert Import

Now this may seem a little odd, but having just imported the certificate, to get it in PFX format you need to export it again. Right click the cert > All Tasks > Export.

Export to PFX

Next.


Yes, export the private key > Next.


Personal Information Exchange > Next.


Enter and re-type a password (You will need this to import the certificate so remember it) > Next.


Save it somewhere you can find it > Next.


Finish > OK.
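The same procedure scripted end to end with certreq.exe and PowerShell, as an added example that is not part of the original article: the INF reproduces the custom request settings above (legacy CSP, 4096-bit exportable key, Digital Signature and Key Encipherment) and also adds a Subject Alternative Name, which the comments below identify as the fix for the Chrome CN-mismatch error. The domain, CA configuration string and subject details are placeholders.

```powershell
# Added example, not from the original article: the same wildcard certificate
# created, submitted, installed and exported with certreq.exe and PowerShell.
# Placeholders (assumed): example.com, the CA config string and the subject details.
$Domain   = 'example.com'
$CaConfig = 'CA01.example.com\Example-Issuing-CA'   # "CAhost\CA name"; list with: certutil -dump
$Inf      = "$env:TEMP\wildcard.inf"
$Req      = "$env:TEMP\wildcard.req"
$Cer      = "$env:TEMP\wildcard.cer"

# ProviderName/ProviderType/KeySpec select the legacy CSP the article recommends for ADFS.
# For a CNG key instead, replace those three lines with:
#   ProviderName = "Microsoft Software Key Storage Provider"
@"
[NewRequest]
Subject = "CN=*.$Domain, O=Example Org, L=City, S=County, C=GB"
FriendlyName = "*.$Domain"
KeyAlgorithm = RSA
KeyLength = 4096
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyUsage = 0xA0 ; Digital Signature (0x80) + Key Encipherment (0x20), the two extensions added in the MMC
RequestType = PKCS10

[Extensions]
; Subject Alternative Name. Modern browsers match the hostname against SAN entries only,
; so a wildcard certificate with no SAN produces the CN-mismatch errors reported in the comments.
2.5.29.17 = "{text}"
_continue_ = "dns=*.$Domain&"
_continue_ = "dns=$Domain"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $Inf -Encoding ASCII

certreq.exe -new $Inf $Req                       # key pair + PKCS#10, same as the MMC custom request
certreq.exe -submit -config $CaConfig $Req $Cer  # submit to the CA instead of pasting into /certsrv
certreq.exe -accept $Cer                         # install into LocalMachine\My and bind the private key

# Export with the private key to PFX (the article's final step); the password is prompted for.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject.StartsWith("CN=*.$Domain") -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $Cert -FilePath "$env:TEMP\wildcard.pfx" -Password $PfxPassword
```

If the CA is configured to hold requests pending, issue it in the Certification Authority console and fetch it with `certreq -retrieve <RequestId> wildcard.cer` before the `-accept` step.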


Related Articles, References, Credits, or External Links

NA

Author: PeteLong


13 Comments

    • I have followed your instructions several times making sure I am not missing any steps.
      All works beautifully until I reach your step: “Paste in the Text > Certificate Template = Web Server > Submit.”
      In this step I don’t have a Certificate Template field.

      Any suggestions, please?
      Thanks.

  1. Hi,

    I followed your guide to create a wildcard on my internal CA for use with some of my web servers, but am having an issue;

    When I add the exported PFX to my remote desktop deployment, Chrome gives me an untrusted error saying “ERR_CERT_COMMON_NAME_INVALID”

    When I look at the certificate info from Chrome, it says issued to *.domain.com, and I am accessing from rd.domain.com

    Any thoughts on why it is giving me a common name mismatch error when I can see it does match?

    Cheers
    Eds

    • Yes this is a common ‘bug’ in Chrome. Google the error.

      P

    • Add the SAN for DNS with the same wildcard info (eg. *.domain.com)

      • Hi,

        Thanks for the post.
        What exactly do you mean, Jeremy? Should I just add the *.domain.local to my DNS server? Since it has a lot of records and I’ve more than 1 web server, doesn’t it screw up all my A records?

  2. Great article, please add how to extend certificate to 5 years..

    • Set the certificate lifetime on the certificate template.

  3. Worked well up to the point of getting it signed. Doesn’t seem to like the asterisk in the subject name

    Microsoft Active Directory Certificate Services — ServerName Home

    Certificate Request Denied

    Your certificate request was denied.

    Your Request Id is 0. The disposition message is “Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439)”.

    Contact your administrator for further information.

    ————–

    Windows Server 2008R2 certificate services may be the issue but not sure. Have you ran across this?

    • I’ve not, check all the attributes on your cert request, in case you have entered something incorrect (i.e. more than two letters in the country code). Also, you see that error if the CN matches the CA name?

  4. Followed your steps. IE, Chrome and Edge all say “DLG_FLAGS_SEC_CERT_CN_INVALID”.

    Which is the exact same result I got earlier from simply requesting a “Common Name=*.domain.com” certificate of the “web server” template with the GUI MMC console.

    • Do you trust the RootCA and all the intermediate CAs (if there are any?)
