Now you may be thinking, “If you have your own CA/PKI solution why would you need to create a Wildcard Certificate”? If you can generate as many certificates as you want whats the point? Well today I need to setup ADFS, WAG (Web Application Gateway), and Remote Desktop Services Gateway Server. To make the whole thing wok on my test bench would be a lot less hassle if I could just use one certificate for everything!
Certificates > Personal > Right Click > All Tasks > Advanced Operations > Create Custom Request.
Proceed without enrolment policy > Next.
In nearly every case you can accept the default of ‘(No template) CNG Key’ However some applications (Particularly Active Directory Federation Services), need to user an older set of Cryptographic Service Providers (CSP’s). If that is the case change the option to ‘(No Template) Legacy Key’. > Next.
Details > Properties.
General Tab: Friendly Name > *.{your domain}.
Subject Tab: Ensure the Common Name (CN) is set to *.{your domain} > Enter the rest of your details as shown.
Extensions Tab: Add in Digital Signature and Key Encipherment.
Private Key: Key Size=4098 > Make private key exportable > Apply > OK.
Save the certificate request > Finish >Leave the Certificate console open, (you will need it later).
Locate the certificate request you just saved > Open it with Notepad > Select ALL the text and copy it to the clipboard.
Open the web enrolment portal of your certificate services server (https://server.domain.com/certsrv) > Request a certificate.
Advanced Certificate Request.
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Paste in the Text > Certificate Template = Web Server > Submit.
Base 64 encoded > Download certificate.
Save the certificate, and change its name from certnew > Save.
Back in the certificate console > Right Click ‘Persona’l > All Tasks > Import.
Next.
Navigate to the certificate you have just saved.
Next.
Finish.
Hopefully.
Now this may seem a little odd, but having just imported the certificate, to get it in PFX format you need to export it again. Right click the cert > All Tasks > Export.
Next
Yes, export the private key > Next.
Personal Information Exchange > Next.
Enter and re-type a password (You will need this to import the certificate so remember it) > Next.
Save it somewhere you can find it > Next.
Finish > OK.
Related Articles, References, Credits, or External Links
For the first time in about ten years I had to deal with EIGRP last week, so I thought I would run it up in a lab. Normally I would use GNS3 but for this procedure I’ll use Cisco Packet Tracer.</p<
In fact I’ll include the files so you can download and use the lab yourself, (if you have a copy of Packet Tracer). And I’ll also include the configs for all the routers.
In the lab I’ve got three sites connected via serial connections, and one of those sites has the Internet connection.
As you can see I’ve used VLSM to split up the 192.168.0.0/24 subnet to create the six networks I need, (three on the sites, and three for the links).
Solution
1. I will start at the beginning with Router R1 in site 1. As you can see I’m going to give the FastEthernet 0/0 interface to the inside network (192.168.0.1/28). I will use Serial 3/0 to connect to Site 2 (192.168.64.2/30), and Serial 2/0 to connect to Site 1 (192.168.68.1/30). I will mirror these three settings around the network (going clockwise) and I will configure all the Serial 2/0 interfaces to set the clock speed for the serial links.
number of 1, then I am adding all the networks that I want this router to advertise (don’t forget to add the subnet that connects each router to its neighbour). When enabled EIGRP will send routing updates onto each of these networks. As you can see from the diagram, this would mean that the router would send routing information onto the LAN. While this wont cause any problems, it does generate traffic that does not need to be on the LAN, so I’ve disabled that by using a passive-interface* command.
*Note: If you have a lot of interfaces you want to be passive, you can ‘swap the logic’ by using passive-interface default and then setting all the interfaces you want to advertise networks out of, as no passive-interface.
I’ve also disabled auto-summary of networks, I’ve seen other pages and blogs that incorrectly say this makes the EIGRP routing protocol classless. EIGRP is classless out of the box! At a basic level network-summary is the process of advertising one route for many networks. This works best for contiguous networks (i.e. 192.168.1.x, 192.168.2.x, etc). But if you let EIGRP auto-summarise for you, then this happens,
Above you can see it has added three more routes to networks that (at the moment) don’t exist, which is fine, but then you can NOT use those subnets in the future. If you did and this router saw that traffic it would send it to Null0 (i.e. drop the traffic). With auto-summary disabled, the routers routing table is a lot cleaner (see below).
The last thing you will notice is that the subnet masks are a little strange, you need to use wildcard masks, these are easy to work out, just subtract each octet of the subnet mask from 255 like so;
[box]
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router eigrp 1
R1(config-router)#passive-interface FastEthernet0/0
R1(config-router)#network 192.168.0.0 0.0.0.15
R1(config-router)#network 192.168.64.0 0.0.0.3
R1(config-router)#network 192.168.68.0 0.0.0.3
R1(config-router)#no auto-summary
R1(config-router)#end
R1#
[/box]
5. Repeat the process for routers R2 an R3.
[box]
Router 2
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp 1
R2(config-router)#passive-interface FastEthernet0/0
R2(config-router)#network 192.168.16.0 0.0.0.15
R2(config-router)#network 192.168.64.0 0.0.0.3
R2(config-router)#network 192.168.72.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#end
R2#
Router 3
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router eigrp 1
R3(config-router)#passive-interface FastEthernet0/0
R3(config-router)#network 192.168.32.0 0.0.0.15
R3(config-router)#network 192.168.72.0 0.0.0.3
R3(config-router)#network 192.168.68.0 0.0.0.3
R3(config-router)#no auto-summary
R3(config-router)#end
R3#
[/box]
6. EIGRP Adding a Route to the Internet
To add in the networks ‘route out’, I need to bring up and configure another interface on router R3 (FastEthernet4/0). Then I will configure that as the default route (GOLR) for that router, and add that new network into the advertised routes.
To get all the other routers to use the static route I’ve just configured on this router, I use the redistribute static command (while in config-router mode).
[box]
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface FastEthernet4/0
R3(config-if)#ip address 123.123.123.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#ip route 0.0.0.0 0.0.0.0 123.123.123.2
R3(config)#router eigrp 1
R3(config-router)#network 123.123.123.120 0.0.0.3
R3(config-router)#redistribute static
R3(config-router)#end
R3#
[/box]
7. Then I will add the ISP (Internet Router). I will also add this to the EIGRPAS group (though I could just use static routing.)
Note: In the lab I don’t have a link to the Internet so I’ll simply use the Loopback interface on the Internet router and give that the 4.2.2.2 IP address.
As a final ‘belt and braces’ approach, I will add a summary route back to the LAN. If you are unsure how to calculate a summary route, simply write your subnets out in binary, and the mask will be the the length from the first to the last bit, that all the subnets have in common, like so;
Summarisation for these networks will be 192.168.0.0/17 (255.255.128.0)