SSTP as you know requires a machine certificate to be installed on the VPN server.
Most of the times, when the administrators need this machine certificate, they can configure a CA Server and get the certificates from this CA. But for this to work, the CDPs (CRL Distribution Point) need to be published on some server located on the Internet so that the client machines can access it for doing the Certificate Revocation Check during the SSL phase.
If you don't plan to deploy your own CA as well as CDP servers, you can obtain a machine certificate from a third party Certificate Authority.
These third party Certificate Authorities need a Certificate Request file to generate the Certificate requested.This blog is going to tell about how to generate this Certificate Request file on the Windows Server 2008 machine.
Here are the steps to generate the Certificate Request File.
- Go to any Windows Server 2008.
- Open MMC.
- Add the Certificate Snap-in for the “Computer Account”.
- Now, do a right click on the “Peronal” and select “All tasks”->”Advanced Operations”->”Create custom request” as shown below:-
- You will see the following GUI :-
Press “next” on this GUI. You will get the following GUI:-
Press Next on this window. Now, you will get the following GUI which will be used to configure the various properties of the Certificate:-
Click on the “Details” tab which will show the “Properties” tab. Click on this “Properties” tab to set the properties of this Certificate. This will pop up the following new GUI:-
Enter the Certificate’s Friendly name and description of your choice. Sample name and description are entered above.
Press on the “Subject” tab present at the top of this window.. You will see the following GUI:-
On this window, you will need to specify the Subject name of the certificate. Select “Type” as “Common Name” in the Subject Name and then enter the name of the Certificate in the “Value” field. In the above sample, I have entered the IP address of the SSTP Server. You can specify any name also here. Now Press “Add” button.
Now click on the “Extensions” tab present at the top of this window.. You will see the following window:-
In this window, click in front of the “Extended Key Usage (application policies)”. You will have to select the EKU (Extended Key Usage) of the Certificate. This will be “Server Authentication” for SSTP. Select “Server Authentication” and then Press “Add” button.
Now Click on the “Private Key” present at the top of this window. You will see the following window:-
Here, click in front of “Key Options” and then Check the “Make private key exportable”. Press “Apply” button and then Press the “OK” button.
Now press “Next”. You will be shown the following window where you will have to specify the path of the Certificate Request file :-
After specifying the name and path of the certificate request file, press “Finish” button.
A Certificate Request File will be generated in the location you have specified above.
- If you open it with Notepad, it will somewhat look like as follows:-
-----BEGIN NEW CERTIFICATE REQUEST----- MIIChjCCAe8CAQAwFzEVMBMGA1UEAwwMMTAuMTMxLjEwLjEyMIGfMA0GCSqGSIb3 DQEBAQUAA4GNADCBiQKBgQC3unAcoIxAx+y5xWB7NXhZlJlvfWes30w9FFmnlpXp RR56FyQLmtc1H4KtEY/UJNQ/ud/Bi0VL039WaRnISC18gjAlDhFTNX0H14x55PGy FrX4/0UPdp2opSeI9En8FiPIBYHGP9exjXuLoanWowhluu/pXtdL/vZZzAOxliEG wQIDAQABoIIBLTAaBgorBgEEAYI3DQIDMQwWCjYuMC42MDAxLjIwRQYJKwYBBAGC NxUUMTgwNgIBBQwMc3JhLXN0cmVzcy00DBpTUkEtU1RSRVNTLTRcQWRtaW5pc3Ry YXRvcgwHTU1DLkVYRTBgBgkqhkiG9w0BCQ4xUzBRMBMGA1UdJQQMMAoGCCsGAQUF BwMBMBsGCSsGAQQBgjcVCgQOMAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFPvbYdsW c5+59cqXEi9cmQDsnaqPMGYGCisGAQQBgjcNAgIxWDBWAgEAHk4ATQBpAGMAcgBv AHMAbwBmAHQAIABTAG8AZgB0AHcAYQByAGUAIABLAGUAeQAgAFMAdABvAHIAYQBn AGUAIABQAHIAbwB2AGkAZABlAHIDAQAwDQYJKoZIhvcNAQEFBQADgYEAMVbeX7Nm UqRusxQmvKX0OFsfHCRYqGGI73REiKkVskh+Cl1yjgIK0zx14Fzm3Y5PDz8iaKrS No/jTCPUG4voyjYPFB4YaP2ARBI+InO/a62U9oNYazxzSHmellW9C8PHOs7EtzIu kFMwB+DxcJ1hGdcCzZMw/fYK2qS6nxmYZHU= -----END NEW CERTIFICATE REQUEST-----
You will have to make use of this certificate request content to generate the certificate on the Public Certificate Authority.
Amit Kumar Software Design Engineer/Test (firstname.lastname@example.org**), RRAS, Windows Enterprise Networking, Microsoft.
** Remove the "online" to actually email me
[This posting is provided "AS IS" with no warranties, and confers no rights.]
Excellent post! I didn't know about this very cool advanced feature in the Certificates MMC.