Getting Certificate from third party Certificate Authorities for SSTP

SSTP, as you know, requires a machine certificate to be installed on the VPN server.

Most of the time, when administrators need this machine certificate, they can configure a CA server and obtain the certificate from that CA. But for this to work, the CDPs (CRL Distribution Points) need to be published on a server reachable from the Internet, so that client machines can access it to perform the certificate revocation check during the SSL phase.

If you don't plan to deploy your own CA and CDP servers, you can obtain a machine certificate from a third party Certificate Authority instead.

These third party Certificate Authorities need a Certificate Request file in order to generate the requested certificate. This blog post explains how to generate this Certificate Request file on a Windows Server 2008 machine.

Here are the steps to generate the Certificate Request File.

- Go to any Windows Server 2008.

- Open MMC.

- Add the Certificate Snap-in for the “Computer Account”.

- Now, right-click on “Personal” and select “All Tasks”->“Advanced Operations”->“Create Custom Request” as shown below:-

[Screenshot: CertReq1]

- You will see the following GUI :-

[Screenshot: CertReq2]

Press “Next” on this GUI. You will get the following GUI:-

[Screenshot: CertReq3]

Press “Next” on this window. You will now get the following GUI, which is used to configure the various properties of the certificate:-

[Screenshot: CertReq4]

Click on “Details”, which will reveal “Properties”. Click on “Properties” to set the properties of this certificate. This will pop up the following new GUI:-

[Screenshot: CertReq5]

Enter a friendly name and description of your choice for the certificate. A sample name and description are entered above.

Click on the “Subject” tab at the top of this window. You will see the following GUI:-

[Screenshot: CertReq6]

On this window, you need to specify the Subject name of the certificate. Under Subject Name, select “Common Name” as the “Type” and then enter the name for the certificate in the “Value” field. In the sample above, I have entered the IP address of the SSTP server. You can also specify any other name here. Now press the “Add” button.

Now click on the “Extensions” tab at the top of this window. You will see the following window:-

[Screenshot: CertReq7]

In this window, expand “Extended Key Usage (application policies)”. Here you select the EKU (Extended Key Usage) of the certificate, which must be “Server Authentication” for SSTP. Select “Server Authentication” and then press the “Add” button.

Now click on the “Private Key” tab at the top of this window. You will see the following window:-

[Screenshot: CertReq8]

Here, expand “Key Options” and then check “Make private key exportable”. Press the “Apply” button and then the “OK” button.

Now press “Next”. You will be shown the following window, where you specify the path of the Certificate Request file:-

[Screenshot: CertReq9]

After specifying the name and path of the certificate request file, press the “Finish” button.

A Certificate Request file will be generated in the location you specified above.

- If you open it in Notepad, it will look something like the following:-

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----


You then submit the content of this certificate request file to the public Certificate Authority, which uses it to issue the certificate.
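The same request can be produced from the command line with certreq.exe instead of the MMC wizard. This is an added example, not part of the original post: it writes a certreq INF file with the settings chosen above (Common Name subject, Server Authentication EKU, exportable private key in the machine store) and generates the PKCS#10 request. The server name vpn.example.com and the file paths are placeholders.

```powershell
# Added example: generate an SSTP server certificate request with certreq.exe.
# Assumptions: run in an elevated PowerShell on the Windows Server 2008 SSTP server;
# vpn.example.com is a placeholder for the name clients will use to reach the server.

$ServerName = "vpn.example.com"
$InfPath    = "$env:TEMP\sstp.inf"
$ReqPath    = "$env:TEMP\sstp.req"

# certreq INF equivalent of the wizard settings:
#  - Subject: Common Name of the SSTP server
#  - MachineKeySet: key goes into the Computer Account store
#  - Exportable: same as "Make private key exportable" in the Private Key tab
#  - EnhancedKeyUsageExtension OID 1.3.6.1.5.5.7.3.1 = Server Authentication
$Inf = @"
[NewRequest]
Subject        = "CN=$ServerName"
FriendlyName   = "SSTP Server Certificate"
KeyLength      = 2048
KeySpec        = 1
KeyUsage       = 0xA0
Exportable     = TRUE
MachineKeySet  = TRUE
ProviderName   = "Microsoft RSA SChannel Cryptographic Provider"
RequestType    = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@

Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Create the private key in the machine store and write the Base64 PKCS#10 request
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Show the request text that is pasted into the public CA's submission form
Get-Content -Path $ReqPath
```

Once the CA returns the issued certificate, `certreq -accept <issued-cert-file>` installs it into the machine store and binds it to the private key created here.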

Thanks,

Amit Kumar
Software Design Engineer/Test (amkuma@online.microsoft.com**),
RRAS, Windows Enterprise Networking, Microsoft.

** Remove the "online" to actually email me

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments

  • Anonymous
    January 08, 2008
    Excellent post! I didn't know about this very cool advanced feature in the Certificates MMC. Thanks! Tom