[Today’s post is brought to you by Carol Bailey]
I’m going to share some information about an option on the Certificate Services advanced Web enrollment page, because I couldn’t find it documented anywhere and it took me a long time to work it out. However, even though I’m explaining how to use this option, I strongly recommend you never do unless your PKI admins insist. Why? Because it explains how to request a certificate using an existing key. It’s the same option that you see in the Certificates MMC when you right-click a certificate and see Request Certificate with Same Key.
Disclaimer: The procedures in this post are external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation. However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product.
It’s always more secure to create a new key set rather than request a certificate with the same key. I’m told that some applications might be configured to use a specific key, especially if you’re using a hardware-based CSP – but this will not be case for the majority of customers. However, if you do want to use an existing key for a new site server signing certificate, you’re out of luck if you’re expecting to do this with the Certificates MMC that ships with Windows Server 2003. That’s because this version of the Certificates MMC cannot support the Supply in the request option that’s needed for the custom string in the certificate Subject. So once again, Web enrollment comes to the rescue with the option Use existing key set. Select this and a new field appears as shown in the picture: Container Name.
I hadn’t come across this field before, because I had never created a certificate with an existing key. The customer had no idea what to put here and I couldn’t find any information about this field on the Internet or in my PKI books. The Web page is clever enough to tell you when you enter an invalid value, but gives you no clue how to find the value that you need to specify for the key container – as you will see from the error message below when I tried supplying some educated guesses:
When you select Request Certificate with Same Key from the Certificates MMC, you don’t have to supply this information – it’s retrieved for you automatically. But with Web enrollment, you have to find this information yourself and then specify it. To do this, follow these steps:
1. Using the Certificates MMC, locate the site server signing certificate (or another certificate that’s using the key you want to reuse), double-click it, click the Details tab, and then make a note of the serial number of the certificate.
2. On the computer that’s installed this certificate, run the following command and send the output to a text file: certutil -store -v My <serial_number>
3. Open the text file and look for the long number after Key Container= and then copy this to the clipboard.
4. In the Web enrollment page, paste the long number into the Container Name field.
1. My site server signing certificate serial number is 11 54 a7 1d 00 00 00 00 00 07.
2. From a command prompt, I type in the following: certutil -store -v My 1154a71d000000000007 >output.txt
3. I open output.txt with Notepad and search for Container Name – in my case I find b759e34928886fea1ec1bc7beacc5e80_016106cf-c351-4ab3-a3f1-7e56916dae0b – as shown in the picture below.
4. I copy this string of numbers and paste them into the Container Name field in the Web enrollment page.
When the certificate request has gone through and the new certificate is installed, how do you check that it is actually using the same key? Modify the previous procedure as follows:
1. Find the new serial number using the Certificates MMC again. If you supplied the same certificate details and are not sure which is the new certificate, use the Valid from and Valid to fields in the Details tab to identify the latest timestamps.
2. Run the same certutil command but with the new serial number, sending the output to a new file.
3. Open both text files and search for Container Name – they should have the same long number, showing that they’re using the same key set.
Note that selecting the option to use an existing key set using the Web enrollment page does not renew an existing certificate – it creates a new certificate with an existing key. So how do you renew an existing certificate for the site server signing certificate when it’s on Windows Server 2003 and you can’t use Web enrollment? That’s the subject of my next blog post: How to Renew the Site Server Signing Certificate (Microsoft Certificate Services).
This posting is provided “AS IS” with no warranties, and confers no rights.