I am trying to submit a request for an SSL certificate on a Domain Controller in order to enable LDAP SSL, and having no end of problems.
I am following the information provided at http://support.microsoft.com/default.aspx?scid=kb;en-us;321051 and http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl
Steps taken so far:
- Create Servername.inf with the following information:
; ----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=servername.domain.loc" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
; ------------------------------------------------
- Create the certificate request by running: certreq -new Servername.inf Servername.req
- Attempt to submit the certificate request to the CA by running: certreq -submit -attrib "CertificateTemplate: DomainController" request.req
- At which point I get the following error:
The DNS name is unavailable and cannot be added to the Subject Alternate Name.
0x8009480f (-2146875377)
Troubleshooting steps I have taken so far:
1. Modified the Domain Controller template to supply the subject name in the request, restarted Certificate Services, included the SAN in the request; same error.
2. Re-installed Certificate Services / IIS and restarted the machine countless times.
Any help resolving the issue would be greatly appreciated.
Best Answer
Check in the Active Directory for servername.domain.loc's entry. Look at its properties, check its DNS name attribute. If it is empty, add the DNS name.
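Added example, not part of the question or the answer above: a PowerShell script that checks the attribute the answer points at (the CA populates the SAN of a DomainController-template certificate from the computer object's dNSHostName), lists which machine-store certificates Schannel could use for LDAPS, and then performs an LDAPS bind on port 636 with certificate validation left on. It assumes the RSAT ActiveDirectory module is installed and uses the question's placeholder FQDN servername.domain.loc; the script and its parameter names are my own.

```powershell
# Added example (not from the question or the answer). Assumes the RSAT
# ActiveDirectory module; $DcFqdn defaults to the placeholder FQDN from the question.
param(
    [string]$DcFqdn = 'servername.domain.loc'
)

Import-Module ActiveDirectory

# 1. The CA fills the certificate's SAN from the computer object's dNSHostName,
#    so an empty value is one cause of the 0x8009480f error in the question.
$shortName = $DcFqdn.Split('.')[0]
$dc = Get-ADComputer -Identity $shortName -Properties dNSHostName
if ([string]::IsNullOrEmpty($dc.dNSHostName)) {
    Write-Warning "dNSHostName is empty on $($dc.DistinguishedName); set it before re-submitting the request."
    # Uncomment to set it (needs write rights on the computer object):
    # Set-ADComputer -Identity $shortName -DNSHostName $DcFqdn
} else {
    Write-Host "dNSHostName = $($dc.dNSHostName)"
}

# 2. Candidate certificates for LDAPS: machine store, private key present,
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1), name matching the DC's FQDN.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ Name = 'DnsNames'; Expression = { $_.DnsNameList.Unicode -join ',' } }

# 3. LDAPS bind on 636. No certificate-validation callback is installed, so an
#    untrusted, expired or name-mismatched certificate fails here instead of
#    being discovered later by clients.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcFqdn, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $conn.Bind()
    Write-Host "LDAPS bind to ${DcFqdn}:636 succeeded"
} catch {
    Write-Error "LDAPS bind failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

Run it on the domain controller after the certificate has been issued and installed into the machine store; if step 1 reports an empty dNSHostName, fix that first and re-run certreq -submit, and if step 3 fails with a trust or name error, step 2 shows which certificate Schannel is likely to have selected.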