Ssl – ‘Certificate types are not available’ When creating computer certificate

certificateencryptionSecuritysslwindows-server-2008

Environment

Windows Server 2008 sp1
Xeon CPU E5430 @ 2.66 GHz
16.0 GB Ram
64-bit Operating System
1TB Disk Space

Server Role: SQL Server
Other Information: Joint to domain, Logged in user domain administrator

Issue

Steps that cause issue:

Create a computer certificate using mmc snap-in 'certificates' by right clicking on 'Certificates' folder Under 'root\Personal' tree, and clicking All Tasks -> Request New Certificate. Certificate Enrollment window appears, you verify you are connected to your network and you are logged onto the domain. Then Click Next, which leads to a window stating the issue:

"Certificate types are not available"

"You cannot request a certificate this time because no certificate types are available. If you need a certificate contact your administrator."

Wanted Solution

Create a certificate on this server, to implement SSL connection to MSSQL servers.

Best Answer

You are following the right steps (http://support.microsoft.com/kb/316898/en-us), but the error likely means that you either have no enterprise certificate authority (CA) in the domain, or the CA is not accepting new certificate requests for some reason. It may also be that your installed CA is not allowing generation of "Computer" certificate types. This can be checked in the CA configuration.

The solution depends on whether you already have an enterprise CA set up and configured. If not then you need to create one (there is guidance on the Microsoft technet site, but it's not trivial) or else use another way of generating self-signed SSL certificates such as one of the free downloadable tools.

Related Solutions

How to generate a certificate request on Windows Server 2008 for SqlServer 2008 w/o IIS installed

Use OpenSSL. It's a command line based utility that'll generate your CSR for you. It's a 2 liner, literally! Creating your key, and then creating the CSR with that key.

1. Key Generation

openssl genrsa -des3 -out filename.key 2048

This command should create a file with name filename.key in the directory from which the > command is ran. The output will be similar to:

Generating RSA private key, 2048 bit long modulus

Enter pass phrase for filename.key: 
Verifying - Enter pass phrase for filename.key:

Choose and enter a passphrase for filename.key and remember it because it will be needed later. Successful outcome of this use case is the key file generation. File filename.key can be viewed by using Notepad on Windows or text editor on Unix/Linux.

2. CSR Generation

openssl req -new -key filename.key -out filename.csr

where filename.key is the file generated previously. This command should create a file filename.csr that contains Certificate Signing Request. The output will look similar to:

Enter pass phrase for filename.key:

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank.

This procedure should create file filename.csr that contains CSR in PKCS#10 format. This CSR needs to be delivered to the CA administrator.

Successful outcome of this use case is CSR file generation. File filename.csr can be viewed by using Notepad on Windows or text editor on Unix/Linux. The content of the file should be similar to:

-----BEGIN CERTIFICATE REQUEST-----

MIIB/TCCAWYCAQAwgYExCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENv
bHVtYmlhMRIwEAYDVQQHEwlWYW5jb3V2ZXIxETAPBgNVBAoTCFRlc3QgT3JnMRUw
...snip...

Windows – Wildcard certificate with SAN

When a subject alternative name is in place, the common name (edit: from the subject) is no longer used. Solution: Add the wildcard name to the list of subject alternative names.

Best Answer

Related Solutions

How to generate a certificate request on Windows Server 2008 for SqlServer 2008 w/o IIS installed

Windows – Wildcard certificate with SAN

Related Topic