After days of trying in vain to get to grips with Microsoft CA issued certificates in Snom ONE and its predecessor pxbnsip I've managed to get this working happily as I'm likely to need this info again in about two years when my certificate expires and in the hope that this might help keep some other domain admins hair in place here is a step by step guide to using CA issued certificates with Snom ONE.
Hope that this helps.
Regards
Mike Hurley
On the certificate server
Open Certification Authority
Right Click Certificate Templates and Select Manage
In the Certificate Templates Console
Locate the Web Server Template, Right Click and Duplicate
Rename to "Web Server with Export Private Key"
Request Handling Tab Set:
Minimum Key Size to 1024
Check the "Allow Private Key to be exported"
Return to the Certification Authority Console
Right Click the Certificate Templates
Select "New" "Certificate Template to Issue"
Select "Web Server with Export Private Key"
Restart the Active Directory Certificate Services Service
On the Snom ONE server
Open web browser and navigate to https://CertificateServer/certsrv
Log in with Domain Administrator rights
Select "Request a certificate"
Select "Advanced certificate request"
Select "Create and submit a request to this CA"
From the Certificate Template dropdown select "Web Server with Export Private Key"
Name: fully qualified name of the Snom ONE server
Email: email address used by the Snom ONE server
Fill in Company, Department, City, State and Country/Region as per your Certificate requirements (note that Countries are ISO country codes eg GB for United Kingdom)
Ensure that "Mark keys as exportable" is selected
Submit your request
Select "Install this certificate"
Close your web browser
Run MMC
Add the Certificates snap-in to the console twice - once for "My user account" and once for "Computer
Account" selecting the local computer account
Expand the Certificates for the "Current User" and then the "Personal" Store
Also expand the Certificates for the "Local Computer"
You will find the certificate that you have just had issued in the Personal Store, drag and drop this to the "Local Computer" "Personal" node
From the Local Computer Personal Certificates node Right Click the certificate and select "All tasks" "Export" follow the wizard to export the certificate ensuring that you export the private key. Note: You can ONLY export as PKCS #12. Save the certificate to the root of the C drive (less typing later)
Close the MMC console
Download and install openssl for Windows (you only need the binaries installed) google for the latest version - sourceforge usually have a copy
Open a DOS prompt (with Administrator Rights)
Navigate to the installation location of openssl (C:\Program Files (x86)\GnuWin32\bin)
Export the Private Key from the pfx file:
openssl pkcs12 -in C:\Certificate.pfx -nocerts -out C:\Key.pem
Export the Certificate File from the pfx file:
openssl pkcs12 -in C:\Certificate.pfx -clcerts -nokeys -out C:\Cert.pem
Remove the Passphrase from the Private Key
openssl rsa -in C:\Key.pem -out C:\Server.key
In the Snom ONE System Administrator Console go to Settings Certificate Select either "Domain Certificate Chain and Private Key" or "Server Certificate Chain and Private Key" as applicable
Open C:\Cert.pem with Notepad and paste from "-----BEGIN CERTIFICATE
to "END CERTIFICATE-----" into the "Certficate Box
Then open C:\Server.key and paste the entire contents to the Private Key box
Click the Save button and the certificates should appear in the list of certificates and private keys at the top of the screen.
For security permanently delete (not recycle) the Certificate.pfx, Key.pem, Cert.pem and Server.key files from the root of the server. Also delete the "Web Server with Export Private Key" template from your CA server.
