Installing a Windows Domain CA produced certificate


mike@msdl.co.uk

After days of trying in vain to get to grips with Microsoft CA issued certificates in Snom ONE and its predecessor pbxnsip, I've managed to get this working happily. As I'm likely to need this info again in about two years when my certificate expires, and in the hope that this might help keep some other domain admins' hair in place, here is a step by step guide to using CA issued certificates with Snom ONE.

Hope that this helps.

Regards

Mike Hurley

On the certificate server

Open Certification Authority

Right Click Certificate Templates and Select Manage

In the Certificate Templates Console

Locate the Web Server Template, Right Click and Duplicate

Rename to "Web Server with Export Private Key"

Request Handling Tab Set:

Minimum Key Size to 1024

Check the "Allow Private Key to be exported"

Return to the Certification Authority Console

Right Click the Certificate Templates

Select "New" "Certificate Template to Issue"

Select "Web Server with Export Private Key"

Restart the Active Directory Certificate Services Service

On the Snom ONE server

Open web browser and navigate to https://CertificateServer/certsrv

Log in with Domain Administrator rights

Select "Request a certificate"

Select "Advanced certificate request"

Select "Create and submit a request to this CA"

From the Certificate Template dropdown select "Web Server with Export Private Key"

Name: fully qualified name of the Snom ONE server

Email: email address used by the Snom ONE server

Fill in Company, Department, City, State and Country/Region as per your Certificate requirements (note that Countries are ISO country codes eg GB for United Kingdom)

Ensure that "Mark keys as exportable" is selected

Submit your request

Select "Install this certificate"

Close your web browser

Run MMC

Add the Certificates snap-in to the console twice - once for "My user account" and once for "Computer Account", selecting the local computer account

Expand the Certificates for the "Current User" and then the "Personal" Store

Also expand the Certificates for the "Local Computer"

You will find the certificate that you have just had issued in the Personal Store, drag and drop this to the "Local Computer" "Personal" node

From the Local Computer Personal Certificates node Right Click the certificate and select "All tasks" "Export", then follow the wizard to export the certificate ensuring that you export the private key. Note: You can ONLY export as PKCS #12. Save the certificate to the root of the C drive (less typing later)

Close the MMC console

Download and install openssl for Windows (you only need the binaries installed), google for the latest version - sourceforge usually have a copy

Open a DOS prompt (with Administrator Rights)

Navigate to the installation location of openssl (C:\Program Files (x86)\GnuWin32\bin)

Export the Private Key from the pfx file:

openssl pkcs12 -in C:\Certificate.pfx -nocerts -out C:\Key.pem

Export the Certificate File from the pfx file:

openssl pkcs12 -in C:\Certificate.pfx -clcerts -nokeys -out C:\Cert.pem

Remove the Passphrase from the Private Key:

openssl rsa -in C:\Key.pem -out C:\Server.key

In the Snom ONE System Administrator Console go to Settings, Certificate. Select either "Domain Certificate Chain and Private Key" or "Server Certificate Chain and Private Key" as applicable

Open C:\Cert.pem with Notepad and paste from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" into the "Certificate" box

Then open C:\Server.key and paste the entire contents to the Private Key box

Click the Save button and the certificates should appear in the list of certificates and private keys at the top of the screen.

For security permanently delete (not recycle) the Certificate.pfx, Key.pem, Cert.pem and Server.key files from the root of the server. Also delete the "Web Server with Export Private Key" template from your CA server.
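The PKCS #12 extraction steps above, as an added shell example that is not part of the original post: it runs the same openssl extraction, writes the passphrase-less key with owner-only permissions, cuts out just the BEGIN/END CERTIFICATE block that gets pasted into Snom ONE, and checks that the extracted key really belongs to the certificate before anything is pasted. It assumes openssl is on PATH; the file names, output directory and password are assumptions, and the self-signed certificate it builds is constructed test data standing in for a CA-issued one.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH;
# file names, directory and password are assumptions.

# Extract the private key and leaf certificate from PFX $1 (password $2)
# into directory $3. Returns 0 only if the key matches the certificate.
extract_pfx() {
    pfx="$1"; pass="$2"; out="$3"
    mkdir -p "$out" || return 1
    umask 077   # key material is written owner-only (changes the shell's umask)
    # Private key only; -nodes writes it without a passphrase, which replaces
    # the separate "openssl rsa" step in the post.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        -out "$out/server.key" 2>/dev/null || return 1
    # Leaf certificate only: no CA chain, no key.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out/cert.pem" 2>/dev/null || return 1
    # Keep only the BEGIN/END CERTIFICATE block, which is what gets pasted in.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        "$out/cert.pem" > "$out/cert_block.pem"
    # Sanity check: the public key derived from the private key must be
    # identical to the public key carried inside the certificate.
    keypub=$(openssl pkey -in "$out/server.key" -pubout 2>/dev/null) || return 1
    certpub=$(openssl x509 -in "$out/cert_block.pem" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}

# Constructed test data: a throwaway self-signed certificate packed into a
# PFX so the function can be exercised without a domain CA.
make_test_pfx() {
    dir="$1"; pass="$2"
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/t.key" \
        -out "$dir/t.crt" -days 1 -subj "/CN=pbx.example.test" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/t.key" -in "$dir/t.crt" \
        -passout "pass:$pass" -out "$dir/t.pfx" 2>/dev/null
}
```

On OpenSSL 3 a .pfx exported by older Windows versions may need `-legacy` added to the `openssl pkcs12` commands, because the RC2-40 encryption those exports use is no longer in the default provider.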

 

 

 

 
