email@example.com
Posted November 10, 2010

After days of trying in vain to get to grips with Microsoft CA issued certificates in Snom ONE and its predecessor pbxnsip, I've managed to get this working happily. As I'm likely to need this info again in about two years when my certificate expires, and in the hope that this might help keep some other domain admin's hair in place, here is a step by step guide to using CA issued certificates with Snom ONE.

Hope that this helps.

Regards
Mike Hurley

On the certificate server

1. Open Certification Authority.
2. Right Click Certificate Templates and select Manage.
3. In the Certificate Templates Console locate the Web Server template, Right Click and Duplicate.
4. Rename to "Web Server with Export Private Key".
5. On the Request Handling tab set:
   Minimum Key Size to 1024
   Check "Allow Private Key to be exported"
6. Return to the Certification Authority Console.
7. Right Click Certificate Templates, select "New", then "Certificate Template to Issue".
8. Select "Web Server with Export Private Key".
9. Restart the Active Directory Certificate Services service.

On the Snom ONE server

1. Open a web browser and navigate to https://CertificateServer/certsrv
2. Log in with Domain Administrator rights.
3. Select "Request a certificate".
4. Select "Advanced certificate request".
5. Select "Create and submit a request to this CA".
6. From the Certificate Template dropdown select "Web Server with Export Private Key".
7. Name: fully qualified name of the Snom ONE server.
8. Email: email address used by the Snom ONE server.
9. Fill in Company, Department, City, State and Country/Region as per your certificate requirements (note that countries are ISO country codes, e.g. GB for United Kingdom).
10. Ensure that "Mark keys as exportable" is selected.
11. Submit your request.
12. Select "Install this certificate".
13. Close your web browser.
14. Run MMC.
15. Add the Certificates snap-in to the console twice: once for "My user account" and once for "Computer Account", selecting the local computer account.
16. Expand the Certificates for the "Current User" and then the "Personal" store. Also expand the Certificates for the "Local Computer".
17. You will find the certificate that you have just had issued in the Personal store; drag and drop this to the "Local Computer" "Personal" node.
18. From the Local Computer Personal Certificates node, Right Click the certificate and select "All tasks", "Export". Follow the wizard to export the certificate, ensuring that you export the private key. Note: You can ONLY export as PKCS #12.
19. Save the certificate to the root of the C drive (less typing later).
20. Close the MMC console.
21. Download and install openssl for Windows (you only need the binaries installed). Google for the latest version; SourceForge usually have a copy.
22. Open a DOS prompt (with Administrator rights).
23. Navigate to the installation location of openssl (C:\Program Files (x86)\GnuWin32\bin).
24. Export the Private Key from the pfx file:

    openssl pkcs12 -in C:\Certificate.pfx -nocerts -out C:\Key.pem

25. Export the Certificate File from the pfx file:

    openssl pkcs12 -in C:\Certificate.pfx -clcerts -nokeys -out C:\Cert.pem

26. Remove the Passphrase from the Private Key:

    openssl rsa -in C:\Key.pem -out C:\Server.key

27. In the Snom ONE System Administrator Console go to Settings, Certificate.
28. Select either "Domain Certificate Chain and Private Key" or "Server Certificate Chain and Private Key" as applicable.
29. Open C:\Cert.pem with Notepad and paste from "-----BEGIN CERTIFICATE" to "END CERTIFICATE-----" into the "Certificate" box.
30. Then open C:\Server.key and paste the entire contents into the "Private Key" box.
31. Click the Save button and the certificates should appear in the list of certificates and private keys at the top of the screen.

For security, permanently delete (not recycle) the Certificate.pfx, Key.pem, Cert.pem and Server.key files from the root of the server. Also delete the "Web Server with Export Private Key" template from your CA server.
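A check worth running before pasting anything into the Snom ONE console, as an added example that is not part of the original post: it repeats the three openssl steps without prompts on a throwaway certificate, then confirms that Server.key carries no passphrase and belongs to Cert.pem. The function names, host name and password are assumptions of this example, and it is written for a POSIX shell rather than the DOS prompt.

```shell
#!/bin/sh
# Added example. File names follow the post; the throwaway certificate,
# host name and password are constructed for this demo.
set -eu
umask 077                      # files holding key material: owner-only
PASS="constructed-demo-pass"

make_demo_pfx() {              # $1=dir: self-signed cert + key -> Certificate.pfx
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pbx.example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -out "$1/Certificate.pfx" -passout "pass:$PASS"
}

split_pfx() {                  # $1=dir: the post's three steps, without prompts
    openssl pkcs12 -in "$1/Certificate.pfx" -nocerts -out "$1/Key.pem" \
        -passin "pass:$PASS" -passout "pass:$PASS" 2>/dev/null
    openssl pkcs12 -in "$1/Certificate.pfx" -clcerts -nokeys -out "$1/Cert.pem" \
        -passin "pass:$PASS" 2>/dev/null
    openssl rsa -in "$1/Key.pem" -out "$1/Server.key" -passin "pass:$PASS" 2>/dev/null
}

key_is_unencrypted() {         # true when the PEM key carries no passphrase
    ! grep -q ENCRYPTED "$1"
}

key_matches_cert() {           # $1=key $2=cert: same public key in both?
    k=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_block() {                 # only BEGIN..END, dropping any "Bag Attributes" header
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

key_bits() {                   # key size recorded in the certificate
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

run_demo() {
    d=$(mktemp -d)
    make_demo_pfx "$d"
    split_pfx "$d"
    key_is_unencrypted "$d/Server.key" && echo "Server.key: no passphrase"
    key_matches_cert "$d/Server.key" "$d/Cert.pem" && echo "key matches certificate"
    echo "key size: $(key_bits "$d/Cert.pem") bits"
    rm -rf "$d"                # remove all key material when done
}
run_demo
```

With a real export, skip `make_demo_pfx` and point the check functions at your own Cert.pem and Server.key.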