
Installing a Windows Domain CA produced certificate



After days of trying in vain to get to grips with Microsoft CA issued certificates in Snom ONE and its predecessor pbxnsip, I've managed to get this working happily. As I'm likely to need this info again in about two years when my certificate expires, and in the hope that this might help keep some other domain admins' hair in place, here is a step by step guide to using CA issued certificates with Snom ONE.


Hope that this helps.


Mike Hurley



On the certificate server


Open Certification Authority


Right Click Certificate Templates and Select Manage


In the Certificate Templates Console


Locate the Web Server Template, Right Click and Duplicate


Rename to "Web Server with Export Private Key"


On the Request Handling tab:

Set Minimum Key Size to 2048 (the original guide used 1024; 1024-bit RSA is no longer considered adequate and current browsers and CAs reject it, so use 2048 or larger)

Check "Allow private key to be exported" (Snom ONE needs the key in PEM form, which Windows will only give you if the template marks the key exportable)


Return to the Certification Authority Console


Right Click the Certificate Templates

Select "New" "Certificate Template to Issue"

Select "Web Server with Export Private Key"


Restart the Active Directory Certificate Services Service


On the Snom ONE server


Open web browser and navigate to https://CertificateServer/certsrv

Log in with Domain Administrator rights (any account that has Enroll permission on the new template will do; permission is set on the template's Security tab)


Select "Request a certificate"

Select "Advanced certificate request"

Select "Create and submit a request to this CA"


From the Certificate Template dropdown select "Web Server with Export Private Key"


Name: fully qualified name of the Snom ONE server

Email: email address used by the Snom ONE server


Fill in Company, Department, City, State and Country/Region as per your certificate requirements (note that Country/Region is the two-letter ISO 3166 country code, e.g. GB for United Kingdom)


Ensure that "Mark keys as exportable" is selected


Submit your request


Select "Install this certificate"


Close your web browser




Open a new MMC console (mmc.exe, run as Administrator) and add the Certificates snap-in twice: once for "My user account" and once for "Computer account", selecting the local computer account


Expand the Certificates for the "Current User" and then the "Personal" Store

Also expand the Certificates for the "Local Computer"


You will find the certificate that you have just had issued in the Personal Store, drag and drop this to the "Local Computer" "Personal" node


From the Local Computer Personal Certificates node right click the certificate and select "All Tasks" "Export", then follow the wizard, ensuring that you choose to export the private key. Note: once the private key is included, PKCS #12 (.pfx) is the ONLY format offered. Give the file a strong password, as it contains your private key. Save it to the root of the C drive (less typing later)


Close the MMC console


Download and install OpenSSL for Windows (you only need the binaries installed). Search for the latest version; SourceForge usually has a copy. Only use a build from a source you trust, since it will be handling your private key


Open a Command Prompt (with Administrator rights)


Navigate to the installation location of openssl (C:\Program Files (x86)\GnuWin32\bin for the GnuWin32 build, or wherever you installed it)


Export the Private Key from the pfx file (you will be asked for the pfx import password and then for a pass phrase to protect the exported key):

openssl pkcs12 -in C:\Certificate.pfx -nocerts -out C:\Key.pem


Export the Certificate File from the pfx file:

openssl pkcs12 -in C:\Certificate.pfx -clcerts -nokeys -out C:\Cert.pem

Note: if a current OpenSSL 3.x build rejects the pfx with an "unsupported" algorithm error, the file was written with the older RC2/3DES ciphers that Windows uses by default; add -legacy to both pkcs12 commands.


Remove the pass phrase from the Private Key (Snom ONE cannot use an encrypted key, so from this point C:\Server.key holds your private key in the clear; treat it accordingly):

openssl rsa -in C:\Key.pem -out C:\Server.key



In the Snom ONE System Administrator Console go to Settings > Certificate and select either "Domain Certificate Chain and Private Key" or "Server Certificate Chain and Private Key" as applicable


Open C:\Cert.pem with Notepad and paste everything from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" (both lines included) into the "Certificate" box. Leave out the "Bag Attributes", "subject=" and "issuer=" lines that openssl writes above the certificate


Then open C:\Server.key and paste the entire contents to the Private Key box


Click the Save button and the certificate and private key should appear in the list of certificates and private keys at the top of the screen.


For security, permanently delete (not recycle) the Certificate.pfx, Key.pem, Cert.pem and Server.key files from the root of the server; Server.key in particular is your private key with no pass phrase. Also remove the "Web Server with Export Private Key" template from the CA's list of templates to issue (or delete it outright), so that nobody else can request exportable keys from it.
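As an added example that is not part of the original post and not Snom ONE's own tooling, the following PowerShell script does the MMC export, the three openssl conversions and the clean-up above in one go, and adds the check a practitioner wants before pasting anything: that the private key actually belongs to the certificate. It assumes Windows 8 / Server 2012 or later (for Export-PfxCertificate), an openssl.exe you trust on the PATH, and that the certificate was already requested through /certsrv with an exportable key. The -Fqdn value, the C:\snomone-cert working directory and the -Legacy switch are placeholders chosen for this example.

```powershell
# Added example (not from the original post): export, convert, verify and clean up.
# Assumptions: Windows 8 / Server 2012+ (Export-PfxCertificate), openssl.exe on the
# PATH or given via -OpenSsl, certificate already issued with an exportable key.
param(
    [Parameter(Mandatory)][string]$Fqdn,          # CN used in the request, e.g. pbx.example.local
    [string]$OpenSsl = 'openssl.exe',
    [string]$WorkDir = 'C:\snomone-cert',         # placeholder working directory
    [switch]$Legacy                               # add -legacy if OpenSSL 3.x rejects the PFX ciphers
)
$ErrorActionPreference = 'Stop'

# 1. Find the issued certificate. Web enrollment installs it in the user store;
#    the guide then drags it to the machine store, so look in both.
$candidates = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem $store | Where-Object {
        $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)"
    }
}
$c = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $c) { throw "No certificate with a private key for CN=$Fqdn in the My stores" }
Write-Host "Using $($c.Subject), thumbprint $($c.Thumbprint), expires $($c.NotAfter)"

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$pfx      = Join-Path $WorkDir 'Certificate.pfx'
$encKey   = Join-Path $WorkDir 'Key.pem'
$certPem  = Join-Path $WorkDir 'Cert.pem'
$plainKey = Join-Path $WorkDir 'Server.key'
$pw = Read-Host -Prompt 'Temporary PFX password'

try {
    # 2. Export as PKCS#12, the only format Windows offers once the key is included.
    $secure = ConvertTo-SecureString $pw -AsPlainText -Force
    Export-PfxCertificate -Cert $c -FilePath $pfx -Password $secure | Out-Null

    # 3. The three openssl steps from the guide. The password is handed over through
    #    an environment variable so it never shows up in a process command line.
    $env:PFXPASS = $pw
    $p12 = @('pkcs12', '-in', $pfx, '-passin', 'env:PFXPASS', '-passout', 'env:PFXPASS')
    if ($Legacy) { $p12 += '-legacy' }
    & $OpenSsl @p12 -nocerts -out $encKey
    if ($LASTEXITCODE) { throw "openssl pkcs12 (key) failed with exit code $LASTEXITCODE" }
    & $OpenSsl @p12 -clcerts -nokeys -out $certPem
    if ($LASTEXITCODE) { throw "openssl pkcs12 (cert) failed with exit code $LASTEXITCODE" }
    & $OpenSsl rsa -in $encKey -passin 'env:PFXPASS' -out $plainKey
    if ($LASTEXITCODE) { throw "openssl rsa failed with exit code $LASTEXITCODE" }

    # 4. Check that the key really belongs to the certificate before pasting anything.
    $certMod = & $OpenSsl x509 -noout -modulus -in $certPem
    $keyMod  = & $OpenSsl rsa  -noout -modulus -in $plainKey
    if ($certMod -ne $keyMod) { throw 'Private key does not match the certificate' }

    # 5. Keep only the PEM blocks; openssl writes "Bag Attributes", subject= and
    #    issuer= lines above the certificate that Snom ONE does not want.
    $certBlock = [regex]::Match((Get-Content $certPem -Raw),
        '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----').Value
    $keyBlock = [regex]::Match((Get-Content $plainKey -Raw),
        '-----BEGIN (?:RSA )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA )?PRIVATE KEY-----').Value
    [pscustomobject]@{ Certificate = $certBlock; PrivateKey = $keyBlock; Expires = $c.NotAfter }
}
finally {
    # 6. Clean-up as in the guide: overwrite, then delete (Remove-Item bypasses the
    #    recycle bin). Overwriting is best effort only on SSDs and journaled volumes.
    Remove-Item Env:\PFXPASS -ErrorAction SilentlyContinue
    foreach ($f in $pfx, $encKey, $certPem, $plainKey) {
        if (Test-Path $f) {
            $len = (Get-Item $f).Length
            [IO.File]::WriteAllBytes($f, (New-Object byte[] $len))
            Remove-Item $f -Force
        }
    }
}
```

Run it from an elevated PowerShell as `$r = .\Export-SnomOneCert.ps1 -Fqdn pbx.example.local`, then `$r.Certificate | Set-Clipboard` and paste into the Certificate box, and the same for `$r.PrivateKey` into the Private Key box. The PEM text now lives only in that variable and the clipboard, so clear both (`Remove-Variable r; Set-Clipboard -Value ''`) once Snom ONE has saved it. The modulus comparison in step 4 is what catches the classic mistake of pairing a freshly exported certificate with an old key file left over from a previous attempt.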




