Sunday, June 1, 2014

How to install a certificate on a Windows Server 2008 R2 SP1 machine from a Windows Server 2003 R2 SP1 standalone CA whose certificate enrollment Web pages are not patched

Windows Server 2008 R2 cannot download and install the Root CA certificate, nor request a client certificate, through the certificate enrollment Web pages of a Windows Server 2003 R2 SP1 standalone CA that has not been patched (KB922706, http://support.microsoft.com/kb/922706/en-us).

We will need a Windows XP (or Windows Server 2003) machine to complete the task.

Download the Root CA certificates

1. On the Windows XP machine, start Internet Explorer.
2. Go to the certificate server website (in our case http://abc....../certsrv).
3. Click Download a CA certificate, certificate chain, or CRL.
4. Click Download CA certificate chain and save the file on the machine.
5. Once the certificate chain is downloaded, copy it to the unmanaged Windows Server 2008 R2 (our target monitored server).

6. Log on to the unmanaged Windows Server 2008 R2.
7. Open an MMC, add the Certificates snap-in, and select Computer account (Local Computer).
8. Go to Trusted Root Certification Authorities, right-click it, choose All Tasks > Import, and import the Root CA certificate.

Request and install the client certificate for the unmanaged Windows Server

1. Start Internet Explorer.
2. Go to the certificate server website (in our case http://demo-dc01/certsrv).
3. Click Request a certificate, choose Advanced certificate request, and then click Create and submit a request to this CA.

On the Advanced Certificate Request page, do the following:

  1. Under Identifying Information, in the Name field, enter a unique name, for example, the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the remaining fields, enter the appropriate information.

Note

Event ID 20052 of type Error is generated if the FQDN entered in the Name field does not match the computer name.

  2. Under Type of Certificate Needed:
    Click the list, and then select Other.
    In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
  3. Under Key Options, make the following selections:
    Click Create a new key set
    In the CSP field, select Microsoft Enhanced Cryptographic Provider v1.0
    Under Key Usage, select Both
    Under Key Size, select 1024
    Select Automatic key container name
    Select Mark keys as exportable
    Clear Export keys to file (not required for Windows Server 2008 AD CS)
    Clear Enable strong private key protection
    Select Store certificate in the local computer certificate store
  4. Under Additional Options:
    Under Request Format, select CMC
    In the Hash Algorithm list, select SHA-1
    Clear Save request to a file
    In the Friendly Name field, enter the FQDN of the computer that you are requesting the certificate for.
  5. Click Submit.
  6. If a Potential Security Violation dialog box is displayed, click Yes.
  7. When the Certificate Pending page is displayed, close the browser.

To approve the pending certificate request

  1. Log on to the computer hosting Certificate Services as a certification authority administrator.
  2. On the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
  3. In Certification Authority, expand the node for your certification authority name, and then click Pending Requests.
  4. In the results pane, right-click the pending request from the previous procedure, point to All Tasks, and then click Issue.
  5. Click Issued Certificates, and confirm the certificate you just issued is listed.
  6. Close Certification Authority.

To retrieve the certificate

  1. Log on to the computer where you want to install a certificate (for example, the gateway server or management server).
  2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).
  3. On the Microsoft Certificate Services Welcome page, click View the status of a pending certificate request.
  4. On the View the Status of a Pending Certificate Request page, click the certificate you requested.
  5. On the Certificate Issued page, click Install this certificate.
  6. In the Potential Scripting Violation dialog box, click Yes.
  7. On the Certificate Installed page, after you see the message that Your new certificate has been successfully installed, close the browser.
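The request, approval and retrieval steps above can also be driven from the Windows Server 2008 R2 machine itself with certreq.exe, which enrolls over DCOM and so does not touch the unpatched Web enrollment pages. This is an added example, not from the original post; the INF keys carry the same values the post selects on the Advanced Certificate Request page, and $Fqdn and $CaConfig are placeholders you must replace.

```powershell
# Added example (not from the original post): the Web-page request rebuilt as a certreq INF.
# Placeholders (assumptions): $Fqdn and $CaConfig.
$Fqdn     = 'server01.contoso.local'            # FQDN of the 2008 R2 server; must match its computer name
$CaConfig = 'demo-dc01\Contoso Standalone CA'   # "CAHost\CA common name" of the 2003 standalone CA
$Work     = "$env:TEMP\$Fqdn"

# Each INF key mirrors one option from the Advanced Certificate Request page.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"            ; Identifying Information > Name
FriendlyName = "$Fqdn"          ; Additional Options > Friendly Name
KeyLength = 1024                ; Key Options > Key Size
KeySpec = 1                     ; AT_KEYEXCHANGE, i.e. Key Usage "Both"
KeyUsage = 0xa0                 ; digitalSignature (0x80) | keyEncipherment (0x20)
Exportable = TRUE               ; Mark keys as exportable
MachineKeySet = TRUE            ; Store certificate in the local computer certificate store
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
RequestType = CMC               ; Request Format
HashAlgorithm = sha1            ; Hash Algorithm

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1         ; Server Authentication  (Type of Certificate Needed > Other)
OID = 1.3.6.1.5.5.7.3.2         ; Client Authentication
"@
Set-Content -Path "$Work.inf" -Value $inf -Encoding Ascii

# 1. Create the key pair in the machine store and write the CMC request.
certreq -new "$Work.inf" "$Work.req"

# 2. Submit. A standalone CA answers "Taken Under Submission"; keep the RequestId.
$submit    = certreq -submit -config $CaConfig "$Work.req" "$Work.cer"
$requestId = ($submit | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
"Request $requestId is pending; issue it in the Certification Authority console (Pending Requests > All Tasks > Issue)."

# 3. After the CA administrator has issued it: retrieve the certificate and bind it to the
#    waiting private key (the equivalent of "Install this certificate" on the Web page).
certreq -retrieve -config $CaConfig $requestId "$Work.cer"
certreq -accept "$Work.cer"

# 4. Check: certificate in LocalMachine\My, private key present, both EKUs on the certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey }
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }
$ext  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
if (($ekus -contains '1.3.6.1.5.5.7.3.1') -and ($ekus -contains '1.3.6.1.5.5.7.3.2')) { "OK: ready for MOMCertImport" }
else { throw "Certificate is missing Server or Client Authentication EKU: $($ekus -join ',')" }
```

Step 3 is run only after the request has been issued on the CA; until then certreq -retrieve reports the request as still pending.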

On Windows XP

Open an MMC, add the Certificates snap-in, and select Computer account (Local Computer).

Go to Personal, select the client certificate you just installed, right-click it, choose All Tasks > Export, and export it as Personal Information Exchange - PKCS #12 (.PFX):

  1. In the wizard, click “Next”
  2. Select “Yes, export the private key”
  3. Click “Next”
  4. Select “Personal Information Exchange – PKCS #12 Certificates (PFX)”
  5. Select “Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)”
  6. Click “Next”
  7. Type a password for the certificate twice and click “Next”
  8. Click “Browse” and save the file as c:\serverFQDN.pfx
  9. Click “Next”
  10. Check the export information and, if it is correct, click “Finish”
  11. Click “OK” to finish the export

Save the .pfx on the desktop and copy it to the unmanaged Windows Server 2008 R2.

Install the client certificate on the unmanaged Windows Server 2008 R2

  1. Log on to the Windows Server 2008 R2.
  2. On the Start menu, click “Run”.
  3. Type “cmd”.
  4. Navigate to the support tools folder: cd "\Program Files\System Center Operations Manager 2007\SupportTools\i386"
  5. Type MOMcertimport.exe "c:\servername.domain.com.pfx" (or "c:\servername.pfx").
  6. Type the password requested for the certificate import and press “Enter”.
  7. The certificate is now imported into OpsMgr 2007.
  8. Restart the “OpsMgr Health Service” on the server.

Reference:

How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007

http://technet.microsoft.com/en-us/library/bb735417.aspx

How to use Certificate Services Web enrollment pages together with Windows Vista or Windows Server 2008

http://support.microsoft.com/kb/922706/en-us

Update for Windows Server 2003 (KB922706)

http://www.microsoft.com/en-us/download/details.aspx?id=4758

http://www.toolzz.com/?p=279

http://blogs.technet.com/b/operationsmgr/archive/2009/09/10/step-by-step-for-using-certificates-to-communicate-between-agents-and-the-opsmgr-2007-server.aspx