Creating a CSR and submitting it to the CA for a certificate is the easy part.
My question is as follows:
The Microsoft CA (internal) has multiple templates available; the templates serve various purposes such as client authentication, server authentication, code signing etc. (key usage, application policies). Which template should be used when submitting the certificate request to the CA? Also, do we need multiple certificates for a two-node cluster?
Is there any documentation about the requirements for SSL certs?
I'll share a bit from my internal DOC... haven't tested it recently, and I think it can be a bit more optimised from the current steps, use at your own risk:
"Server Authentication Certificate" is the right Microsoft CA Template. Create it with exportable key, SHA1, 2048 bit or larger key size.
After it is saved by the MS enrolment process, export the cert with the key from the personal store MMC, then convert using the OpenSSL for Windows package or on a Linux device with the following commands (do NOT use public websites):
Those steps did help in answering a nagging question about the template.
However, I did not use openssl for the conversion. Using certreq I was able to request the certificate in base64 and load it onto our filer.
I also used the certutil -dump command to analyze the self-signed certificate, which is compliant with ISIS-MTT version 1.1, and thus it kept showing "Certificate Signing, Off-line CRL Signing, CRL Signing" under key usage.
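
One way to script the certreq / certutil flow described in the reply above, as an added example that is not part of the original thread: it submits an existing CSR to an internal Microsoft CA, then checks that the issued certificate carries Server Authentication and is not a signing (CA-style) certificate. The CA config string, the template name `WebServer` and the file names are assumptions; substitute the values from your own environment.

```powershell
# Added example. All values below are constructed placeholders (assumptions).
$CaConfig = 'ca01.example.internal\Example-Issuing-CA'   # "<CA host>\<CA name>"
$Template = 'WebServer'      # template *name* of a server-authentication template published on the CA
$CsrPath  = '.\filer.csr'    # PKCS#10 request generated on the device that will hold the key
$CertPath = '.\filer.cer'    # issued certificate

# Submit the CSR. certreq writes the certificate base64-encoded unless -binary is given.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $CertPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Human-readable dump, same view as used in the thread.
certutil -dump $CertPath

# Programmatic checks on the issued certificate.
$x509ns = 'System.Security.Cryptography.X509Certificates'
$cert   = New-Object "$x509ns.X509Certificate2" (Resolve-Path $CertPath).Path

$eku = $cert.Extensions | Where-Object { $_ -is ("$x509ns.X509EnhancedKeyUsageExtension" -as [type]) }
if (-not $eku) { throw 'No Enhanced Key Usage extension: wrong template?' }

$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {      # id-kp-serverAuth
    throw "Server Authentication missing from EKU: $($ekuOids -join ', ')"
}

$ku = $cert.Extensions | Where-Object { $_ -is ("$x509ns.X509KeyUsageExtension" -as [type]) }
$caBits = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyCertSign, CrlSign'
if ($ku -and ($ku.KeyUsages -band $caBits)) {
    # "Certificate Signing / CRL Signing" is what a self-signed or CA certificate shows.
    throw "Certificate carries signing key usages: $($ku.KeyUsages)"
}

if ($cert.Subject -eq $cert.Issuer) { throw 'Certificate is self-signed, not CA-issued' }

# Report what an auditor will ask about.
[pscustomobject]@{
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    KeyUsage           = if ($ku) { $ku.KeyUsages } else { 'none' }
    EKU                = $ekuOids -join ', '
    NotAfter           = $cert.NotAfter
}
```

Because the CSR is generated on the device itself, the private key never leaves it and no PFX export or conversion step is involved.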