Request Internal Certificate from CA Server

In the last post, Set Up Automatic Certificate Enrollment, we walked through the steps for completing automated certificate enrollment.

In this post I will walk through how to request an internal SSL certificate for an IIS web server in the domain from our internally deployed CA.

Create Web Server Certificate Template for SSL Certs

Connect to the Enterprise CA and open the Certification Authority console.

Expand the certification authority so that you can see Certificate Templates. Right-click Certificate Templates and then click Manage.


In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template.


If you are prompted to select a template version, select Windows Server 2008 R2 and then click OK.


In the General tab, under Template display name, type the name you want to use for the template, for example Lab Certs. Adjust the validity period to match your requirements.


On the Subject Name tab select Build from this Active Directory information. Set the Subject name format to Common name. Under Include this information in alternate subject name, select the DNS name checkbox and clear the User principal name (UPN) checkbox.


On the Cryptography tab, ensure that the template is set to use a Minimum key size of 1024 bits or higher; 2048 bits or higher is preferred. Click OK.

Close the Certificate Templates console and return to the Certification Authority console.

In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.


In the Enable Certificate Templates dialog box, click the new certificate template that you created and then click OK.


Complete an Internal Certificate Request

Launch IIS Manager, select Server Certificates, and click Open Feature.


In the Actions pane on the right, click Create Certificate Request.


Fill in the distinguished name fields for the request.


Leave the Cryptographic service provider at its default, change the Bit length to 4096, and click Next.


Save the request file to any location you like on the server and click Finish.


Log on to the CA web enrollment page in your browser (http://<CAserver>/certsrv).

1: Select Request a certificate, then select Advanced certificate request.


2: In the Certificate Template drop-down, select Web Server.

3: Copy and paste the contents of your certificate request file (excluding the first and last lines, “— beginning of new request file —” and “— end of new request file —”).


4: Save the issued certificate as a Base 64 encoded .cer file.


5: From within IIS, select Complete Certificate Request and supply the saved .cer file.

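The same request, submit and complete steps can be driven from PowerShell with certreq.exe instead of the IIS wizard and the certsrv page; the following is an added example, not code from the original post, and it finishes with the checks worth running before binding the certificate in IIS. The CA config string, the host FQDN and the template name WebServer (the template's name, not its display name) are placeholders for your lab.

```powershell
# Added example: request, submit and complete a web server certificate with certreq.exe,
# then verify key size, DNS SAN and chain. Placeholders below must be replaced.
$CaConfig = 'ca01.lab.local\Lab-CA'   # <CAserver>\<CA name>, placeholder
$HostFqdn = 'web01.lab.local'         # web server DNS name, placeholder
$Template = 'WebServer'               # template name (certsrv shows display name "Web Server")
$Work     = Join-Path $env:TEMP 'webcert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# INF equivalent of the "Create Certificate Request" wizard: default CSP,
# 4096-bit RSA key in the machine store, plus a DNS SAN for the host name.
@"
[NewRequest]
Subject = "CN=$HostFqdn"
KeyLength = 4096
KeyAlgorithm = RSA
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostFqdn&"
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# Step 1: build the CSR (what the IIS wizard writes to the request file).
certreq.exe -new "$Work\request.inf" "$Work\request.req"
# Step 2: submit it with the template name (the certsrv "Certificate Template" choice).
certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" `
    "$Work\request.req" "$Work\issued.cer"
# Step 3: install the issued cert against the pending key ("Complete Certificate Request").
certreq.exe -accept -machine "$Work\issued.cer"

# Verification before binding in IIS: private key present, 4096-bit key,
# DNS SAN carries the host name, and the chain builds to a trusted CA.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Issued certificate not found in LocalMachine\My" }
$keySize = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
if ($keySize -ne 4096) { throw "Unexpected key size: $keySize" }
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($san -notmatch [regex]::Escape($HostFqdn)) { throw "DNS SAN missing: $san" }
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $HostFqdn -ErrorAction SilentlyContinue)) {
    throw "Certificate fails SSL policy or does not chain to a trusted CA"
}
"OK: $($cert.Thumbprint) valid until $($cert.NotAfter)"
```

Run it in an elevated PowerShell session on the web server; the account must be allowed to enroll on the template, exactly as it must be for the certsrv page.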

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)