Setup & configure a certificate authority on Windows Server 2008

So you host a bunch of internal SharePoint sites, websites and other internal web applications. You want to secure them with SSL, but you cannot afford a certificate from a third-party certificate authority right now. I am going to walk you through installing a new CA, requesting a certificate, approving it and then installing it.

CA Install:

 

Go to Start and click on “Server Manager”

Select “Roles”

 

Click on “Add Roles”

 

Select “Certificate Services” and click next

 

I typically choose “Certification Authority” and “Certification Authority Web Enrollment” and click next

NOTE: I choose the web enrollment so I can request certificates and download them from the web browser.

 

I chose “Standalone” on the next screen

NOTE: You can choose “Enterprise” to integrate this CA with Active Directory. I chose not to in my setup.

 

This is the first Certificate Authority, so choose “Root CA” and then click next

 

 

Choose “Create new Private Key” then click next

 

Leave the defaults unless your requirements call for different cryptographic settings. Click next

 

Give your CA a name and click next

 

Set the validity period (this is the number of years your CA’s own certificate remains valid before it expires). I chose 10 years. Click next when you are done setting this

  

This next screen shows you where the certificate databases will be located. Click next

 

Click Install

 

Now your Certificate Authority will be installed.
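As an added example (this is not from the original post), the following PowerShell session uses the certutil tool that ships with Windows Server 2008 to confirm the new CA is answering and to check the validity period it will stamp on the certificates it issues. The CA config string is an assumed placeholder; replace it with your server name and the CA name you entered in the wizard.

```powershell
# Assumed placeholder: "CA host\CA common name" as chosen during the wizard
$CaConfig = 'SERVERNAME\My-Internal-Root-CA'

# 1. Confirm the Certificate Services service is running and the CA answers
Get-Service certsvc
certutil -config $CaConfig -ping

# 2. Show the CA's own certificate; its lifetime is the 10 years set in the wizard
certutil -config $CaConfig -cainfo

# 3. Check the validity period the CA applies to certificates it ISSUES.
#    This is separate from the CA's own lifetime; a standalone CA defaults
#    to 1 year, so web server certificates will need renewing every year.
certutil -config $CaConfig -getreg CA\ValidityPeriodUnits
certutil -config $CaConfig -getreg CA\ValidityPeriod

# 4. Optionally lengthen it to 2 years; the service must restart to apply it
certutil -config $CaConfig -setreg CA\ValidityPeriodUnits 2
certutil -config $CaConfig -setreg CA\ValidityPeriod 'Years'
Restart-Service certsvc
```

The certutil lines work the same from a cmd prompt if PowerShell is not installed on the server. Keep issued-certificate lifetimes short relative to the CA certificate; the root CA's private key is the trust anchor for every site you secure with it, and anything that can sign with it can impersonate all of them.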

To Request a Certificate:

 

Go to your new Certificate Authority website and click on “Request a certificate”

NOTE: The CA website URL is: http://SERVERNAME/certsrv/

 

Choose “Web Browser Certificate”

 

If you are on Windows Vista or Windows 7, you may get the following error

 

To get past this error in Internet Explorer, select Tools >> Internet Options >> Security and choose the zone the CA site falls into (for me this was Local intranet). Click the “Custom Level…” button, find “Initialize ActiveX unsafe for scripting” and set it to Enable. Apply this only to the zone that contains your CA site, since it lowers the browser’s protection against scripted ActiveX controls for every site in that zone.

Now close and reopen your browser

Now when you go to request a certificate you will not get the above error. Instead you will get the prompt below; click Yes on it.

 

Now you will be able to fill out the information to submit a certificate request.

 

To approve the certificate request:

 

Log onto the CA server

Go to Start >> Programs >> Administrative Tools >> Certification Authority

 

Expand the CA and you will see pending requests

 

Right click on the pending certificate and select Issue

 

That is it; your certificate is now issued and ready to be installed.

To install the approved certificate:

 

Go back to the certificate site (http://SERVERNAME/certsrv/) and click on “View the status of a pending certificate request”

 

On the next screen click on the certificate that you requested

 

Now click on “Install this certificate”.

 

That is it. Your new certificate should now be installed.
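The request, approve and install steps above can also be done from the command line with certreq and certutil, which avoids changing the browser’s ActiveX setting and works when the web enrollment pages do not show the certificate type you need. This is an added example, not part of the original post; the CA config string, the site hostname and the request ID are assumed placeholders.

```powershell
# Assumed placeholders
$CaConfig = 'SERVERNAME\My-Internal-Root-CA'   # CA host \ CA name from the wizard
$SiteName = 'intranet.example.local'           # constructed hostname for the site

# --- Step 1 (on the web server): describe the request in an INF file --------
@"
[NewRequest]
Subject = "CN=$SiteName"
KeyLength = 2048
; AT_KEYEXCHANGE, required for SSL key exchange
KeySpec = 1
; digitalSignature + keyEncipherment
KeyUsage = 0xA0
; key lives in the computer store so IIS can use it
MachineKeySet = TRUE
; private key cannot be exported from this machine
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path request.inf

# Generate the private key and a PKCS#10 request; the key never leaves this host
certreq -new request.inf request.req

# --- Step 2: submit to the CA (a standalone CA leaves the request pending) ---
# The output ends with "RequestId: N"; note N for the following steps.
certreq -submit -config $CaConfig request.req

# --- Step 3 (as a CA administrator): issue the pending request ---------------
# Equivalent to right-clicking the request and choosing Issue in the snap-in.
$RequestId = 2                                  # assumed value taken from step 2
certutil -config $CaConfig -resubmit $RequestId

# --- Step 4 (on the web server): retrieve and install the certificate --------
certreq -retrieve -config $CaConfig $RequestId cert.cer
certreq -accept cert.cer                        # binds the cert to the key from step 1

# Clients will only trust the site if they trust the root: export the CA
# certificate and add it to the Trusted Root store of each client machine.
certutil -config $CaConfig -ca.cert root.cer
certutil -addstore Root root.cer

# Verify the certificate chains to the root and is paired with its private key
certutil -verify cert.cer
certutil -store My $SiteName
```

Run steps 1, 2 and 4 in an elevated prompt on the web server, and step 3 on the CA (or anywhere, as an account that is a CA administrator). Keeping Exportable = FALSE means the site’s private key exists only in that server’s machine store, which limits the damage if the request or certificate files are copied elsewhere.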

For more info about Certificate Services visit:

5 comments to Setup & configure a certificate authority on Windows Server 2008

  • leslie  says:

Hi

Would you have any idea why I don’t have the option “Choose Web Browser Certificate” under select certificate type? The only link that I have there is user certificate. Is there another way to do this?

    thanks for your reply
    Leslie

  • sbuchanan  says:

    Hi Leslie,

    Is the “Web Browser Certificate” not showing up when you go to request the certificate or go to install it?

If it is when you go to install it, did you make sure that you chose the “Web Browser Certificate” option when you requested the certificate?

    Thanks

  • leslie  says:

Yes, the web browser certificate link is not showing up when I request the certificate.

I did install Certification Authority Web Enrollment. I had to add the feature later, after I had already installed the Active Directory Certificate Services.
So do you know any other way to resolve this issue?

    thanks
    Leslie

  • leslie  says:

Hi

If you look at the screenshot under “Choose Web Browser Certificate”, I don’t have the options “Web browser certificate” and “Email protection certificate”. Would you have any idea why? Is there another way to get those options?

    thanks
    Leslie

    • sbuchanan  says:

      Hi Leslie,

      I would suggest uninstalling your CA and re-install it. This time make sure you install Active Directory Certificate Services first and then the Certification Authority and the Certificate Authority Web Enrollment as in the blog post.

Also, did you deploy this as an Enterprise or Standalone CA? In my example I chose Standalone. I recommend you do the same to get the same results.

      If those suggestions do not work I don’t think there is much more help I can provide without seeing your actual server.

      I hope this helps.
