All of the steps are completed on the web server. None of them are performed on the machine that is the certificate authority.
Create Certificate - Windows Server 2016+ and Windows 10
- Start -> Manage computer certificates
- Expand Personal
- Right-click Personal → Certificates, All Tasks → Request New Certificate...
- Next
- Next
- Under "Active Directory Enrollment Policy" check "Computer"
- Click the arrow next to "Details"
- Click Properties
- General tab
- Friendly name: ex: myserver.mydomain.local
- Subject tab
- Subject name:
- Type: Common Name
- Value: FQDN of server, ex: myserver.foray.local
- Add
- Alternative name:
- Type: DNS
- Value: FQDN of server, ex: myserver.foray.local
- Add
- Subject name:
- Private Key tab
- Click “Key options” arrow
- Key size: 2048
- Check "Make private key exportable"
- Click “Key options” arrow
- OK
- Enroll
Now is a good time to make sure that Certificate Auto-enrollment is set up, so that the certificate auto-renews rather than expiring and taking the app/site down.
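As an added check (not part of the original procedure), the following PowerShell, run elevated on the web server, finds the certificate just enrolled in the machine Personal store and confirms the properties chosen in the dialog: the CN and DNS subject alternative name match the server FQDN, the key is RSA 2048 with its private half present and exportable, and the certificate is not close to expiry. It also reads the auto-enrollment policy value that Group Policy writes to the registry, since that is what drives the renewal mentioned above. The FQDN is a placeholder to replace.

```powershell
# Added verification script, not from the original procedure.
# Run in an elevated PowerShell prompt on the web server.
$Fqdn = 'myserver.mydomain.local'   # placeholder: the FQDN used as CN / DNS SAN above

$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending
if (-not $candidates) { throw "No certificate with CN=$Fqdn and a private key in LocalMachine\My" }
$cert = $candidates[0]   # newest first, in case an older certificate is still in the store

# 1. Subject Alternative Name must carry the FQDN as a DNS entry (browsers ignore the CN).
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$sanOk   = $sanText -match "DNS Name=$([regex]::Escape($Fqdn))"

# 2. RSA 2048-bit key, private key present and exportable (as ticked on the Private Key tab).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keySizeOk  = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
$exportable = $false
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG key (Microsoft Software Key Storage Provider): inspect the export policy flags.
    $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    # Legacy CSP key: the container info carries the flag.
    $exportable = $rsa.CspKeyContainerInfo.Exportable
}

# 3. Which template issued it (the "Computer" template is named "Machine" internally on a default AD CS install).
$tmplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' }
$template = ($tmplExt | ForEach-Object { $_.Format($false) }) -join '; '

# 4. Days left, and the auto-enrollment policy from "Certificate Services Client - Auto-Enrollment".
#    Assumption on the values: 1 = enabled, 7 = enabled with the renew/update options ticked.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy

[pscustomobject]@{
    Thumbprint       = $cert.Thumbprint
    Subject          = $cert.Subject
    SanOk            = $sanOk
    KeySizeOk        = $keySizeOk
    Exportable       = $exportable
    Template         = $template
    DaysLeft         = $daysLeft
    AutoEnrollPolicy = if ($null -eq $aePolicy) { 'not configured' } else { $aePolicy }
} | Format-List
```

A SanOk of False means the DNS entry on the Subject tab was skipped, and AutoEnrollPolicy of "not configured" means the GPO has not reached this server, so the certificate will expire rather than renew.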
Continue with Assign Certificate to Website
Create Certificate - Windows Server pre-2016 and Windows 7
Create a Certificate Signing Request (CSR)
Open the Certificates Snap-in
- On the web server
- Windows-R (run dialog)
- Enter mmc.exe
- Click OK
- File->Add/Remove Snap-in…
- Select “Certificates”
- Click Add
- Select “Computer account”
- Next
- Select “Local computer”
- Click Finish
- Click OK (to close Add/Remove Snap-ins)
Request a Certificate
- Expand Certificates in the MMC Console and select Personal
- Right-click on Personal->All Tasks->Advanced Operations->Create Custom Request…
- Next
- Select “Proceed without enrollment policy”
- Next
- Template: (No template) CNG key
- Request format: PKCS #10
- Next
- Click arrow next to Details
- Click Properties
- General tab
- Friendly name: ex: myserver.mydomain.local
- Subject tab
- Subject name:
- Type: Common Name
- Value: FQDN of server, ex: myserver.foray.local
- Add
- Alternative name:
- Type: DNS
- Value: FQDN of server, ex: myserver.foray.local
- Add
- Subject name:
- Alternative name:
- Extensions tab
- Key usage
- Click “Key usage” arrow
- Available options: Digital signature, Add
- Available options: Key encipherment, Add
- Extended Key Usage
- Click “Extended Key Usage (application policies)” arrow
- Available options: Server Authentication, Add
- Available options: Client Authentication, Add
- Private Key tab
- Click “Cryptographic Service Provider” arrow
- Verify that “RSA, Microsoft Software Key Storage Provider” is checked
- Click “Key options” arrow
- Key size: 2048
- Click “Select Hash Algorithm” arrow
- Hash Algorithm: sha256
- Click OK
- Click Next in Certificate Enrollment window
- File Name: ex: C:\Temp\myserver.mydomain.local.csr
- NOTE: If the full path isn’t put in the field then the file will be saved to C:\Windows\system32\
- File format: Base 64
- Click Finish
Sign the Certificate
Sign the CSR File
- Still on the web server
- Open a command prompt or powershell as an administrator (Run as administrator)
- cd into the directory with the CSR
- Run the following command
certreq -submit -attrib "CertificateTemplate:WebServer" <CSR FILE NAME>
Ex: certreq -submit -attrib "CertificateTemplate:WebServer" "myserver.mydomain.local.csr"
- A “Select Certification Authority” dialog will appear. Choose the CA that should sign the certificate and click OK.
- A “Save Certificate” dialog will appear. Enter a file name. Ex: myserver.domain.local.cer
- Click Save
- The output should include “Certificate retrieved(Issued) Issued”
- A .cer file will be created
- Copy this file to the web server
Submitting new request does not work
In Certificate Authority, when performing Action->All Tasks->Submit new request…
The following error will occur after selecting a certificate request (CSR) generated via IIS
---------------------------
Certificate Request Processor
---------------------------
The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
This is why the “Sign a CSR” command line steps are provided.
Complete Certificate Request
- On the web server
- Run IIS as administrator (right-click Run as administrator)
- Select the server
- In the IIS section of Features View open Server Certificates
- Click “Complete Certificate Request…”
- Select the .cer file
- Friendly name: a name to identify the certificate, ex: myserver.domain.local
- Select a certificate store for the new certificate: Personal (yes, Personal)
- Click OK
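The command-line equivalent of the three sections above (custom request, signing with the WebServer template, completing the request), written here as an added PowerShell script rather than something from the original procedure. Each field picked in the Certificate Enrollment dialog becomes a certreq INF key: RSA 2048 in the Microsoft Software Key Storage Provider, SHA-256, Digital Signature and Key Encipherment, Server and Client Authentication EKUs, CN and DNS SAN set to the FQDN, Base64 PKCS #10 output. The CA string passed to -config is a placeholder; giving it skips the "Select Certification Authority" dialog, and the CertificateTemplate attribute is what avoids the 0x80094801 "no certificate template information" rejection described above. certreq -accept pairs the issued certificate with the pending private key in the machine Personal store, which is what IIS's "Complete Certificate Request..." does.

```powershell
# Added example: command-line version of the CSR / sign / complete steps.
# Run elevated on the web server; every file stays on this machine, nothing is done on the CA.
$Fqdn     = 'myserver.mydomain.local'               # placeholder FQDN
$CaConfig = 'CAHOST.mydomain.local\MyDomain-CA'     # placeholder "CA host\CA name"; certutil -dump lists it
$Work     = 'C:\Temp'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$InfPath = Join-Path $Work "$Fqdn.inf"
$CsrPath = Join-Path $Work "$Fqdn.csr"
$CerPath = Join-Path $Work "$Fqdn.cer"

# Each INF key corresponds to a control in the Certificate Enrollment dialog (';' starts a comment).
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN={FQDN}"                                      ; Subject tab: Common Name
FriendlyName = "{FQDN}"                                    ; General tab: Friendly name
KeyAlgorithm = RSA
KeyLength = 2048                                           ; Private Key tab: Key size
ProviderName = "Microsoft Software Key Storage Provider"   ; Private Key tab: Cryptographic Service Provider
HashAlgorithm = sha256                                     ; Private Key tab: Hash Algorithm
KeyUsage = 0xa0                                            ; Extensions tab: Digital Signature (0x80) + Key Encipherment (0x20)
MachineKeySet = TRUE                                       ; computer certificate, key lives in the machine store
Exportable = FALSE                                         ; TRUE only if the key must be movable (the 2016+ steps tick it)
RequestType = PKCS10                                       ; Request format: PKCS #10
Silent = TRUE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2   ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"                                       ; Subject Alternative Name
_continue_ = "dns={FQDN}&"
'@ -replace '\{FQDN\}', $Fqdn
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# 1. Create the request; the private key is generated in the machine store at this point.
certreq -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the CA, naming the template so the policy module does not reject the request.
#    If the CA holds requests for approval, note the RequestId printed here and later run
#    certreq -retrieve <RequestId> <cer file> instead of waiting on this call.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:WebServer" $CsrPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

# 3. Install the issued certificate against the pending key (= IIS "Complete Certificate Request...").
certreq -accept $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# 4. Confirm the certificate now sits in LocalMachine\My paired with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate was not paired with its private key' }
"Installed $($cert.Thumbprint), valid until $($cert.NotAfter)"
```

Running every step on the same machine is what keeps the private key where it was generated; if step 4 fails, the usual cause is that certreq -new was run on a different host or under a different account (user store instead of machine store) than certreq -accept.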
Assign Certificate to Website
- Select the website, ex: Default Web Site
- Click Bindings…
- Click Add…
- Select: https
- IP address: All Unassigned or the IP of the site
- Port: 443
- Host name: leave this blank
- SSL certificate: select the certificate completed above
- Click OK
- Click Close
- Test the certificate by going to the root of the server in both IE and Chrome or Firefox
Ex: https://myserver.mydomain.local - Test Adams Web and/or Adams Admin as appropriate
Ex: https://myserver.mydomain.local/AdamsWeb
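Added PowerShell equivalent of the binding and test steps (not from the original procedure), using the WebAdministration module that ships with IIS: it finds the certificate by FQDN, creates the https binding on all unassigned addresses, port 443, blank host name, attaches the certificate through the IIS:\SslBindings provider, and then opens a TLS connection to the site to confirm that the certificate actually presented is the one just bound. Site name and FQDN are placeholders.

```powershell
# Added example: bind the certificate to the site and check what the server presents.
# Run elevated on the web server.
Import-Module WebAdministration
$Fqdn = 'myserver.mydomain.local'   # placeholder
$Site = 'Default Web Site'          # placeholder

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Fqdn with a private key in LocalMachine\My" }

# Bindings... -> Add...: https, All Unassigned (*), port 443, host name left blank.
if (-not (Get-WebBinding -Name $Site -Protocol https -Port 443)) {
    New-WebBinding -Name $Site -Protocol https -Port 443 -IPAddress '*' | Out-Null
}

# SSL certificate: http.sys holds one certificate per IP:port, so replace whatever is on 0.0.0.0:443.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Test: connect over TLS and return the certificate the server presents.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any chain so the handshake completes even before the CA root is
        # trusted on this box; the thumbprint comparison below is the actual check.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$served = Get-ServedCertificate -HostName $Fqdn
if ($served.Thumbprint -ne $cert.Thumbprint) {
    throw "Server presented $($served.Thumbprint), expected $($cert.Thumbprint)"
}
"https://$Fqdn serves $($served.Subject), expires $($served.NotAfter)"
```

A thumbprint mismatch usually means another site or a stale binding still owns 0.0.0.0:443 in http.sys; netsh http show sslcert lists every IP:port and the certificate hash attached to it. The browser test in the steps above still matters after this passes, because it also exercises chain trust and the DNS SAN, which this script deliberately does not.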
References
How to Request a Certificate With a Custom Subject Alternative Name - This includes an alternate option to generate the request from the command line. If this is used be sure to perform all portions of the request on the requesting server and not on the CA server.
Using Certificate Extensions rather than Request Attributes for Certificate Requests containing SAN’s - Helpful if the command line request process is used.