How to Get a Certificate from an internal CA

All of the steps are completed on the web server; none of them are performed on the machine that is the certificate authority. The key pair is generated wherever the request is created, so doing everything on the web server means the private key never has to be copied between machines.

Create Certificate - Windows Server 2016+ and Windows 10

  1. Start -> Manage computer certificates

  2. Right-click Personal → All Tasks → Request New Certificate...

  3. Next

  4. Next

  5. Under "Active Directory Enrollment Policy" check "Computer"

  6. Click the arrow next to "Details"

  7. Click Properties

  8. In the Certificate Properties dialog, fill in the following tabs:

    1. General tab

      1. Friendly name: ex: myserver.mydomain.local

    2. Subject tab

      1. Subject name:

        1. Type: Common Name

        2. Value: FQDN of server, ex: myserver.mydomain.local

        3. Add

      2. Alternative name:

        1. Type: DNS

        2. Value: FQDN of server, ex: myserver.mydomain.local (browsers match the site name against the SAN, not the Common Name, so this entry is required)

        3. Add

    3. Private Key tab

      1. Click "Key options" arrow

        1. Key size: 2048

        2. Check "Make private key exportable" if the certificate and its key will need to be backed up or moved to another server; otherwise leave it unchecked so the key cannot be copied off this machine

  9. Click OK

  10. Enroll

Now is a good time to make sure that Certificate Auto-enrollment is set up so that the certificate will auto-renew rather than expire, taking the app/site down.
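The same enrollment from an elevated PowerShell prompt, followed by the checks worth running before the certificate is bound to a site. This is an added example, not part of the original article. It assumes the PKIClient module (Windows 8 / Server 2012 and later), that the CA publishes the "Computer" template used in the wizard step above and that the template lets the requester supply the subject (as the Subject tab steps imply), and that myserver.mydomain.local is the server's FQDN.

```powershell
# Added example (not from the original article). Assumptions: PKIClient module,
# a CA template named "Computer" that accepts a requester-supplied subject,
# and the FQDN below. Run in an elevated PowerShell on the web server.

$fqdn     = 'myserver.mydomain.local'   # assumed FQDN of this web server
$template = 'Computer'                   # assumed template name (use 'WebServer' if that is what your CA offers)

# Get-Certificate does what Personal -> Request New Certificate does:
# generates the key pair locally, submits the request and stores the result.
# -DnsName becomes the Subject Alternative Name; -SubjectName sets the CN.
$result = Get-Certificate -Template $template `
                          -SubjectName "CN=$fqdn" `
                          -DnsName $fqdn `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

# Status is "Pending" when the template requires CA manager approval; in that
# case retrieve it later with Get-Certificate -Request $result.
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($result.Status)"
}
$cert = $result.Certificate

# Check 1: the SAN lists the FQDN. Without it browsers report a name mismatch
# even when the CN is correct.
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
if ($sanText -notmatch [regex]::Escape($fqdn)) {
    throw "Certificate has no DNS SAN for $fqdn (SAN: '$sanText')"
}

# Check 2: Extended Key Usage includes Server Authentication (1.3.6.1.5.5.7.3.1).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
    throw 'Certificate lacks the Server Authentication EKU'
}

# Check 3: the private key is in the machine store and the chain builds to the
# internal CA (i.e. the CA's root/issuing certs are trusted on this box).
if (-not $cert.HasPrivateKey) { throw 'No private key associated with the certificate' }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain does not build: $why"
}

# Check 4: key size and signature algorithm match what was requested.
$keyBits = $cert.PublicKey.Key.KeySize
if ($keyBits -lt 2048) { throw "Key is only $keyBits bits" }

'{0}  thumbprint={1}  key={2}-bit  sig={3}  expires={4:yyyy-MM-dd}' -f `
    $cert.Subject, $cert.Thumbprint, $keyBits, $cert.SignatureAlgorithm.FriendlyName, $cert.NotAfter
```

The chain check is the one most often skipped: if the CA's certificates are not in the server's Trusted Root / Intermediate stores the site will still serve the certificate, but every client will see a trust warning.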

 

Continue with Assign Certificate to Website 

Create Certificate - Windows Server pre-2016 and Windows 7

Create a Certificate Signing Request (CSR)

Open the Certificates Snap-in

  1. On the web server

  2. Windows-R (run dialog)

  3. Enter mmc.exe

  4. Click OK

  5. File->Add/Remove Snap-in…

  6. Select “Certificates”

  7. Click Add

  8. Select “Computer account”

  9. Next

  10. Select “Local computer”

  11. Click Finish

  12. Click OK (to close Add/Remove Snap-ins)

Request a Certificate

  1. Expand Certificates in the MMC Console and select Personal

  2. Right-click on Personal->All Tasks->Advanced Operations->Create Custom Request…

  3. Next

  4. Select “Proceed without enrollment policy”

  5. Next

  6. Template: (No template) CNG key

  7. Request format: PKCS #10

  8. Next

  9. Click arrow next to Details

  10. Click Properties

  11. General tab

    1. Friendly name: ex: myserver.mydomain.local

  12. Subject tab

    1. Subject name: 

      1. Type: Common Name

      2. Value: FQDN of server, ex: myserver.mydomain.local

      3. Add

    2. Alternative name:

      1. Type: DNS

      2. Value: FQDN of server, ex: myserver.mydomain.local

      3. Add

  13. Extensions tab

    1. Key usage 

      1. Click “Key usage” arrow

      2. Available options: Digital signature, Add

      3. Available options: Key encipherment, Add

    2. Extended Key Usage

      1. Click “Extended Key Usage (application policies)” arrow

      2. Available options: Server Authentication, Add

      3. Available options: Client Authentication, Add

  14. Private Key tab

    1. Click “Cryptographic Service Provider” arrow

      1. Verify that “RSA, Microsoft Software Key Storage Provider” is checked

    2. Click “Key options” arrow

      1. Key size: 2048

    3. Click “Select Hash Algorithm” arrow

      1. Hash Algorithm: sha256

  15. Click OK

  16. Click Next in Certificate Enrollment window

  17. File Name: ex: C:\Temp\myserver.mydomain.local.csr

    1. NOTE: If the full path isn’t put in the field then the file will be saved to C:\Windows\system32\

  18. File format: Base 64

  19. Click Finish

Sign the Certificate

Sign the CSR File

  1. Still on the web server

  2. Open a command prompt or PowerShell as an administrator (right-click -> Run as administrator)

  3. cd into the directory with the CSR

  4. Run the following command

    certreq -submit -attrib "CertificateTemplate:WebServer" <CSR FILE NAME>

    Ex: certreq -submit -attrib "CertificateTemplate:WebServer" "myserver.mydomain.local.csr"

    The value after CertificateTemplate: is the template's name as published on the CA (WebServer here); the request is rejected if the CA does not publish that template or the requesting account lacks Enroll permission on it.

  5. A “Select Certification Authority” dialog will appear. Choose the CA that should sign the certificate and click OK.

  6. A "Save Certificate" dialog will appear. Enter a file name. Ex: myserver.mydomain.local.cer

  7. Click Save

  8. The output should include “Certificate retrieved(Issued) Issued”

  9. A .cer file will be created

  10. Because the request was submitted from the web server, the .cer file is already where the next step needs it; it only has to be copied if the submission was done from another machine

Submitting new request does not work

 

Complete Certificate Request

  1. On the web server

  2. Run IIS Manager (inetmgr.exe) as administrator (right-click -> Run as administrator)

  3. Select the server

  4. In the IIS section of Features View open Server Certificates

  5. Click “Complete Certificate Request…”

  6. Select the .cer file

  7. Friendly name: a name to identify the certificate, ex: myserver.mydomain.local

  8. Select a certificate store for the new certificate: Personal (yes, Personal)

  9. Click OK
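The three sections above (Create a Certificate Signing Request, Sign the CSR File, Complete Certificate Request) done from the command line with certreq and an .inf file, the approach the references at the end of this page describe. This is an added example, not part of the original article. It assumes the FQDN myserver.mydomain.local, a CA template named WebServer, and C:\Temp as the working directory; the SAN is carried in the request as an extension rather than a request attribute, so the CA does not need the less safe EDITF_ATTRIBUTESUBJECTALTNAME2 flag.

```powershell
# Added example (not from the original article). Assumptions: FQDN, template
# name and working directory below. Run in an elevated PowerShell on the web
# server; the key pair is generated here and never leaves the machine.

$fqdn    = 'myserver.mydomain.local'   # assumed FQDN of this web server
$workDir = 'C:\Temp'                    # assumed scratch directory
$inf = Join-Path $workDir "$fqdn.inf"
$csr = Join-Path $workDir "$fqdn.csr"
$cer = Join-Path $workDir "$fqdn.cer"

# Request definition mirroring the wizard tabs: CN subject, DNS SAN, Key usage
# digital signature + key encipherment (0x80 + 0x20 = 0xA0), EKUs Server and
# Client Authentication, 2048-bit RSA in the software KSP, SHA-256, PKCS #10.
# Exportable = FALSE keeps the key from being copied off the server; set TRUE
# only if the certificate must later be moved to another host.
$infText = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__"
FriendlyName = "__FQDN__"
Exportable = FALSE
KeyLength = 2048
KeyAlgorithm = RSA
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = sha256
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__FQDN__&"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
'@
$infText.Replace('__FQDN__', $fqdn) | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair and CSR (what the Create Custom Request wizard does).
#    The pending request, with the private key, goes into the machine REQUEST store.
& certreq.exe -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the CA. Without -config "CAHOST\CA Name" certreq shows the same
#    "Select Certification Authority" dialog as in the article.
& certreq.exe -submit -attrib 'CertificateTemplate:WebServer' $csr $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

# 3. Install the issued certificate against the pending request (what IIS
#    Manager's "Complete Certificate Request" does); it lands in Personal with
#    the private key attached.
& certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# 4. Confirm the certificate and its key are in LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$fqdn in LocalMachine\My" }
"Installed $($cert.Thumbprint), valid until $($cert.NotAfter)"
```

If `certreq -accept` reports that no matching request was found, the CSR was generated on a different machine or under a different account (user vs. machine key set) than the one running the accept step, which is exactly the situation the note at the top of the page warns against.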

Assign Certificate to Website

  1. Select the website, ex: Default Web Site

  2. Click Bindings…

  3. Click Add…

  4. Select: https

  5. IP address: All Unassigned or the IP of the site

  6. Port: 443

  7. Host name: leave this blank

  8. SSL certificate: select the certificate completed above

  9. Click OK

  10. Click Close

  11. Test the certificate by going to the root of the server in more than one browser (for example IE and Chrome or Firefox); each should show a secure connection with no certificate warning

    Ex: https://myserver.mydomain.local

  12. Test Adams Web and/or Adams Admin as appropriate

    Ex: https://myserver.mydomain.local/AdamsWeb
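The binding and the test done from PowerShell, as an added example that is not part of the original article. It assumes the WebAdministration module (IIS 7.5 and later), the site name "Default Web Site", the FQDN myserver.mydomain.local, and that the certificate is already in the machine's Personal store; the TLS check at the end verifies the served certificate is the one just bound and that the chain validates from this machine, which is what the browser test is looking for.

```powershell
# Added example (not from the original article). Assumptions: WebAdministration
# module, site and FQDN below, certificate already in Cert:\LocalMachine\My.
# Run in an elevated PowerShell on the web server.

Import-Module WebAdministration

$fqdn     = 'myserver.mydomain.local'   # assumed FQDN of this web server
$siteName = 'Default Web Site'          # assumed site name

# Pick the newest certificate for the FQDN that has a private key and the
# Server Authentication EKU; anything else cannot terminate TLS for the site.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -eq "CN=$fqdn" -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $fqdn in LocalMachine\My" }

# https on all unassigned IPs, port 443, no host header (as in the steps above).
# Reuse the binding if it already exists, then attach the certificate to it.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
}
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# Test like a browser would: TLS handshake against the FQDN (not localhost, so
# the name check is exercised), compare the served certificate with the bound
# one, then fetch the site root.
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($fqdn)     # throws on name mismatch or untrusted chain
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($served.Thumbprint -ne $cert.Thumbprint) {
        throw "Server presented $($served.Thumbprint), expected $($cert.Thumbprint)"
    }
    'TLS {0} OK: {1} issued by {2}' -f $ssl.SslProtocol, $served.Subject, $served.Issuer
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

(Invoke-WebRequest -Uri "https://$fqdn/" -UseBasicParsing).StatusCode
```

A handshake that succeeds from the server itself but fails from a workstation almost always means the workstation does not trust the internal CA; fix that by distributing the CA certificate through Group Policy rather than by adding exceptions in browsers.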

References

How to Request a Certificate With a Custom Subject Alternative Name - This includes an alternate option to generate the request from the command line. If this is used be sure to perform all portions of the request on the requesting server and not on the CA server.

Using Certificate Extensions rather than Request Attributes for Certificate Requests containing SANs - Helpful if the command line request process is used.

Certreq

© 2023 Foray, LLC - All Rights Reserved