How to Get a Certificate from an internal CA

All of the steps are completed on the web server. None of them are performed on the machine that is the certificate authority.

Create Certificate - Windows Server 2016+ and Windows 10

  1. Start -> Manage computer certificates

  2. Right-click Personal -> All Tasks -> Request New Certificate...

  3. Next

  4. Next

  5. Under "Active Directory Enrollment Policy" check "Computer"

  6. Click the arrow next to "Details"

  7. Click Properties

  8. In the Certificate Properties window:

    1. General tab

      1. Friendly name: ex: myserver.mydomain.local

    2. Subject tab

      1. Subject name:

        1. Type: Common Name

        2. Value: FQDN of server, ex: myserver.foray.local

        3. Add

      2. Alternative name:

        1. Type: DNS

        2. Value: FQDN of server, ex: myserver.foray.local

        3. Add

    3. Private Key tab

      1. Click "Key options" arrow

        1. Key size: 2048

        2. Check "Make private key exportable"

    4. Click OK

  9. Enroll

Now is a good time to make sure that Certificate Auto-enrollment is set up so that the certificate will auto-renew rather than expire, taking the app/site down.


Continue with Assign Certificate to Website

Create Certificate - Windows Server pre-2016 and Windows 7

Create a Certificate Signing Request (CSR)

Open the Certificates Snap-in

  1. On the web server

  2. Windows-R (run dialog)

  3. Enter mmc.exe

  4. Click OK

  5. File->Add/Remove Snap-in...

  6. Select "Certificates"

  7. Click Add

  8. Select "Computer account"

  9. Next

  10. Select "Local computer"

  11. Click Finish

  12. Click OK (to close Add/Remove Snap-ins)

Request a Certificate

  1. Expand Certificates in the MMC Console and select Personal

  2. Right-click on Personal->All Tasks->Advanced Operations->Create Custom Request...

  3. Next

  4. Select "Proceed without enrollment policy"

  5. Next

  6. Template: (No template) CNG key

  7. Request format: PKCS #10

  8. Next

  9. Click arrow next to Details

  10. Click Properties

  11. General tab

    1. Friendly name: ex: myserver.mydomain.local

  12. Subject tab

    1. Subject name:

      1. Type: Common Name

      2. Value: FQDN of server, ex: myserver.foray.local

      3. Add

    2. Alternative name:

      1. Type: DNS

      2. Value: FQDN of server, ex: myserver.foray.local

      3. Add

  13. Extensions tab

    1. Key usage

      1. Click "Key usage" arrow

      2. Available options: Digital signature, Add

      3. Available options: Key encipherment, Add

    2. Extended Key Usage

      1. Click "Extended Key Usage (application policies)" arrow

      2. Available options: Server Authentication, Add

      3. Available options: Client Authentication, Add

  14. Private Key tab

    1. Click "Cryptographic Service Provider" arrow

      1. Verify that "RSA, Microsoft Software Key Storage Provider" is checked

    2. Click "Key options" arrow

      1. Key size: 2048

    3. Click "Select Hash Algorithm" arrow

      1. Hash Algorithm: sha256

  15. Click OK

  16. Click Next in Certificate Enrollment window

  17. File Name: ex: C:\Temp\myserver.mydomain.local.csr

    1. NOTE: If the full path isn't put in the field then the file will be saved to C:\Windows\system32\

  18. File format: Base 64

  19. Click Finish

Sign the Certificate

Sign the CSR File

  1. Still on the web server

  2. Open a command prompt or powershell as an administrator (Run as administrator)

  3. cd into the directory with the CSR

  4. Run the following command

    certreq -submit -attrib "CertificateTemplate:WebServer" <CSR FILE NAME>

    Ex: certreq -submit -attrib "CertificateTemplate:WebServer" "myserver.mydomain.local.csr"

  5. A "Select Certification Authority" dialog will appear. Choose the CA that should sign the certificate and click OK.

  6. A "Save Certificate" dialog will appear. Enter a file name. Ex: myserver.domain.local.cer

  7. Click Save

  8. The output should include "Certificate retrieved(Issued) Issued"

  9. A .cer file will be created

  10. Copy this file to the web server
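The same request the MMC wizard builds above, produced with an INF file and certreq instead, as an added example that is not part of the original page. It creates the CSR, submits it with the WebServer template and completes the request in one pass; the host name, template name and C:\Temp paths are placeholders.

```powershell
# Added example (not from the original page): INF-driven certreq equivalent of
# the MMC custom request. Host name, template and paths are placeholders.
$Fqdn     = "myserver.foray.local"   # must match the CN and SAN used in IIS
$Template = "WebServer"              # CA template, as in the -submit step above
$Work     = "C:\Temp"
$Inf = Join-Path $Work "$Fqdn.inf"
$Csr = Join-Path $Work "$Fqdn.csr"
$Cer = Join-Path $Work "$Fqdn.cer"

@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
FriendlyName = "$Fqdn"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
; Key usage bits: digital signature (0x80) + key encipherment (0x20)
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2   ; Client Authentication

[Extensions]
; Subject Alternative Name with a DNS entry matching the CN
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $Inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the Base64 CSR
certreq -new $Inf $Csr
# 2. Submit to the CA (the CA picker appears, as in the GUI steps) and save the .cer
certreq -submit -attrib "CertificateTemplate:$Template" $Csr $Cer
# 3. Join the issued certificate to its private key in LocalMachine\My
certreq -accept -machine $Cer
```

Run it in an elevated PowerShell on the web server; after step 3 the certificate is already in the Personal store, so the IIS "Complete Certificate Request" step is not needed.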

Submitting new request does not work


Complete Certificate Request

  1. On the web server

  2. Run IIS as administrator (right-click Run as administrator)

  3. Select the server

  4. In the IIS section of Features View open Server Certificates

  5. Click "Complete Certificate Request..."

  6. Select the .cer file

  7. Friendly name: a name to identify the certificate, ex: myserver.domain.local

  8. Select a certificate store for the new certificate: Personal (yes, Personal)

  9. Click OK

Assign Certificate to Website

  1. Select the website, ex: Default Web Site

  2. Click Bindings...

  3. Click Add...

  4. Select: https

  5. IP address: All Unassigned or the IP of the site

  6. Port: 443

  7. Host name: leave this blank

  8. SSL certificate: select the certificate completed above

  9. Click OK

  10. Click Close

  11. Test the certificate by going to the root of the server in both IE and Chrome or Firefox

    Ex: https://myserver.mydomain.local

  12. Test Adams Web and/or Adams Admin as appropriate

    Ex: https://myserver.mydomain.local/AdamsWeb

References

How to Request a Certificate With a Custom Subject Alternative Name - This includes an alternate option to generate the request from the command line. If this is used be sure to perform all portions of the request on the requesting server and not on the CA server.

Using Certificate Extensions rather than Request Attributes for Certificate Requests containing SANs - Helpful if the command line request process is used.

Certreq

Ā© 2023 Foray, LLC - All Rights Reserved