So you host a bunch of internal SharePoint sites, Websites and other internal web applications. You want to secure them with SSL but you cannot afford a certificate from a third party certificate authority right now. I am going to walk you through installing a new CA, request a certificate, approve a certificate and then install a certificate.
CA Install:
Go to start and click on “Server Manager”
Select ”Roles”
Click on “Add Roles”
Select “Certificate Services” and click next
I typically choose “Certification Authority” and “Certification Authority Web Enrollment” and click next
NOTE: I choose the web enrollment so I can request certificates and download them from the web browser.
I chose “Stand Alone” on the next screen
NOTE: You can choose “Enterprise” to integrate this CA with active directory. I chose not to in my setup.
This is the first Certificate Authority so choose “Root CA” then click next
Choose “Create new Private Key” then click next
Leave the default unless your needs require you to choose another type of security. Click next
Give your CA a name and click next
Set the validity period (This is the number of years for which your CA’s certificates are valid before it expires) I chose 10 years. Click next when you are done setting this
This next screen shows you where the certificate databases will be located. Click next
Click Install
Now your Certificate Authority will be installed.
To Request a Certificate:
Go to your new Certificate Authority website and click on “Request a certificate”
NOTE: The CA website URL is: http://SERVERNAME/certsrv/
Choose Web Browser Certificate
If you are on Windows Vista or Windows 7 you may get the following error
To get past this error in internet Explorer select Tools>>Internet Options>>Security then choose the zone you need. For me this was Local intranet. Now select the “Custom Level…” button and look for “Initialize ActiveX unsafe for scripting”. You need to enable this.
Now close and reopen your browser
Now when you go to request a certificate you will not get the above error. You will get the below prompt. Click yes on it.
Now you will be able to fill out the information to submit a certificate request.
To approve the certificate request:
Log onto the CA server
Go to Start >> Programs >> Administrative Tools >> Certification Authority
Expand the CA and you will see pending requests
Right click on the pending certificate and select Issue
That is it now your certificate is ready to be used.
To install the approved certificate:
Go back to the certificate site (http://SERVERNAME/certsrv/) and click on “View the status of a pending certificate request”
On the next screen click on the certificate that you requested
Now click on “Install this certificate”.
That is it. Your new certificate should now be installed.
Fore more info about Certificate Services visit:
hie
would you have nay idea why I dont have the option “Choose Web Browser Certificate” under select certificate type?? the only link that I have there is user certificate?? is there another way to do this??…..
thanks for your reply
Leslie
Hi Leslie,
Is the “Web Browser Certificate” not showing up when you go to request the certificate or go to install it?
If it is when you go to install it did you make sure that when you requested the certificate did you chose the “Web Browser Certificate” option?
Thanks
yes the web browser certificate link is not showing up when I request the certificate.
I did install certification authority web enrollment. I had had to add the feature later after I had already installed the active directory certificate services.
so do you know any other way to resolve this issue??
thanks
Leslie
hie
if you look at the screenshot under “Choose Web Browser Certificate”, I don’t have the options “Web browser certificate” and “Email protection certificate” would you have any idea why?? is there another way to get those options????
thanks
Leslie
Hi Leslie,
I would suggest uninstalling your CA and re-install it. This time make sure you install Active Directory Certificate Services first and then the Certification Authority and the Certificate Authority Web Enrollment as in the blog post.
Also did you deploy this as a Enterprise or Standalone CA? In my example I chose Standalone. I recommend you do the same to get the same results.
If those suggestions do not work I don’t think there is much more help I can provide without seeing your actual server.
I hope this helps.