Tuesday, March 19, 2024

How to Install a Certificate Authority on Windows Server 2012

Step 1:

You need the Active Directory Certificate Services role installed to have a Certificate Authority. It can be on a DC or on the Exchange server itself.
I have done this on the Exchange Server itself (No Harm)

Open Server Manager – Manage – Add Roles and Features

Step 2:

Choose: Active Directory Certificate Services

Choose Next

And choose: Certification Authority Web Enrollment

Choose: Certification Authority and Certification Authority Web Enrollment

Choose Install

Choose Close

Step 3:

To configure Active Directory Certificate Services:

Choose the exclamation mark on the flag

Choose Next

Choose Certification Authority & Certification Authority Web Enrollment

Choose Enterprise

Step 4:
Choose Root CA

Step 5:
Create a new Private key

Step 6:
Keep the default key length of 2048.

Update: It's recommended to use SHA256, as SHA1 is being retired.

To upgrade your existing internal CA:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
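
The registry change only takes effect once the CA service restarts. A fuller sequence with before-and-after checks, as an added example that is not part of the original post; it assumes the CA key is held by a CNG key storage provider:

```powershell
# Run in an elevated session on the CA server.
# Assumption: the CA uses a CNG key storage provider (KSP). A CA on a legacy
# CSP has no CNGHashAlgorithm value and must be moved to a KSP first.
certutil -getreg ca\csp\Provider            # shows the provider in use
certutil -getreg ca\csp\CNGHashAlgorithm    # current signing hash, e.g. SHA1

# Switch the signing hash and restart the service so the CA picks it up.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service -Name CertSvc

# Verify the new value.
certutil -getreg ca\csp\CNGHashAlgorithm

# Certificates and CRLs issued from now on are signed with SHA256.
# Certificates issued earlier, and the CA's own certificate, keep their SHA1
# signature. The CA certificate is only re-signed when it is renewed:
#   certutil -renewCert ReuseKeys
#   Restart-Service -Name CertSvc
```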

Step 7:
Click Next

Step 8:
By default the certificate is valid for 5 years. Don't make any changes to it; click Next.

Step 9:

Choose Configure

Installation and configuration are done.
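
Steps 1 to 9 can also be carried out from an elevated PowerShell session instead of the wizard. This is an added example, not part of the original post; the key storage provider name is an assumption (the usual wizard default), and SHA256 is chosen following the update note in Step 6.

```powershell
# Run elevated on the server that will host the CA. Installing an Enterprise CA
# requires an account that is a member of Enterprise Admins.

# Steps 1-2: add the AD CS role with both role services.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 3-8: Enterprise Root CA, new 2048-bit private key, 5-year validity.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    # Assumed provider: the software KSP, needed for CNG hashes such as SHA256.
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
}
Install-AdcsCertificationAuthority @caParams -Force

# Step 9: configure web enrollment (this creates the CertSrv virtual directory).
Install-AdcsWebEnrollment -Force

# Checks: the CA service is running and signs with the expected hash.
Get-Service -Name CertSvc
certutil -getreg ca\csp\CNGHashAlgorithm
```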

Let us see how to request and create a simple certificate from the internal Certificate Authority.

Step 10:
Now if you open IIS Manager, you will see “CertSrv”, a virtual directory that has been created.

In the right-side column, use “Browse *:443 (https)”.

Note:

If you don’t see “Browse *:443 (https)”, it means the binding is not there. In my example, with Exchange 2013, Exchange added the binding.

To add the binding – right-click Default Web Site – click Edit Bindings

Click Add

HTTPS – 443 – choose the CA cert

Now you can see 443 in your website.

Step 11:
You will see a page like this. Choose Request a Certificate

Step 12:
Click on Advanced Certificate Request

Step 13:
Choose the Second one
Submit a certificate request by using a base-64-Encoded CMC

Step 14:
Now copy the certificate request text from Notepad. You have to generate a certificate request from the application. For example, this is how we do it in Exchange Server:

https://www.azure365pro.com/how-to-create-an-ssl-certificate-request-for-exchange-server-2013/

Or you can use https://www.digicert.com/util/

Choose Template: WebServer

Step 15:
Choose “Base 64 encoded”

Step 16:
Save the Certificate

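
The text pasted in Step 14 is a base-64 certificate request generated on the server that will use the certificate. One way to produce and submit it with the built-in certreq tool, as an added example that is not part of the original post; the host names and the CA config string are constructed placeholders:

```powershell
# Run elevated on the server that needs the certificate.
# Constructed sample values: replace the host names with your own.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=mail.example.com"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
HashAlgorithm = SHA256
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mail.example.com&"
_continue_ = "dns=autodiscover.example.com&"
'@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# Creates the key pair in the machine store and writes the base-64 request.
certreq -new .\request.inf .\request.req
Get-Content .\request.req    # this is the text pasted into the form in Step 14

# Steps 14-16 from the command line instead of the CertSrv pages.
# 'CA01.example.com\Example-Root-CA' is a placeholder for "<CA host>\<CA name>".
certreq -submit -config 'CA01.example.com\Example-Root-CA' -attrib 'CertificateTemplate:WebServer' .\request.req .\certificate.cer

# Bind the issued certificate to the private key created by "certreq -new".
certreq -accept .\certificate.cer
```

The private key never leaves the requesting server; only the request and the issued certificate are exchanged with the CA.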

Satheshwaran Manoharan
https://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks. In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also acting as a Technical Advisor for various start-ups.

82 COMMENTS

  1. Hi, many thanks for the write up.

    will this cert enable internal outlook users to connect to internal exchange server 2013?

    thanks in advance

    Ajay Paul

  2. Thanks for the guide! I’m getting the following message when trying to request a certificate by using a base-64-encoded CMC: “No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing Active Directory.” This is a brand new Windows Server 2012 installation and I followed your guide from start to finish. Any ideas?

    Steve

  3. Hi Rajnish.

    Are we missing a step or two?

    When IIS is installed HTTPS is not enabled. In Step 10 the option to browse “Use the right side column “Browse *.443(https)” is not available.

    Step 14 requires clarification – Now Copy the Note pad – We need an explanation of where the data in the Note pad is coming from.

    Please review and clarify

  4. OK – I’m at Step 14 – where does the NOTEPAD info come from !!! ?

    I’m TESTING Exchange so don’t have a proper certificate
    Will this work with a self-signed Certificate ?

    (there is little or no information about using Self-Signed Certs with Exchange – I appreciate I’ll need one eventually if and when this gets into production)

  5. Great information, but request the following information:

    In step 10, am I right-clicking each port and copying information from each port, then copying into Notepad, then pasting the information from Notepad in step 14?
    You have done a great job with your post and I am probably being naïve, but clarification would be appreciated.

  6. As the others have mentioned, While in IIS Manager, only Browse *.80 (http) is available to select. Browse *.443 (https) is not seen, nor are any others as shown in your description.

    Any Thoughts?

  7. Hi,

    It is possible to deploy a Windows Server 2012 R2 Certificate Authority in a Windows Server 2003 domain.

    Thanks,

    Carlos Santos

  8. Hey,

    In Step 3: Setup type -> Specify the setup type of the CA -> the 1st option “Enterprise CA” is greyed out for me. What should I do to enable it? Please suggest.
    Thank you

  9. DID EXACTLY WHAT YOU INSTRUCTED AND IT DID NOT WORK FOR ME! I am having the same issue at step 10 that others have been telling you about. You have assumed that when we get there that “Browse: 443 (https)” will be on the right, and my friend, for some of us including myself, it “DOES NOT APPEAR”. And since it does not appear, when we get to step 14, the screen for the certificate text is blank. THEREFORE, YOUR INSTRUCTIONS FOR US WHO DO NOT SEE “443”, YOUR INSTRUCTIONS ARE NOT CORRECT! Please make note of this and adjust your post!

    • Updated the blog. If you are installing this on a non-Exchange machine, you have to add bindings to see 443. Check now.

      • For a start, just the condescending tone of some people… How petty bourgeois, all of it. There must be excess in all things, even if it means sometimes going backwards. You offer us moderation in all things, even if it means not moving an inch. How petty bourgeois, all of it.

  10. Where can I Find the Certificate Request file? I don’t see where you saved it? Can I get help on this please. Thanks!

  11. How do I generate the certificate before downloading it? Where does the IP address used to log in to the URL come from? When I'm on the web browser, it will not take it, e.g. 10.20.34.2/cert/svr.

  12. I do not have a Default Website in the list, thus there is no CertSrv. What could I do to remedy this? I know how to create Sites but the directories… I don’t know where they should point to.

  13. Hi, many thanks for the write up.

    will this cert enable external outlook users to connect to exchange server 2013?

    thanks in advance

    • No. It's just for internal users. It's highly recommended to use an external cert for both, internal and external.

  14. Hello,

    Thanks for this guide.

    I’m almost done with it but at Certification template I cannot choose “Web server”. There is only User and Basic template. What did I do wrong?

    Thank you!

  15. Hi Satish,

    I am at Step 14. I am not able to proceed after Step 13. Could you please let me know the location from where I can copy the text and paste it in the request box? I searched in the Certserv folder and in certrqxt, but was not able to see the requested file contents.

    Could you please help me out. Thanks..

  16. Thank you so much,
    If I create the CA server, can I assign Outlook Anywhere and Autodiscover with this server?
    Afterwards, can I turn it off and turn it on only when I need it?

    thank you

  17. Hello,

    I’ve seen internal CA servers more often nowadays. I’m not too familiar with their benefits for a business or company. The only certs I ever had to deal with were from 3rd parties like GeoTrust. So the question is, what are the benefits of having an internal CA server in the environment if it’s usually recommended to have external certs for both internal (Outlook) and external (OWA) users of Exchange? What other benefits will an internal CA server provide? What are the reasons why it would be beneficial for a business to set one up? Please advise as I would like to get this going for our business if there are good benefits.

  18. Thanks for the guide. I’m trying to create a User Certificate and I get the error below. What am I missing?

    Your request failed. An error occurred while the server was processing your request.

    Contact your administrator for further assistance.

    Request Mode:
    newreq NN – New Request (keygen)
    Disposition:
    (never set)
    Disposition message:
    (none)
    Result:
    Invalid pointer 0x80004003 (-2147467261 E_POINTER)
    COM Error Info:
    CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
    LastStatus:
    The operation completed successfully. 0x0 (WIN32: 0)
    Suggested Cause:
    No suggestions.

  19. Thanks for some other informative blog. Where else may just I am getting that type of info written in such a perfect way? I’ve an undertaking that I’m simply now running on, and I have been on the glance out for such information.

  20. I am getting the below error when installing a second CA server with SHA256 within the same forest:

    certification authority web enrollment network name is no longer available 0x80070040 (win32:64 ERROR_NETNAME_DELETED)

    Can anyone help with this?

  21. I'm getting this

    our request failed. An error occurred while the server was processing your request.

    Contact your administrator for further assistance.

    Request Mode:
    newreq NN – New Request (keygen)
    Disposition:
    (never set)
    Disposition message:
    (none)
    Result:
    Invalid pointer 0x80004003 (-2147467261 E_POINTER)
    COM Error Info:
    CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
    LastStatus:
    The operation completed successfully. 0x0 (WIN32: 0)
    Suggested Cause:
    No suggestions.
