Configure Windows 2012 R2 CA and generate a certificate for IIS
This quick note makes the following assumptions:
- This is a small-scale network.
- An AD domain has been set up.
- The IIS web server is not joined to the domain.
- A CA is set up on the Domain Controller to issue the cert.
- Trust the root CA at all client devices
- Install CA
  (Reference: Deploying a Windows Server 2012 R2 Certificate Authority)
  (Reference for Windows 2016: by CareExchange.in)
  - Follow all the steps in "Install Active Directory Certificate Authority" in the above reference, except:
    - I only install "Certification Authority". I do not install any web-related component.
    - Use SHA256 instead of SHA1 for the hash algorithm. SHA256 and 2048 bit is the minimum strength required nowadays.
  - Open the "Certificate Authority Management tool" to verify that the CA is installed and running properly.
- Export Root CA public certificate
  - On the CA server, open "Manage Computer Certificates", or certlm.msc.
  - Under "Certificates - Local Computer" - "Personal" - "Certificates", you should be able to find the Root CA certificate.
  - Double-click the Root CA certificate. Switch to the "Details" tab. Click "Copy to File", accept all default settings, and then select a path for the exported Root CA cert.
- Generate CSR (Certificate Request) at IIS Manager
  - Follow all the steps from Digicert.
  - Copy the output file to the CA server.
- Submit CSR via command line - certreq
  - I prefer not to use the Web, to keep it simple, lightweight and more secure.
  - Run the command below on the CA server:
certreq -Submit -Attrib "CertificateTemplate:WebServer" -Config - C:\cert\myCSR.txt
Active Directory Enrollment Policy
Certificate retrieved(Issued) Issued
  - Then you will be prompted for the output file location. Follow the GUI.
  - Copy the output file *.cer back to the IIS server.
  - Please also copy the Root CA cert exported in step 2 ("Export Root CA public certificate") to the IIS server.
- Import the certificate for IIS (Reference: Digicert)
  - Please refer to all steps in the above reference.
- Import the Root CA cert to Windows of IIS/Client PC
  - Double-click the Root CA cert.
  - Click "Install Certificate".
  - Select "Local Machine".
  - Select "Place all certificates in the following store". Browse to "Trusted Root Certification Authorities".
  - Then finish the process.
- Trust the Root CA at client devices
  - Transfer the Root CA cert obtained in step 2 ("Export Root CA public certificate"):
    - by placing it on a web server, OR
    - by transferring it via USB/data cable ...
  - Install the Root CA certificate as a trusted certificate:
    - Android, install under:
      - Settings->Wi-Fi->Advanced Settings->Install Certificates, OR
      - Settings > Privacy > Credential Storage > Install from storage
    - Windows domain
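
A check to run on the IIS server before the two import steps, as an added example that is not part of the original note: it confirms that both certificates meet the SHA256/2048-bit minimum, that the issued certificate carries the Server Authentication usage expected from the WebServer template and chains to the exported Root CA, and it prints the root's thumbprint so it can be compared with the copy on the CA server. The file paths, the use of RSA keys and the skipped revocation check are assumptions.

```powershell
# Added example, not from the original note. Both file paths are assumptions.
param(
    [string]$RootCaPath = 'C:\cert\rootCA.cer',  # assumed: Root CA cert exported in step 2
    [string]$IssuedPath = 'C:\cert\myCert.cer'   # assumed: output file saved by certreq
)
$x509   = 'System.Security.Cryptography.X509Certificates'
$root   = New-Object "$x509.X509Certificate2" $RootCaPath
$issued = New-Object "$x509.X509Certificate2" $IssuedPath
$problems = @()

# 1. Hash algorithm and key size: the note asks for at least SHA256 and 2048 bit.
#    Assumes RSA keys; PublicKey.Key is not supported for ECDSA certificates.
foreach ($c in $root, $issued) {
    if ($c.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
        $problems += "$($c.Subject): weak signature $($c.SignatureAlgorithm.FriendlyName)"
    }
    if ($c.PublicKey.Key.KeySize -lt 2048) {
        $problems += "$($c.Subject): key is only $($c.PublicKey.Key.KeySize) bits"
    }
}

# 2. The issued cert must carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$eku    = $issued.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($usages -notcontains '1.3.6.1.5.5.7.3.1') {
    $problems += 'Issued cert lacks the Server Authentication EKU'
}

# 3. Build the chain without relying on the Trusted Root store, then pin the
#    chain's last element to the exported Root CA by thumbprint.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode    = 'NoCheck'  # assumption: CRL not reachable off-domain
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($root)
$built  = $chain.Build($issued)
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $built -or $anchor.Thumbprint -ne $root.Thumbprint) {
    $problems += 'Issued cert does not chain to the exported Root CA'
}

"Root CA SHA-1 thumbprint (compare with the value shown on the CA): $($root.Thumbprint)"
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
'All checks passed; the certificate can be imported.'
```

The thumbprint comparison matters most when the Root CA file travelled over a web server or USB stick, because anything placed in the Trusted Root store can vouch for any site.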