Configure Windows 2012 R2 CA and generate a certificate for IIS

This quick note makes the following assumptions:
  1. This is a small-scale network.
  2. An AD domain has been set up.
  3. The IIS web server is not domain-joined.
  4. A CA is set up on the Domain Controller to issue the certificate.
  5. The root CA must be trusted on all client devices.
Detailed steps:
  1. Install CA
    (Reference: Deploying a Windows Server 2012 R2 Certificate Authority)
    (Reference for Windows 2016: CareExchange.in)
    1. Follow all the steps in "Install Active Directory Certificate Authority" from the above reference, except:
      1. I only install "Certification Authority". I do not install any web-related component.
      2. Use SHA256 instead of SHA1 for the hash algorithm. SHA256 and a 2048-bit key are the minimum strength required nowadays.
    2. Open the "Certification Authority" management tool to verify that the CA is installed and running properly.
  2. Export Root CA public certificate
    1. At CA server, open "Manage Computer Certificates", or certlm.msc.
    2. Under "Certificates - Local Computer" - "Personal" - "Certificates", you should be able to find the Root CA certificate.
    3. Double-click on the root CA certificate. Switch to the "Details" tab, click "Copy to File", accept all default settings, and then select a path for the exported Root CA cert.
  3. Generate CSR (Certificate Request) at IIS Manager
    1. Follow all the steps from the Digicert reference.
    2. Copy the CSR output file to the CA server.
  4. Submit CSR via command line - certreq
    1. I prefer not to use the web enrollment pages; the command line keeps it simple, lightweight and more secure.
    2. Run the command below on the CA server ("-Config -" prompts you to pick the CA, which produces the enrollment policy lines in the output):
      certreq -Submit -Attrib "CertificateTemplate:WebServer" -Config - C:\cert\myCSR.txt
      Active Directory Enrollment Policy
        {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
        ldap:
      RequestId: 7
      RequestId: "7"
      Certificate retrieved(Issued) Issued
    3. You will then be prompted for the output file location. Follow the GUI.
    4. Copy the output file *.cer back to the IIS server.
    5. Also copy the Root CA cert exported at step 2 to the IIS server.
  5. Import the certificate for IIS (Reference: Digicert)
    1. Follow all the steps in the above reference.
  6. Import the Root CA cert into Windows on the IIS server / client PC
    1. Double-click on the Root CA cert.
    2. Click "Install Certificate".
    3. Select "Local Machine".
    4. Select "Place all certificates in the following store" and browse to "Trusted Root Certification Authorities".
    5. Then finish the process.
  7. Trust the Root CA at client devices
    1. Android
      1. Transfer the Root CA cert obtained at step 2:
        1. by placing it on the web server, or
        2. by transferring it via USB/data cable ....
      2. Install the Root CA certificate as a trusted certificate. On Android, install it under one of:
        1. Settings > Security > Trusted Credentials > User, or
        2. Settings > Wi-Fi > Advanced Settings > Install Certificates, or
        3. Settings > Privacy > Credential Storage > Install from storage
    2. iOS
      1. Installing private root CA certificate on iOS devices (Technet, Microsoft)
    3. Windows domain
      1. Manage Trusted Root Certificates (Technet, Microsoft)
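The four Windows-side steps above (export the root CA at step 2, build the CSR at step 3, submit it at step 4, trust the root at step 6) as one PowerShell script. This is an added example, not code from the original note; the CA config string, the site host name and the C:\cert paths are assumed placeholders that you must replace. Two things differ from the GUI route in the note: the CSR is built from a certreq INF that puts the host name in a Subject Alternative Name (current browsers match the host name against the SAN and ignore the CN alone, and the IIS Manager wizard does not add one), and the submit step names the CA with an explicit -Config "CAHost\CAName" instead of the picker dialog. Each function runs on the machine given in its comment.

```powershell
# Added example (not from the original note): the Windows-side steps as functions.
# Run each function on the machine named in its comment.
# ASSUMED placeholders: edit these for your environment.
$CaConfig = 'DC01.corp.example\corp-DC01-CA'   # "CAHost\CAName"; certutil -dump on the CA shows the real value
$SiteFqdn = 'www.corp.example'                 # host name browsers will use for the IIS site
$WorkDir  = 'C:\cert'

# --- CA server (step 2): export the root CA certificate, public part only (DER .cer)
function Export-RootCaCert {
    param([string]$OutFile = "$WorkDir\RootCA.cer")
    # The CA's own certificate is self-signed (Subject = Issuer) and carries CA basic constraints
    $root = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -eq $_.Issuer -and
        ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority })
    } | Select-Object -First 1
    if (-not $root) { throw 'No self-signed CA certificate found in Cert:\LocalMachine\My' }
    Export-Certificate -Cert $root -FilePath $OutFile -Type CERT | Out-Null
    Write-Host "Exported $OutFile (thumbprint $($root.Thumbprint)); compare this value on every client"
    return $root.Thumbprint
}

# --- IIS server (step 3): build the CSR with certreq instead of the IIS Manager wizard,
# so the host name lands in a Subject Alternative Name (OID 2.5.29.17)
function New-WebServerCsr {
    param([string]$Fqdn = $SiteFqdn,
          [string]$Inf  = "$WorkDir\request.inf",
          [string]$Csr  = "$WorkDir\myCSR.txt")
    # 2048-bit RSA with SHA256 as the note requires; the private key stays in the machine store
    $infText = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@
    Set-Content -Path $Inf -Value $infText -Encoding ASCII
    & certreq.exe -New $Inf $Csr | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -New failed with exit code $LASTEXITCODE" }
    return $Csr
}

# --- CA server (step 4): submit the CSR non-interactively and write the issued cert to a file
function Submit-WebServerCsr {
    param([string]$Csr = "$WorkDir\myCSR.txt", [string]$Cer = "$WorkDir\myCert.cer")
    & certreq.exe -Submit -Config $CaConfig -Attrib 'CertificateTemplate:WebServer' $Csr $Cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -Submit failed with exit code $LASTEXITCODE" }
    # Check what the CA actually issued before the file is copied to IIS
    $dump   = & certutil.exe -dump $Cer
    $hasSan = $dump -match 'Subject Alternative Name'
    $hasEku = $dump -match 'Server Authentication'
    if (-not $hasSan) { Write-Warning 'Issued certificate has no Subject Alternative Name' }
    if (-not $hasEku) { Write-Warning 'Issued certificate lacks the Server Authentication EKU' }
    return [pscustomobject]@{ File = $Cer; HasSan = [bool]$hasSan; HasServerAuthEku = [bool]$hasEku }
}

# --- IIS server and Windows clients (step 6): trust the root CA machine-wide
function Install-RootCa {
    param([string]$CerFile = "$WorkDir\RootCA.cer", [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerFile)
    # Verify the thumbprint noted on the CA server before adding anything to Trusted Root
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    return (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")
}

# Typical order (file copies between machines are done by hand, as in the note):
#   CA:      $tp = Export-RootCaCert
#   IIS:     New-WebServerCsr                  -> copy C:\cert\myCSR.txt to the CA
#   CA:      Submit-WebServerCsr               -> copy C:\cert\myCert.cer back to IIS, complete it in IIS Manager (step 5)
#   IIS/PCs: Install-RootCa -ExpectedThumbprint $tp
```

Checking the thumbprint before importing into Trusted Root Certification Authorities matters because any certificate in that store can vouch for every HTTPS site the machine visits. Because the WebServer template takes the subject from the request, also keep its Enroll permission limited to the accounts that should be able to obtain server certificates.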
