
16/1/2019 Enable HTTPS Certificate Authority for Web Enrollment


Enabling HTTPS on Windows Server 2008/2012 Certificate Authority for Web Enrollment

Posted on June 10, 2014 by Daniel Petri in Windows Server 2008


When you install a Certificate Authority (CA) on Windows Server 2008/R2/2012, it is usually for the purpose of issuing digital certificates. These are then used by users, computers, devices, and so on to prove their identity, and for other kinds of communication that rely on Public Key Infrastructure (PKI) encryption. In today's article I'll walk you through how to enable HTTPS on the Certificate Authority Web Enrollment pages, how to create the certificate template, and more.

https://www.petri.com/enable-https-certificate-authority-web-enrollment-windows-server-2008-2012 1/11

Issuing Digital Certificates with Certificate Authority Web Enrollment

I will not go into more detail just now as to why and how you would install this CA (that is something I will probably cover in a later article). However, assuming you know a bit about Windows-based CAs, there are basically four common methods of issuing certificates:

1. Auto-enrollment, in which many types of certificates are distributed without the client even being aware that enrollment is taking place. These include most certificates issued to computers and services, as well as many certificates issued to users.

2. Manual enrollment through the Certificates console (certmgr.msc, or the Certificates MMC snap-in), using Request New Certificate (the wizard's "Automatically Enroll and Retrieve Certificates" option).

3. Programmatic enrollment through the Cryptography API: Next Generation (CNG) in Windows Server 2008/R2/2012, and through CryptoAPI in earlier versions of Windows Server.

4. Web Enrollment (the default URL is http://CA-Name/certsrv, where CA-Name is the name of the issuing Certification Authority), which is what this post covers. The Certification Authority (CA) Web Enrollment role service provides a set of web pages that let you interact with the Certification Authority role service.

Note: You can install CA Web Enrollment on a server that is not a CA, to keep web traffic away from the CA itself. Installing CA Web Enrollment configures that computer as an enrollment registration authority. You must select a CA to be used with the CA Web Enrollment pages; the CA that CA Web Enrollment uses is called the Target CA in the user interface.

You can perform the following tasks from the CA Web Enrollment pages:

Request a basic certificate

Request a certificate with advanced options

Check a pending certificate request

Retrieve the certification authority's certificate to place in your trusted root store, or install the entire certificate chain in your certificate store

Retrieve the current base and delta CRLs

Submit a certificate request by using a PKCS #10 file or a PKCS #7 file

Request a Certificate

So, you've installed your CA, added the Web Enrollment role service, and now you would like to request a certificate or perform one of the tasks described above.

First, open a web browser window, navigate to http://CA-Name/certsrv and click Request a certificate.

Next, click the type of certificate you want to issue (in this case, a user certificate).

The next thing you will see is an error reading, "In order to complete the certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication."

The reason for this error is that the CA Web Enrollment pages require that you secure them with SSL/TLS. To resolve this, you must install an appropriate certificate on the web server hosting the CA Web Enrollment pages, and configure the Site Bindings for the website to add an HTTPS binding on TCP port 443.

Create the Certificate Template to Issue

Before we begin, we need to make sure that the server hosting the Web Enrollment role service and IIS can enroll for and receive a digital certificate intended for the purpose of Server Authentication. This means the certificate must carry the Server Authentication object identifier (OID), 1.3.6.1.5.5.7.3.1, in its Enhanced Key Usage extension.

Read my article, "Creating a Digital Certificate Template for the Purpose of Server Authentication in Windows Server 2008/R2/2012," for more information about this.

Obtain a Certificate for IIS Using the Certificate Template

Next, on the IIS server hosting the CA Web Enrollment pages, open an MMC console by typing mmc and then pressing Enter.

In the new MMC console (Console1), click File, then click Add/Remove Snap-in.

From the list of available snap-ins, select Certificates and then click Add.

Select Computer account and then click Next.

By default, Local computer is selected under Select Computer. Click Finish and then click OK.

Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.


Click Next in the Certificate Enrollment wizard.

On the Select Certificate Enrollment Policy page, ensure that Active Directory Enrollment Policy is selected and then click Next.

On the Request Certificates page, select the certificate template you want to use from those available.

You must make sure that the certificate template you are about to request contains the Server Authentication OID, 1.3.6.1.5.5.7.3.1. Read my article, "Creating a Digital Certificate Template for the Purpose of Server Authentication in Windows Server 2008/R2/2012," for more information about this.

The built-in Computer template does. You can verify this by clicking the Details arrow next to the template and looking at the Application Policies section.

Click Enroll, then click Finish.

When the process is finished, you will have a brand new digital certificate in the Personal store of the local computer.

Configure HTTPS on the Default Web Site

Next, we need to enable IIS to use this certificate and listen (bind) on the right port (TCP 443) for HTTPS connections.

On the IIS server hosting the CA Web Enrollment pages, open Internet Information Services (IIS) Manager.

Click the server name. In the Features View, double-click Server Certificates.

Note that our certificate is listed. You can inspect it if you want to: the certificate's purpose should read "Ensures the identity of a remote computer." To verify further, open the Details tab of the certificate, select Enhanced Key Usage and make sure it reads Server Authentication (1.3.6.1.5.5.7.3.1). Click OK.

Expand the server and Sites nodes until you can see Default Web Site, then click Default Web Site.

In the Actions pane, click Bindings.

In Site Bindings, click Add.

In Add Site Binding, set Type to https.

Set SSL certificate to the certificate that you issued to the server. If you have more than one certificate, confirm you have the correct one by clicking View and checking its subject name and thumbprint.

In Add Site Binding, click OK. In Site Bindings, click Close.
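The certificate request and the IIS binding steps above, as one script. This is an added example and not code from the original article. It assumes the Web Enrollment host is domain-joined; that a template named WebServer carrying the Server Authentication EKU is published on the issuing CA (the article uses the Computer template, whose subject is built from Active Directory; WebServer lets the script name the FQDN explicitly); that the PKI and WebAdministration modules are available (Windows Server 2012 or later); and that ca01.corp.example.com is a placeholder for the host's real FQDN. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original article. Requires an elevated session,
# a domain-joined host, and Windows Server 2012 or later (PKI + WebAdministration).
Import-Module PKI
Import-Module WebAdministration

$fqdn       = 'ca01.corp.example.com'   # assumed placeholder; use the host's real FQDN
$template   = 'WebServer'               # assumed template name, published on the issuing CA
$serverAuth = '1.3.6.1.5.5.7.3.1'       # Server Authentication EKU OID, as in the article

# 1. Request the certificate via the Active Directory enrollment policy. This is the
#    scripted form of Certificates (Local Computer) > Personal > Request New Certificate.
$req = Get-Certificate -Template $template -DnsName $fqdn -SubjectName "CN=$fqdn" `
                       -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($req.Status)"
}
$cert = $req.Certificate

# 2. The check the article tells you to make by hand: refuse to bind a certificate
#    whose Enhanced Key Usage does not include Server Authentication.
$ekus = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
if ($ekus -notcontains $serverAuth) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
}

# 3. Add the https binding on Default Web Site and attach the certificate
#    (Site Bindings > Add > Type https > SSL certificate).
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# 4. Make the enrollment pages refuse plain HTTP outright (IIS Manager: CertSrv >
#    SSL Settings > Require SSL), so the http:// URL that produced the error in the
#    article is not left answering on port 80.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site/CertSrv' `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

Write-Host "HTTPS binding ready: https://$fqdn/certsrv (thumbprint $($cert.Thumbprint))"
```

Get-Certificate returns a result whose Status is Pending rather than Issued when the template requires CA manager approval; the script stops there on purpose, since there is nothing to bind yet. Step 4 goes one step beyond what the article shows: adding the https binding does not remove the http one, and requiring SSL on the CertSrv application is what actually closes the port-80 path.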

Connect to the HTTPS Location for Certificate Web Enrollment


Instead of the former http://CA-Name/certsrv, you must now connect to https://CA-Name/certsrv to request a certificate. The error is gone.

Note: Adding the HTTPS binding does not remove the HTTP one. The enrollment pages still answer on port 80 and still prompt for Windows credentials there, so if you do not want anyone using the plain-HTTP URL, also tick Require SSL under SSL Settings for the CertSrv application in IIS Manager. Requests on port 80 are then refused up front rather than failing at the final enrollment step.

Note: If you browse to https://localhost/certsrv instead of using the server's name, you may get a certificate warning. This is because the server presents a certificate that claims to be for CA-Name, while the URL you typed says localhost. You can click "Continue to this website" to get past the warning, but the correct fix is to correct the URL: this is the same warning a user would see if another server were impersonating your CA, so it is not one to get into the habit of clicking through.

This may also happen if you use just the host name part of the server's FQDN. Again, this is because it is not the name to which the certificate was issued.

Note: You may be required to enter your credentials.

Did you try to use the server's FQDN and get an error? Read my article, "Solving the 'This Web Browser Does Not Support the Generation of Certificate Requests' Error," for a solution.
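To see the name mismatch described above without clicking through browser warnings, the following added example (not code from the original article) opens a TLS connection to the enrollment host, captures the certificate the server presents, and compares the DNS names in it with the host name used in the URL. It assumes PowerShell 3.0 or later on a client that can reach the server; ca01 and ca01.corp.example.com are placeholders. The validation callback deliberately accepts any certificate, because the point is to inspect it, not to trust it.

```powershell
# Added example, not from the original article. Host names are placeholders.
function Get-CertSrvServerCertificate {
    param(
        [Parameter(Mandatory)][string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything here on purpose: we only want to look at the certificate.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # the host name is also sent as SNI
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-CertSrvName {
    param(
        [Parameter(Mandatory)][string] $HostName,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    # Names a browser will accept: the Subject Alternative Name dNSName entries,
    # or the subject CN when the certificate has no SAN extension at all.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # On Windows, Format($false) renders the SAN as "DNS Name=a, DNS Name=b, ..."
        $names = $san.Format($false) -split ',\s*' |
                 Where-Object { $_ -like 'DNS Name=*' } |
                 ForEach-Object { ($_ -split '=', 2)[1] }
    } else {
        $names = @($Certificate.GetNameInfo('DnsName', $false))
    }
    $match = $names | Where-Object { $_ -ieq $HostName }
    [pscustomobject]@{
        Requested   = $HostName
        CertNames   = $names -join '; '
        NameMatches = [bool]$match
        Issuer      = $Certificate.Issuer
        EKU         = ($Certificate.EnhancedKeyUsageList | ForEach-Object ObjectId) -join '; '
    }
}

# Usage: the FQDN should match; 'localhost' and the bare host name will not unless
# you deliberately added them to the certificate, which is the warning the article describes.
foreach ($h in 'ca01.corp.example.com', 'ca01', 'localhost') {
    $cert = Get-CertSrvServerCertificate -HostName $h
    Test-CertSrvName -HostName $h -Certificate $cert
}
```

NameMatches is True only for a host name the certificate actually carries. If you need the short name or an alias to work as well, the fix is to add it as a SAN entry when requesting the certificate, not to train users to click past the warning.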


Daniel Petri is a world-known IT professional, technical trainer and creator of one of the world's largest IT knowledge bases, www.petri.com. Daniel consults for leading global Fortune 1000 companies on Microsoft IT Infrastructure and Engineering strategies.

For his contribution to the IT Pro community Daniel has received the Microsoft Most Valuable Professional (MVP) award for the 14th time. Daniel's professional certifications include Microsoft Certified Technology Specialist, Microsoft Certified Systems Engineer, Microsoft Certified System Administrator and Microsoft Certified Trainer.

While working for Microsoft, Daniel served as a Senior Premier Field Engineer (PFE) specializing in Windows Server OS and Active Directory.

Daniel now works for ObserveIT, makers of the Insider Threat Detection software, as a Senior Solutions Architect, managing large deployment projects and partner and customer training programs.

In his spare time, Daniel rides a 1200cc 2015 model Ducati Multistrada 1200S bike and manages the Israeli Bikers forum.

You can contact Daniel at daniel-at-petri-dot-co-dot-il.


© 2019 BWW Media Group | Terms and Conditions
