When you install a Certificate Authority (CA) on Windows Server 2008/R2/2012, it is usually for the purpose of issuing digital certificates. These are then used by users, computers, devices, and so on to authenticate themselves, to prove their authenticity, and for other types of communication that require Public Key Infrastructure (PKI) encryption. In today’s article I’ll walk you through how to enable HTTPS on the Certificate Authority Web Enrollment site, how to create the certificate template, and more.
I will not go into more detail as to why and how you want to install this CA just now (although that’s something that I will probably cover in a later article). However, assuming you know a bit about Windows-based CAs, there are basically four common methods of issuing these certificates:
Note: You can install the CA Web Enrollment on a server that is not a CA to separate web traffic from the CA. Installing CA Web Enrollment configures the computer as an enrollment registration authority. You must select a CA to be used with the CA Web Enrollment pages. The CA that CA Web Enrollment uses is called the Target CA in the user interface.
You can perform the following tasks from the CA Web Enrollment pages:
So, you’ve installed your CA, added the Web Enrollment role service, and now you would like to request a certificate or perform one of the tasks described above.
The next thing you will see is an error reading, “In order to complete the certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication.”
The reason for this error is that the CA Web Enrollment role service pages require that you secure them with secure sockets layer (SSL) / transport layer security (TLS). To resolve this issue, you must install an appropriate certificate on the web server hosting the CA Web Enrollment pages. In addition, you must configure the Site Bindings for the website to add the HTTPS port 443 binding.
Before we begin, we need to make sure that the server hosting the Web Enrollment role service and IIS can enroll for and receive a digital certificate that is intended for the purpose of “Server Authentication.” This means that the certificate must contain the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1
Read my article, “Creating a Digital Certificate Template for the Purpose of Server Authentication in Windows Server 2008/R2/2012” for more information about this.
You must make sure that the certificate template you are about to request contains the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1.
When the process is finished, you will have a brand new digital certificate.
Next, we need to enable IIS to use this certificate and listen (bind) to the right port (TCP 443) for HTTPS connectivity.
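The two steps above, checking that the enrolled certificate really carries the Server Authentication EKU and is issued to the server’s FQDN, and then binding it to TCP 443 in IIS, can be done from PowerShell. The following is an added example, not code from the original article; it assumes the certificate is already in the local machine Personal store, that the WebAdministration module is available (Windows Server 2008 R2 or later), and that the certsrv pages live under “Default Web Site” (the `$siteName` value is an assumption you may need to change).

```powershell
# Added example, not from the original article. Assumes the certificate has already been
# enrolled into Cert:\LocalMachine\My and that the Web Enrollment pages live under
# "Default Web Site" (change $siteName if you installed them elsewhere).
Import-Module WebAdministration

$serverAuthOid = '1.3.6.1.5.5.7.3.1'                                     # Server Authentication EKU
$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # name clients will type
$siteName      = 'Default Web Site'                                      # assumption

function Test-ServerAuthEku {
    # True when the certificate's Enhanced Key Usage extension lists Server Authentication
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}

function Test-NameMatch {
    # True when the name appears as the Subject CN or as a DNS entry in the SAN extension.
    # A certificate that fails this check is what produces the browser's name-mismatch warning.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    $escaped = [regex]::Escape($Name)
    if ($Cert.Subject -match "CN=$escaped(,|$)") { return $true }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    return [bool]($san -and $san.Format($false) -match "DNS Name=$escaped(,|$)")
}

# 1. Pick the newest unexpired certificate that has a private key, the Server Authentication
#    EKU, and a name matching the FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   (Test-ServerAuthEku $_) -and (Test-NameMatch $_ $fqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No Server Authentication certificate for $fqdn found in LocalMachine\My" }
"Using {0} (thumbprint {1}, expires {2})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# 2. Add the HTTPS binding on TCP 443 if the site does not have one yet.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}

# 3. Attach the certificate to the binding. IIS:\SslBindings is keyed by "IP!port";
#    0.0.0.0 is the "All Unassigned" address.
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
$cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# 4. Show the result so you can confirm the binding before browsing to https://<fqdn>/certsrv
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Thumbprint
```

Run it in an elevated PowerShell session on the server that hosts the Web Enrollment pages. Selecting the certificate by EKU and name, rather than by picking the first one in the store, avoids binding a certificate that would trigger either the HTTPS error or the name-mismatch warning described later in the article.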
Instead of using the former http://CA-Name/certsrv you must connect to https://CA-Name/certsrv to request a certificate. Now the error is gone.
Note: If you attempt to browse to https://localhost/certsrv instead of using the server’s name, you may get an error. This is because the server is presenting the browser a digital certificate that claims it is for CA-Name, when in fact you are accessing Localhost.
You can click on “Continue to this website” or correct your URL.
This may also happen if you attempt to use just the host name part of the server’s FQDN. Again, this is because it is not the name to which the certificate was issued.
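To see exactly why a given URL produces the warning, it helps to look at the certificate the server presents and compare it with the name in the URL. The following is an added example, not code from the original article: it opens a TLS connection to the Web Enrollment site under several names (localhost, the short host name, and the FQDN) and reports the certificate’s subject, its SAN entries, and the validation verdict for each. It assumes PowerShell 3.0 or later (for the script-block-to-delegate conversion) and that port 443 is reachable from where you run it; the names tried at the bottom are derived from the local machine and are illustrative.

```powershell
# Added example, not from the original article. Assumes PowerShell 3.0+ and that the
# Web Enrollment site is already listening on TCP 443.
function Test-CertSrvName {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # the name you typed in the URL
        [int]$Port = 443
    )
    $state  = @{ Errors = $null }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Record the validation verdict instead of failing the handshake. This probe only
        # reads the certificate; it does not treat it as trusted.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $state.Errors = $sslPolicyErrors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # the name passed here is what gets matched

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $sanText = $san.Format($false) } else { $sanText = '(none)' }

        New-Object PSObject -Property @{
            RequestedName = $HostName
            Subject       = $cert.Subject
            SAN           = $sanText
            Issuer        = $cert.Issuer
            # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
            PolicyErrors  = $state.Errors
        }
    } finally {
        $client.Close()
    }
}

# Illustrative names derived from the local machine; replace with your CA's names if
# you run this from another host.
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$short = $env:COMPUTERNAME
'localhost', $short, $fqdn | ForEach-Object { Test-CertSrvName -HostName $_ } |
    Format-Table RequestedName, PolicyErrors, Subject, SAN -AutoSize
```

A result of RemoteCertificateNameMismatch for localhost or the short name, and None for the FQDN, confirms the binding is correct and that the warning comes from the URL. If the FQDN row also shows RemoteCertificateChainErrors, the issuing CA is not trusted by the client, which is a separate problem from the one this article addresses.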
Note: You may be required to enter your credentials.
Did you try to use the server’s FQDN and still get an error? Read my article, “Solving the ‘This Web Browser Does Not Support the Generation of Certificate Requests’ Error,” for a solution.