29 May 2012 6:49
There's a freshly installed Windows 2008 R2 Server in my test environment. I'd like to test Windows Certification Services, so I did the following:
1) installed Standalone Root CA as described here: http://technet.microsoft.com/en-us/library/cc772393.aspx#BKMK_BS1
Log on to TEST_CA_ROOT1 as an administrator.
Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
On the Select Role Services page, select the Certification Authority check box, and then click Next.
On the Specify Setup Type page, click Standalone, and then click Next.
On the Specify CA Type page, click Root CA, and then click Next.
On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.
On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
2) installed CA Web Enrollment service (http://technet.microsoft.com/en-us/library/cc732895.aspx)
3) set up https bindings in IIS using Root CA certificate (this is the only one I have on my test computer after I have installed the two CA services) as described here: http://technet.microsoft.com/en-us/library/dd759140.aspx
The result: neither https://localhost nor https://localhost/certsrv is displayed ("Internet Explorer cannot display the webpage"), although http://localhost/certsrv works perfectly.
The question is: what am I doing wrong?
Thank you in advance,
29 May 2012 13:33
You have to use a "Server Authentication" certificate. You can deploy it from your stand-alone CA to your stand-alone CA server.
Go to MMC / Certificates / Computer.
Right-click on the Personal store -> All Tasks / Advanced Operations / Create Custom Request.
Choose "Proceed without enrollment policy", Next / Next.
At the Certificate Information pane, expand "Details" next to the custom request option and click Properties.
Add the DNS name of the web server as the common name; at the Extensions tab / Extended Key Usage, add Server Authentication.
Export the request, import the request in your CA, and install the certificate.
You can also generate a request with OpenSSL and let your stand-alone CA process it.
Hope this helps.
29 May 2012 13:45
You need to issue a specific server authentication certificate for the IIS service to bind correctly!
I would recommend using the following test lab guide http://technet.microsoft.com/en-us/library/hh831348.aspx for deploying an AD CS two-tier PKI hierarchy. Although the guide is part of the pre-release documentation for Windows Server 8/2012, the steps described can be followed as is in Windows 2008, except for the PowerShell notes.
30 May 2012 7:00
rudy devries, thank you for your reply!
Yes, I understand I need a Server Authentication certificate, but where in the documentation specified above is the information you mentioned??? I spent many hours reading the CA help, the CA 2008 step-by-step guide and many other articles but did not find any similar information. Could you give me a link to the document where this procedure is described?
Please don't think I don't want to follow your advice (I'll try it today); I'm just very confused that I was unable to install a CA having read all the MS OFFICIAL documentation (at least the documentation I could find)...
- Edited by MF47 30 May 2012 7:00
30 May 2012 7:02
thank you for your reply.
I read the guide, but again I did not find there a procedure describing SSL certificate binding (exactly which certificate should be bound to the CA web enrollment server itself).
30 May 2012 7:32
To request a certificate in IIS:
- If you are using IIS 7.0, prepare a server certificate for IIS 7.0, specify a name for the request, download the certificate, and save it to a secure location on your server; see Configuring Server Certificates in IIS 7.0 http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx
- If you are using IIS 6.0, download the certificate, and save it to a secure location on your server; see Configuring Server Certificates for SSL (IIS 6.0) http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ca7be648-02cb-4cf2-a7a5-56c507707114.mspx
Once the SSL certificate is available, you can proceed with the SSL binding, selecting that certificate.
When AD CS is installed as a Standalone CA, you simply deal with it as with any other external CA. That means you need to generate an offline request file and manually submit the request to AD CS.
If AD CS is installed as an Enterprise CA and the web server is a member of the same domain, you can use the Create Domain Certificate option in the IIS management console.
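The two answers above (the custom request with a Server Authentication EKU, and the offline request submitted to a standalone CA) describe one procedure. The following script is an added example, not code from the thread or from Microsoft's documentation, that carries it out end to end with certreq.exe and the WebAdministration module on a 2008 R2 machine that hosts both the standalone root CA and the IIS web enrollment site, which is the poster's setup. The CA config string TEST_CA_ROOT1\RootCA1, the host name ca.test.local, the working directory and the site name "Default Web Site" are assumptions; replace them with the values from `certutil -dump` and IIS Manager.

```powershell
# Added example (not from the thread): request a Server Authentication certificate
# from a standalone AD CS root CA and bind it to IIS on port 443.
# Assumed (hypothetical) values: CA host\name TEST_CA_ROOT1\RootCA1, web server
# DNS name ca.test.local, site "Default Web Site". Run in an elevated PowerShell
# on the server that hosts both the CA and IIS.

$Fqdn     = "ca.test.local"
$CaConfig = "TEST_CA_ROOT1\RootCA1"      # certutil -dump prints the real <host>\<CA name>
$WorkDir  = "C:\certreq"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. INF for certreq -new: 2048-bit RSA in the machine store, non-exportable,
#    KeySpec=1 (AT_KEYEXCHANGE, needed by Schannel), KeyUsage 0xA0 =
#    digitalSignature + keyEncipherment, EKU = Server Authentication
#    (1.3.6.1.5.5.7.3.1) and a DNS SAN so browsers match the host name.
$Inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@
Set-Content -Path "$WorkDir\web.inf" -Value $Inf -Encoding ASCII

# 2. Generate the key pair and write the PKCS#10 request file.
certreq.exe -new "$WorkDir\web.inf" "$WorkDir\web.req"

# 3. Submit the request. A standalone CA holds it as pending by default
#    ("Taken Under Submission") and prints a RequestId.
$Submit    = certreq.exe -submit -config $CaConfig "$WorkDir\web.req" "$WorkDir\web.cer"
$RequestId = ($Submit | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
if (-not $RequestId) { throw "certreq -submit did not return a RequestId: $Submit" }

# 4. Issue the pending request. This is the manual approval step a standalone CA
#    requires; it works here because the script runs on the CA as a CA administrator
#    (on a separate web server you would do it in the Certification Authority console).
certutil.exe -config $CaConfig -resubmit $RequestId

# 5. Retrieve the issued certificate and pair it with the private key in
#    Cert:\LocalMachine\My.
certreq.exe -retrieve -config $CaConfig $RequestId "$WorkDir\web.cer"
certreq.exe -accept "$WorkDir\web.cer"

# 6. Bind it: find the newest certificate with our subject in the machine store,
#    create the https binding and attach the certificate to 0.0.0.0:443.
Import-Module WebAdministration
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert) { throw "Issued certificate for CN=$Fqdn not found in LocalMachine\My" }

if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https)) {
    New-WebBinding -Name "Default Web Site" -Protocol https -Port 443
}
New-Item -Path "IIS:\SslBindings\0.0.0.0!443" -Value $Cert | Out-Null

"Bound $($Cert.Thumbprint) (CN=$Fqdn, EKU Server Authentication) to https://${Fqdn}/"
```

After the script runs, https://ca.test.local/certsrv should load in a browser that trusts the root CA certificate (import RootCA1's certificate into Trusted Root Certification Authorities on the client, or use certutil -addstore Root). The same INF, minus the binding step, is what you would feed to an external CA; the only standalone-specific part is the pending-request approval in step 4.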
30 May 2012 7:58
..."You have to use a "Server Authentication" certificate." - but why can't I use (at least theoretically) the Root CA certificate for the SSL binding? It has "All intended purposes"???
30 May 2012 8:13 Moderator
To bind SSL to the root CA, please refer to the following blog:
Bind SSL to the ROOT CA
TechNet Community Support
30 May 2012 8:21
I can't remember that this was explicitly stated in the AD CS documentation. The SSL binding is, in my opinion, IIS specific and not really pure AD CS configuration. See also http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis/
In the guide "Test Lab Guide: Deploying an AD CS Two Tier PKI Hierarchy" you are going to add the "Extended Key Usage" "Server Authentication" to issued certificates by adding an "Application Policy" to the certificate template. You have a stand-alone environment, so you don't have templates, and this guide doesn't apply to you.
See steps 5 and 6 of the section "To configure a client server authentication certificate template for auto enrollment".
If you want to know more about the basic operations of a PKI, I would suggest you take a look at a simpler implementation of RFC 5280 like OpenSSL. Too much automation sometimes makes it hard to understand what is really going on. See http://www.openca.org/~madwolf/ch04s03.html
30 May 2012 11:53
rudy devries, thank you very much!!!
30 May 2012 11:57
Elytis Cheng, thank you!
I read this article but am a bit confused: why should I "choose generate domain certificate" if I want to bind SSL to the Root CA certificate that already exists...???
30 May 2012 11:58
Hasain, thank you very much!
19 September 2012 13:17
P.S. ...I just still can't understand why I can't use the root CA certificate for SSL bindings on the computers with the CA installed. The root CA certificate's purpose is stated as "ALL". Doesn't it include "Server authentication"?
20 September 2012 11:54
If memory serves, the root CA certificate covers 'All issuance policies' and 'All application policies' not server authentication.
Even if you could do what you describe, you shouldn't.
The point of a PKI infrastructure is that you have the ability to revoke certificates, on the basis that anything can be compromised given enough time / resources / intent. The more things that sit under a compromised certificate, the more your infrastructure is compromised, and the more pain it is when you have to revoke.
Web servers, even internal only ones, are always one of the riskier components of your infrastructure.
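The question running through the thread is what the "All" shown for the root CA certificate actually means. The Certificates MMC shows <All> in Intended Purposes when the certificate carries no Extended Key Usage extension at all, which is how the AD CS wizard issues a root CA certificate by default; a certificate requested as rudy devries describes instead carries an explicit EKU list containing Server Authentication (1.3.6.1.5.5.7.3.1). The function below is an added example, not code from the thread, that reads a .cer file with the .NET X509Certificate2 class and reports which case applies, together with the Basic Constraints CA flag and any DNS names in the Subject Alternative Name, so the two certificates can be compared side by side. The file paths are assumptions.

```powershell
# Added example (not from the thread): report what a certificate file actually
# says about its intended purposes. Shows whether "<All>" in the MMC comes from
# an explicit EKU list or from the EKU extension being absent, and whether the
# certificate is a CA certificate. Assumed (hypothetical) paths: C:\certs\RootCA1.cer
# and C:\certs\web.cer; any DER or Base64 .cer file works.

function Get-CertPurposeReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Typed extension objects are populated for the standard extensions.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $bc  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    $ServerAuthOid = '1.3.6.1.5.5.7.3.1'
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Format($false) renders the SAN as "DNS Name=host, DNS Name=other"; pull the names out.
    $dnsNames = @()
    if ($san) {
        $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    # An absent EKU extension is what the MMC displays as "<All>"; an explicit list
    # is enforced by Schannel and by browsers when the certificate is used for TLS.
    $purpose = if ($eku) { 'Explicit EKU list' } else { 'No EKU extension (MMC shows <All>)' }

    New-Object PSObject -Property @{
        File             = $Path
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        IsCA             = [bool]($bc -and $bc.CertificateAuthority)
        PurposeSource    = $purpose
        EkuOids          = $ekuOids
        HasServerAuthEku = ($ekuOids -contains $ServerAuthOid)
        SanDnsNames      = $dnsNames
        HasPrivateKey    = $cert.HasPrivateKey
    }
}

# Compare the root CA certificate with an issued web server certificate.
Get-CertPurposeReport -Path 'C:\certs\RootCA1.cer' |
    Format-List Subject, IsCA, PurposeSource, EkuOids, HasServerAuthEku, SanDnsNames
Get-CertPurposeReport -Path 'C:\certs\web.cer' |
    Format-List Subject, IsCA, PurposeSource, EkuOids, HasServerAuthEku, SanDnsNames
```

For a default AD CS root certificate the report shows IsCA = True, PurposeSource = "No EKU extension (MMC shows <All>)" and an empty SAN list; for a certificate requested with a Server Authentication EKU and a DNS SAN it shows IsCA = False, HasServerAuthEku = True and the host name. To inspect a certificate already installed rather than a file, `Get-ChildItem Cert:\LocalMachine\My` returns the same X509Certificate2 objects, so the body of the function applies unchanged.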