Active Directory Certificate Services (AD CS): Error: "In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication"

After you install Certification Authority Web Enrollment pages, clients may see a warning message indicating that HTTPS must be used.

Error

In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication.

Cause

This happens if the web server is not configured to use Secure Sockets Layer (SSL) for the CA Web Enrollment pages.

Resolution

To resolve this issue, you must install an appropriate certificate on the web server hosting the CA Web Enrollment pages. Then, you must configure the Site Bindings for the web site to add an HTTPS binding on port 443.


Implementing SSL on a Web site in the domain with an Enterprise CA

The following example assumes that you have an Enterprise CA from which to issue certificates. It further assumes that the Certification Authority Web Enrollment pages are installed, either on that CA or on another computer in the domain. This example walks through the steps necessary to do the following:

  1. Configure an appropriate certificate template for SSL certificates.
  2. Obtain a certificate for IIS using the certificate template.
  3. Configure HTTPS on the Default Web Site.
  4. Connect to the HTTPS location for certificate enrollment.

 Note

  • If you have the CA Web Enrollment pages installed on a different computer, you will also need to trust that computer for delegation.
  • To create or duplicate existing certificate templates, users only need the Create Child permission on the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot and CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot containers.
  • You can review other permission settings at Implement Role-Based Administration.



Configure an appropriate certificate template for SSL certificates

  1. Connect to the Enterprise CA with the appropriate credentials and open the Certification Authority console.
  2. Expand the certification authority so that you can see Certificate Templates.
  3. Right-click Certificate Templates and then click Manage. If you don't see these options, then run the following command: certtmpl.msc to open the Certificate Templates console.
  4. In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template. If you are prompted to select a template version, select 2003 and then click OK.
  5. In the General tab, under Template display name, type a name that you want to use for the template. For example, SSL Certificates.
  6. On the Security tab you must ensure the computer account has the ability to enroll for the template. To do so, click Add.
    • In Select Users, Computers, Service Accounts, or Groups, type the name of the user or group that you want to use for enrollment. Click Check Names, and then click OK.
    • Ensure that the user account or group that you want to use for enrollment is selected and then select the Allow checkbox that corresponds to the Enroll permission.
    • Click Add.
    • Click Object Types, select Computers, and then click OK.
    • Enter the name of the computer hosting the CA Web Enrollment pages. Click Check Names, and then click OK.
    • Ensure that the computer account hosting the CA Web Enrollment pages is selected and then select the Allow checkbox that corresponds to Enroll permission. Click OK.
  7. On the Subject Name tab, select Build from this Active Directory information. Set the Subject name format to Common name. Under Include this information in alternate subject name, select the DNS name checkbox and clear the User principal name (UPN) checkbox. (Observation: for the certificate template to appear in the Certificate Web Enrollment pages, it is necessary to choose Supply in the request instead of Build from this Active Directory information.)
  8. On the Cryptography tab, ensure that the template is set to use a Minimum key size of 1024 bits or higher; 2048 bits or higher is preferred. Click OK.
  9. Close the Certificate Templates console and return to the Certification Authority console.
  10. In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  11. In the Enable Certificate Templates dialog box click the new certificate template that you just configured and then click OK.


Obtain a certificate for IIS using the certificate template

  1. On the IIS server hosting the CA Web Enrollment pages, open an MMC console. To do so, you can open a command prompt, the run dialog box, or Windows PowerShell, type mmc and then press ENTER.
  2. In the new MMC console (Console1) click File, and then click Add/Remove Snap-in.
  3. From the list of Available snap-ins, select Certificates and then click Add.
  4. Select Computer account and then click Next.
  5. In Select Computer the Local computer is selected by default. Click Finish and then click OK.
  6. Expand Certificates (Local Computer) and then right-click Personal. Click All Tasks, and then click Request New Certificate.
  7. On the Certificate Enrollment wizard, click Next.
  8. On the Select Certificate Enrollment Policy page, ensure that Active Directory Enrollment Policy is selected and then click Next.
  9. On Certificate Enrollment, click Enroll. Click Finish.


Configure HTTPS on the Default Web Site

  1. On the IIS server hosting the CA Web Enrollment pages, open the Internet Information Services (IIS) Manager.
  2. Expand the server and Sites nodes until you can see Default Web Site.
  3. Click Default Web Site.
  4. On the Actions pane, click Bindings.
  5. In Site Bindings, click Add.
  6. In Add Site Binding, set Type to https.
  7. Set SSL certificate to the certificate that you issued to the server. You can confirm you have the correct certificate by clicking View. The certificate's purpose should be Ensures the identity of a remote computer. To further verify, you can click the Details tab of the certificate. Select Enhanced Key Usage and ensure that it reads Server Authentication (1.3.6.1.5.5.7.3.1). Click OK.
  8. On Add Site Binding, click OK. On Site Bindings, click Close.


Connect to the HTTPS location for certificate web enrollment

Instead of using the former http://servername/certsrv location, you must connect to https://servername/certsrv to request a certificate.
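The "Obtain a certificate" and "Configure HTTPS" sections above, carried out from PowerShell as an added example (not part of the original page). It assumes the template from step 5 has the template name SSLCertificates (the General tab's Template name, which by default is the display name without spaces), that the site is Default Web Site, and that it runs elevated on the server hosting the CA Web Enrollment pages; it also handles the "port is being used by a different binding" case by reusing an existing HTTPS binding.

```powershell
# Added example: PowerShell equivalent of the GUI steps on this page.
# Assumed values (change to match your environment): template name, site name, FQDN.
Import-Module PKI
Import-Module WebAdministration

$templateName  = 'SSLCertificates'      # Template *name* from the General tab, not the display name
$siteName      = 'Default Web Site'
$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Enhanced Key Usage: Server Authentication

# 1. Enroll the computer account through Active Directory Enrollment Policy (ldap: is the default).
#    -SubjectName/-DnsName only take effect when the template's Subject Name tab is
#    "Supply in the request"; with "Build from this Active Directory information" the CA
#    fills in the subject and SAN itself and these parameters are ignored.
$result = Get-Certificate -Template $templateName `
                          -SubjectName "CN=$fqdn" -DnsName $fqdn `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($result.Status). Check that this computer account has Enroll permission on the template."
}
$cert = $result.Certificate

# 2. Verify the certificate is usable for HTTPS (step 7 of "Configure HTTPS"):
#    its Enhanced Key Usage extension must contain Server Authentication.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $serverAuthOid)) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU ($serverAuthOid)."
}

# 3. Add the https binding on port 443, reusing one that already exists so we do not
#    hit "The specified port is being used by a different binding".
$binding = Get-WebBinding -Name $siteName -Protocol 'https' -Port 443
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol 'https' -Port 443 -IPAddress '*'
}

# 4. Attach the certificate to the 0.0.0.0:443 SSL endpoint, replacing any previous certificate.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath -Confirm:$false }
New-Item -Path $sslPath -Value $cert | Out-Null

# 5. Confirm the Web Enrollment pages now answer over HTTPS (expect StatusCode 200).
Invoke-WebRequest -Uri "https://$fqdn/certsrv/" -UseDefaultCredentials -UseBasicParsing |
    Select-Object StatusCode
```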


Additional Resources

See the following resources for more information on using CA Web Enrollment pages and HTTPS on Internet Information Server.
Comments
  • Ref Your: Connect to the Enterprise CA with the appropriate credentials and open the Certification Authority console.

    Where can I find EXACTLY what appropriate credentials are required. I don't see duplicate template option

  • To see the "duplicate template option" do as suggested in step 3 and I quote "If you don't see these options, then run the following command: certtmpl.msc to open the Certificate Templates console."

  • On section "Obtain a certificate for IIS using the certificate template" at Step 8, I don't see the Certificate Enrollment Policy page, instead, I see the Request Certificates page, which has the SSL Certificates template which I created in the above section. Could you advise what I am missing here?

  • It worked for me. Thanks for clear explanation.

  • There is a missed step in "Obtain a certificate for IIS using the certificate template" after step 8. Before clicking "Enroll" you have to select the checkbox with your certificate template.

  • On section "Configure HTTPS on the Default Web Site", Step 8, when I click OK I've got a message "The specified port is being used by a different binding". So I think I have to edit that binding instead of creating a new one, but I am not sure what behavior is expected by doing that.

  • thanks
