Install the web interface of a certificate authority (CA) on Windows Server 2016

  • Windows Server
  • AD CS
  • 3/4

5. Secure access to your CA's web interface in HTTPS

To start, select the default website "Default Web Site" in the left column, then click on "Bindings" (in the right column).

In the "Site Bindings" window that appears, click Add.

Select "https" for the site binding type.

As expected, the corresponding port is : 443.

In the "SSL certificate" list, select the newly enrolled certificate (whose common name matches your server name).
Note that the SSL certificate appears under its friendly name if it's defined or the common name (CN) defined in it if not.

You can check the selected certificate by clicking "View" if needed.
Then, click OK.

The new "https" site binding appears.
Click Close.

In the right column, click : Restart.

Access the web interface of your certification authority again using the "HTTPS" protocol instead of "HTTP" and authenticate with the same user as before.

As before, you will have to click 2 times on "Add" if IE Enhanced Security Configuration is enabled.

Then, the web interface of your certification authority will appear.

If you click on the certificate icon, you will see that your certificate authority has identified this site as [server domain name].

Note that you will only be able to access this interface securely by indicating the full name of your server.
If you provide another name (such as its NETBIOS name) or IP address, your web browser will display a warning as the name provided in the address bar doesn't match the common name (domain name of your server) found in the certificate used.

Plain Text

The security certificate presented by this website was issued for a different website's address.

6. Block insecure access (HTTP) to your CA's web interface

To avoid accessing the insecure version of your certificate authority's web interface, you can easily block insecure (HTTP) access to the default website hosting this web interface in particular.

To do this, in the IIS manager, select your "Default Web Site", then double click on "SSL Settings".

Check the "Require SSL" box, then click "Apply" (in the right column).

Note : the "Client certificates" option concerns authentication with a user certificate.
You therefore don't need to modify this setting since it's not of interest to you in this case.

Once this change has been saved, the message "The changes have been successfully saved" will appear.

Now, if you attempt to access the insecure (HTTP) version of your CA's web interface, your IIS web server will block access with an error message :

Plain Text

HTTP Error 403.4 - Forbidden.
The page you are trying to access is secured with Secure Sockets Layer (SSL).
...
The page request was made over HTTP, but the server requires the request from a secure channel that uses HTTPS.

However, if you access the secure version (HTTPS) of this web interface, you will see that it still works.

To see also

Comments

No comment

Share your opinion

Pinned content

Contact

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.

Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.