When you install a certificate authority on Windows Server, you can obtain certificates manually via the "mmc" console or automatically via auto-enrollment (via GPOs).
However, you can also install the web interface of this one to be able to request certificates from a web interface.
Note that this can be installed on the same server as your CA or on another server.
However, in this tutorial, we will install it on the same server as our CA to make it easier.
To install the web interface of your certificate authority, open the server manager and click on : Add roles and features.
Choose : Role-based or feature-based installation.
Select the server where your CA is installed.
By default, there is only one.
Expand the "Active Directory Certificate Services" section and check the "Certification Authority Web Enrollment" box.
Installing this Active Directory Certificate Services role service will require the installation of a web server (IIS) to be able to access your CA's web interface.
Accept the addition of these features.
Then, click Next at each step to use the default settings.
Wait while installing the "Web Server (IIS)" feature required for the operation of the web interface of your certification authority.
At the bottom, you will see that the wizard will also install the "Certificate Authority Web Enrollment" role service that is part of the "Active Directory Certificate Services" role.
Once the installation is complete, click on the "Configure Active Directory Certificate Services on the destination server" link that appears.
The "AD CS Configuration" wizard will appear.
Just click Next.
Check the "Certification Authority Web Enrollment" box (which corresponds to the role service you just installed) and click Next.
As you can see, there are no settings to change.
Just click on : Configure.
The "Configuration succeeded" message appears.
The Add Roles and Features Wizard tells you that the Active Directory Certificate Services role services are configured.
If you open the start menu of your server, you will see that the IIS manager is present.
In this IIS Manager, you will find a Default Web Site containing 2 folders :
Access the web interface of your certification authority by typing the "http://[domain name of the server where it's installed]/certsrv" address.
Which gives in our case : "http://ca.informatiweb.lan/certsrv".
As you can see, by default, to access it, you will first need to authenticate.
Log in with the domain administrator account, for example. Indeed, by default, this user can enroll several types of certificates thanks to the pre-installed certificate templates. Including the one to secure web servers.
If IE Enhanced Security Configuration is enabled, you will need to click "Add" to access this web interface.
Note : IE Enhanced Security Configuration can be easily disabled from the "Local Server" section of the Server Manager.
Then, confirm the addition of this website in the "Trusted Sites" zone of Internet Explorer.
Then, the "Microsoft Active Directory Certificate Services -- [your certificate authority name]" web interface will appear.
As you can see, through this web interface, you will be able to request certificates, as well as download its certificate.
Click on the link : Request a certificate.
Then, click on : advanced certificate request.
But, as you can see, you will need to secure access to this web interface (using the HTTPS protocol) to be able to request certificates through it.
In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication.
Windows Server 8/15/2014
Windows Server 10/20/2023
Windows Server 10/27/2023
Windows Server 9/15/2023
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.