  • 06 October 2023 at 08:40 UTC
  • InformatiWeb

Install the web interface of a certificate authority (CA) on Windows Server 2016

When you install a certificate authority on Windows Server, you can obtain certificates manually via the "mmc" console or automatically via auto-enrollment (via GPOs).
However, you can also install the CA's web interface so that certificates can be requested from a web browser.

Note that this can be installed on the same server as your CA or on another server.
However, in this tutorial, we will install it on the same server as our CA to make it easier.

  1. Install your certificate authority's web interface
  2. Installed certificate authority web interface
  3. Create a certificate template to secure access to your CA's web interface
  4. Request a certificate to secure your certificate authority's web interface
  5. Secure access to your CA's web interface in HTTPS
  6. Block insecure access (HTTP) to your CA's web interface
  7. Request a certificate for a web server using this web interface
  8. Securing the new web server

1. Install your certificate authority's web interface

To install the web interface of your certificate authority, open Server Manager and click "Add roles and features".

Choose "Role-based or feature-based installation".

Select the server where your CA is installed.
By default, there is only one.

Expand the "Active Directory Certificate Services" section and check the "Certification Authority Web Enrollment" box.

Installing this Active Directory Certificate Services role service will require the installation of a web server (IIS) to be able to access your CA's web interface.
Accept the addition of these features.

Then, click Next at each step to use the default settings.

Click Install.

Wait while the "Web Server (IIS)" feature, which the web interface of your certification authority requires, is installed.

At the bottom, you will see that the wizard also installs the "Certification Authority Web Enrollment" role service that is part of the "Active Directory Certificate Services" role.

Once the installation is complete, click on the "Configure Active Directory Certificate Services on the destination server" link that appears.

The "AD CS Configuration" wizard will appear.
Just click Next.

Check the "Certification Authority Web Enrollment" box (which corresponds to the role service you just installed) and click Next.

As you can see, there are no settings to change.
Just click Configure.

The "Configuration succeeded" message appears.
Click Close.

The Add Roles and Features Wizard tells you that the Active Directory Certificate Services role services are configured.
Click Close.
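
The same installation and configuration can be scripted. The PowerShell below is an added example, not part of the original tutorial; it assumes an elevated session on the server that already hosts the CA, as in this tutorial.

```powershell
#Requires -RunAsAdministrator
# Added example: PowerShell equivalent of the wizard steps above.

# "Certification Authority Web Enrollment" role service of AD CS.
$feature = 'ADCS-Web-Enrollment'

# 1. Install the role service if it is missing. The required
#    Web Server (IIS) features are added automatically as dependencies.
if (-not (Get-WindowsFeature -Name $feature).Installed) {
    $install = Install-WindowsFeature -Name $feature -IncludeManagementTools
    if (-not $install.Success) {
        throw "Installation of $feature failed."
    }
    if ($install.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is pending; reboot before configuring the role service.'
    }
}

# 2. Configure the role service (what the "AD CS Configuration" wizard does).
#    No -CAConfig value is given because the CA runs on this same server.
$config = Install-AdcsWebEnrollment -Force
if ($config.ErrorId -ne 0) {
    throw "Web enrollment configuration failed: $($config.ErrorString)"
}

# 3. Show the resulting state of the CA, the web enrollment service and IIS.
Get-WindowsFeature -Name ADCS-Cert-Authority, $feature, Web-Server |
    Format-Table -Property Name, InstallState -AutoSize
```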

2. Installed certificate authority web interface

If you open the start menu of your server, you will see that the IIS manager is present.

In IIS Manager, you will find a Default Web Site containing 2 folders:

  • CertEnroll: contains your certification authority's revocation lists. These will therefore also be accessible via the HTTP protocol (if this option is enabled in the properties of your certification authority).
  • CertSrv: contains the ".asp" scripts that make up the web interface of your certification authority, from which you can, for example, request user certificates, request custom certificates (from a Base64-encoded certificate request) or download the certification authority's certificate.

Access the web interface of your certification authority by typing the "http://[domain name of the server where it's installed]/certsrv" address.
In our case, this gives: "http://ca.informatiweb.lan/certsrv".

As you can see, by default, to access it, you will first need to authenticate.
Log in with the domain administrator account, for example. By default, this user can enroll several types of certificates thanks to the pre-installed certificate templates, including the one used to secure web servers.

If IE Enhanced Security Configuration is enabled, you will need to click "Add" to access this web interface.

Note: IE Enhanced Security Configuration can be easily disabled from the "Local Server" section of the Server Manager.

Then, confirm the addition of this website in the "Trusted Sites" zone of Internet Explorer.

Then, the "Microsoft Active Directory Certificate Services -- [your certificate authority name]" web interface will appear.
As you can see, through this web interface, you will be able to request certificates, as well as download its certificate.

Click on the "Request a certificate" link.

Then, click on "advanced certificate request".

But, as you can see, you will need to secure access to this web interface (using the HTTPS protocol) to be able to request certificates through it.

In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication.
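
The state described in this section can also be checked from PowerShell. This read-only audit is an added example, not part of the original tutorial; it assumes the site is still named "Default Web Site" and that the WebAdministration module is available on the server.

```powershell
# Added example: read-only audit of the CA web interface in IIS.
Import-Module WebAdministration

$site = 'Default Web Site'   # assumption: default IIS site name

# 1. The two folders described above should exist under the site.
$folders = foreach ($name in 'CertSrv', 'CertEnroll') {
    [pscustomobject]@{
        Folder  = $name
        Present = Test-Path -Path "IIS:\Sites\$site\$name"
    }
}
$folders | Format-Table -AutoSize

# 2. CertSrv should prompt for credentials: anonymous access off,
#    Windows authentication on.
$auth = foreach ($mode in 'anonymousAuthentication', 'windowsAuthentication') {
    $prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$site/CertSrv" `
        -Filter "system.webServer/security/authentication/$mode" `
        -Name 'enabled'
    [pscustomobject]@{ Mode = $mode; Enabled = [bool]$prop.Value }
}
$auth | Format-Table -AutoSize
if (($auth | Where-Object Mode -eq 'anonymousAuthentication').Enabled) {
    Write-Warning 'Anonymous access to CertSrv is enabled.'
}

# 3. List the site bindings. Until an HTTPS binding exists, the
#    advanced certificate request page shows the message quoted above.
$bindings = Get-WebBinding -Name $site
$bindings | Select-Object protocol, bindingInformation | Format-Table -AutoSize
if (-not ($bindings | Where-Object protocol -eq 'https')) {
    Write-Warning "No HTTPS binding on '$site'; /certsrv is reachable over HTTP only."
}
```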

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
