When you install a certificate authority on Windows Server, you can obtain certificates manually via the "mmc" console or automatically via auto-enrollment (via GPOs).
However, you can also install the web interface of this one to be able to request certificates from a web interface.

Note that this can be installed on the same server as your CA or on another server.
However, in this tutorial, we will install it on the same server as our CA to make it easier.

1. Install your certificate authority's web interface
2. Installed certificate authority web interface
3. Create a certificate template to secure access to your CA's web interface
4. Request a certificate to secure your certificate authority's web interface
5. Secure access to your CA's web interface in HTTPS
6. Block insecure access (HTTP) to your CA's web interface
7. Request a certificate for a web server using this web interface
8. Securing the new web server

1. Install your certificate authority's web interface

To install the web interface of your certificate authority, open the server manager and click on : Add roles and features.

Choose : Role-based or feature-based installation.

Select the server where your CA is installed.
By default, there is only one.

Expand the "Active Directory Certificate Services" section and check the "Certification Authority Web Enrollment" box.

Installing this Active Directory Certificate Services role service will require the installation of a web server (IIS) to be able to access your CA's web interface.
Accept the addition of these features.

Then, click Next at each step to use the default settings.

Click Install.

Wait while installing the "Web Server (IIS)" feature required for the operation of the web interface of your certification authority.

At the bottom, you will see that the wizard will also install the "Certificate Authority Web Enrollment" role service that is part of the "Active Directory Certificate Services" role.

Once the installation is complete, click on the "Configure Active Directory Certificate Services on the destination server" link that appears.

The "AD CS Configuration" wizard will appear.
Just click Next.

Check the "Certification Authority Web Enrollment" box (which corresponds to the role service you just installed) and click Next.

As you can see, there are no settings to change.
Just click on : Configure.

The "Configuration succeeded" message appears.
Click Close.

The Add Roles and Features Wizard tells you that the Active Directory Certificate Services role services are configured.
Click Close.

2. Installed certificate authority web interface

If you open the start menu of your server, you will see that the IIS manager is present.

In this IIS Manager, you will find a Default Web Site containing 2 folders :

• CertEnroll : contains your certification authority's revocation lists. These will therefore also be accessible via the HTTP protocol (if this option is enabled in the properties of your certification authority).
• CertSrv : corresponds to the ".asp" scripts representing the web interface of your certification authority from which you can, for example, request user certificates, custom certificates (from a base 64 certificate request) or download the certification authority's certificate.

Access the web interface of your certification authority by typing the "http://[domain name of the server where it's installed]/certsrv" address.
Which gives in our case : "http://ca.informatiweb.lan/certsrv".

As you can see, by default, to access it, you will first need to authenticate.
Log in with the domain administrator account, for example. Indeed, by default, this user can enroll several types of certificates thanks to the pre-installed certificate templates. Including the one to secure web servers.

If IE Enhanced Security Configuration is enabled, you will need to click "Add" to access this web interface.

Note : IE Enhanced Security Configuration can be easily disabled from the "Local Server" section of the Server Manager.

Then, confirm the addition of this website in the "Trusted Sites" zone of Internet Explorer.

Then, the "Microsoft Active Directory Certificate Services -- [your certificate authority name]" web interface will appear.
As you can see, through this web interface, you will be able to request certificates, as well as download its certificate.

Click on the link : Request a certificate.

Then, click on : advanced certificate request.

But, as you can see, you will need to secure access to this web interface (using the HTTPS protocol) to be able to request certificates through it.

Plain Text

In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication.