• Windows Server
  • AD CS
  • 1/5

Thanks to your certification authority, you will be able to generate valid SSL certificates to secure your different IIS web servers.

  1. Installing the IIS web server
  2. Create a new certificate template for the IIS web server
  3. Request certificate for the IIS web server from mmc console
  4. Request a certificate for the IIS web server via your certificate authority's web interface
    1. Create a certificate request from IIS Manager
    2. Request a certificate from your CA's web interface
    3. Complete the certificate request from your IIS web server
  5. Securing a website on IIS
  6. Common problems
    1. Incorrect name in secure website address (in HTTPS)
    2. The certificate was not issued by a trusted certificate authority
  7. Block insecure (HTTP) access to your website
  8. Redirect HTTP version to HTTPS version on IIS
    1. Add support for URL rewriting on IIS
    2. Redirect HTTP version to HTTPS version via URL rewriting
    3. Testing HTTP to HTTPS redirection

1. Installing the IIS web server

In our case, we have installed the "Web Server (IIS)" role on our "WEB" server linked to our Active Directory domain "informatiweb.lan".

Once this role is installed, you will be able to access IIS Manager from this server.

Since our web server is joined to our Active Directory domain, it already has a DNS domain name (automatically configured on our local DNS server).

To check it or to create it if this server is not joined to an Active Directory domain in your case, open the DNS manager on your local DNS server (or more often your Active Directory domain controller).

As you can see, a DNS record already exists in our case for our web server.
This will allow us to create a certificate that will be valid for this domain name (web.informatiweb.lan).

2. Create a new certificate template for the IIS web server

To start, you will need to create a new certificate template on which you will add the necessary rights so that you can request a certificate for your server from its mmc console.
To do this, launch the "Certification Authority" console and right-click "Manage" on "Certificate Templates".

Duplicate the "Web Server" certificate template.

In the "General" tab, specify a new name for this new certificate template.
For example : Web Server v2.

Note : publication of the certificate in the Active Directory is not useful since the certificate will only be used on a single server.

In the "Request Handling" tab, check the "Allow private key to be exported" box to be able to later export the certificate and its private key from the mmc console (for example), if you wish.

In the "Security" tab, you will see that domain administrators have the right to enroll certificates using this certificate template.
However, since it's your server that will perform the certificate request, it must also have the right to enroll certificates.
To do this, click on : Add.

By default, the window that appears allows you to select users, groups, or built-in security principals.
If you wish to authorize specific servers and/or computers, you must first click on : Object Types.

Check the "Computers" box and click OK.

Specify the name of the server or computer to authorize, then click OK.

If you wish, you could also authorize a group in which you have previously placed all your web servers.

In a test environment, you could authorize the "Domain Computers" group to allow all your servers and computers to request certificates.

Give "Read" and "Enroll" permissions to this server (or computer or group) so that your web server can request a certificate using this certificate template.

In the "Extensions" tab, you will see that the intended application policy is : Server Authentication.

In the "Subject Name" tab, leave the "Supply in the request" option selected.

This will allow you to create a certificate request from the IIS manager of your IIS server and submit it to your certificate authority.
This will also allow you to manually provide the domain name to use as the common name for your certificates.
This is useful when you want to host several sites with different domains on the same IIS web server.

Click OK.

Your new certificate template has been created.

To be able to request certificates using this new certificate template, you must first add it to the list of certificate templates to be issued.
To do this, right-click on "Certificate Templates" and click on : New -> Certificate Template to Issue.

Select your new certificate template from the list (in our case : Web Server v2) and click OK.

Your new certificate template appears in the list.

To see also

Comments

You must be logged in to post a comment

Share your opinion

Pinned content

Contact

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.

Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.