Thanks to your certification authority, you will be able to generate valid SSL certificates to secure your different IIS web servers.
In our case, we have installed the "Web Server (IIS)" role on our "WEB" server linked to our Active Directory domain "informatiweb.lan".
Once this role is installed, you will be able to access IIS Manager from this server.
Since our web server is joined to our Active Directory domain, it already has a DNS domain name (automatically configured on our local DNS server).
To check this record, or to create it if your server is not joined to an Active Directory domain, open the DNS manager on your local DNS server (or, more often, your Active Directory domain controller).
As you can see, a DNS record already exists in our case for our web server.
This will allow us to create a certificate that will be valid for this domain name (web.informatiweb.lan).
To start, you will need to create a new certificate template and grant the necessary rights on it so that you can request a certificate for your server from its mmc console.
To do this, launch the "Certification Authority" console, right-click "Certificate Templates" and click "Manage".
Duplicate the "Web Server" certificate template.
In the "General" tab, specify a new name for this new certificate template.
For example: Web Server v2.
Note: publishing the certificate in Active Directory is not useful since the certificate will only be used on a single server.
In the "Request Handling" tab, check the "Allow private key to be exported" box if you want to be able to export the certificate and its private key later (from the mmc console, for example).
In the "Security" tab, you will see that domain administrators have the right to enroll certificates using this certificate template.
However, since it's your server that will perform the certificate request, it must also have the right to enroll certificates.
To do this, click on: Add.
By default, the window that appears allows you to select users, groups, or built-in security principals.
If you wish to authorize specific servers and/or computers, you must first click on: Object Types.
Check the "Computers" box and click OK.
Specify the name of the server or computer to authorize, then click OK.
If you wish, you could also authorize a group in which you have previously placed all your web servers.
In a test environment, you could authorize the "Domain Computers" group to allow all your servers and computers to request certificates.
Give "Read" and "Enroll" permissions to this server (or computer or group) so that your web server can request a certificate using this certificate template.
In the "Extensions" tab, you will see that the intended application policy is: Server Authentication.
In the "Subject Name" tab, leave the "Supply in the request" option selected.
This will allow you to create a certificate request from the IIS manager of your IIS server and submit it to your certificate authority.
This will also allow you to manually provide the domain name to use as the common name for your certificates.
This is useful when you want to host several sites with different domains on the same IIS web server.
Click OK.
Your new certificate template has been created.
To be able to request certificates using this new certificate template, you must first add it to the list of certificate templates to be issued.
To do this, right-click on "Certificate Templates" and click on: New -> Certificate Template to Issue.
Select your new certificate template from the list (in our case: Web Server v2) and click OK.
Your new certificate template appears in the list.
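Once the template is published, you can review from PowerShell what was configured in the "Request Handling", "Subject Name" and "Security" tabs. The script below is an added example, not part of the original tutorial: it assumes the display name "Web Server v2", a domain-joined machine with read access to the Active Directory configuration partition, and English group names for the list of broad groups.

```powershell
# Added example: review the settings and enrollment ACL of a certificate template.
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" extended right
# Groups considered too broad outside a test environment (English names, assumption)
$BroadNames = 'Domain Computers|Domain Users|Authenticated Users|Everyone'

function Get-TemplateReview {
    param([string]$DisplayName = 'Web Server v2')   # display name used in this tutorial

    # Certificate templates are stored in the forest's Configuration partition.
    $configNC = ([adsi]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $base = [adsi]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Certificate template '$DisplayName' not found." }
    $entry = $hit.GetDirectoryEntry()

    # Keep Allow ACEs that grant Enroll: either the specific extended right,
    # or all extended rights (empty object type, e.g. Full Control).
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    $enrollers = foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $r.ActiveDirectoryRights.HasFlag($extended) -and
            ($r.ObjectType -eq $EnrollGuid -or $r.ObjectType -eq [guid]::Empty)) {
            $r.IdentityReference.Value
        }
    }
    $enrollers = @($enrollers | Sort-Object -Unique)

    [pscustomobject]@{
        Template                 = $DisplayName
        # msPKI-Certificate-Name-Flag, bit 0x1: "Supply in the request"
        SubjectSuppliedInRequest = [bool]($entry.Properties['msPKI-Certificate-Name-Flag'].Value -band 0x1)
        # msPKI-Private-Key-Flag, bit 0x10: "Allow private key to be exported"
        PrivateKeyExportable     = [bool]($entry.Properties['msPKI-Private-Key-Flag'].Value -band 0x10)
        CanEnroll                = $enrollers
        BroadEnrollPrincipals    = @($enrollers | Where-Object { $_ -match $BroadNames })
    }
}

Get-TemplateReview | Format-List
```

With "Supply in the request" enabled, every principal listed under CanEnroll chooses the domain name that appears in its certificates, so BroadEnrollPrincipals should be empty in production.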
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.