Domain Certificate Infrastructure
Hey guys, My organization has two servers on the domain for certificate purposes: a Root CA server and an Enterprise CA server. We have various web interfaces for our servers and other devices that we log into (e.g. https://computername.domain or https://IP_ADDRESS). For all of these, though, we have to accept the "Continue to this website (not recommended)" page. What I need to know are the steps to take to make these websites automatically trusted for our users. This page scares users. Is there a way to do this without using a GPO to alter every local workstation?
July 26th, 2012 1:52pm

Hi, Thanks for your post. In IIS Manager, please make sure the Default Web Site HTTPS binding has a certificate that is valid and has a private key present. You do this by right-clicking Default Web Site in the left pane and choosing Edit Bindings, selecting https and clicking Edit, then selecting the certificate (if necessary) and clicking View to check whether a private key is present. For the certificate, you can easily issue a certificate from the Computer template for the server from the trusted CA, so https://computername.domain will be trusted by users. However, for accessing the server directly by IP address, you may need to add the IP address to the Subject Alternative Name attribute (known as a SAN certificate). Best Regards, Aiden Cao, TechNet Community Support
July 27th, 2012 3:20am
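The reply above describes checking the HTTPS binding by hand in IIS Manager. The following PowerShell script is an added example, not part of the thread, that performs the same audit on the web server itself: it reads the Default Web Site's HTTPS binding through the WebAdministration module, confirms the bound certificate has a private key, is unexpired and carries the Server Authentication EKU, and then reports every name in $namesInUse (the hostname and IP address users actually type after https://, constructed placeholders here) that appears in neither the subject CN nor the Subject Alternative Name. A name missing from both is exactly what produces the "Continue to this website" warning even when the issuing CA is trusted.

```powershell
# Added example, not from the thread: audit the Default Web Site HTTPS binding
# for the things that make a browser show the "continue to this website" page:
# no/expired certificate, no private key, wrong EKU, or a name users type that
# the certificate does not assert. Names in $namesInUse are constructed placeholders.
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$namesInUse = @('web01.corp.example', '10.20.30.40')   # what users type after https://

$bindings = @(Get-WebBinding -Name $siteName -Protocol https)
if ($bindings.Count -eq 0) { Write-Warning "No HTTPS binding on '$siteName'"; return }

foreach ($b in $bindings) {
    if (-not $b.certificateHash) {
        Write-Warning "Binding $($b.bindingInformation) has no certificate assigned"
        continue
    }
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
    $cert  = Get-Item "Cert:\LocalMachine\$store\$($b.certificateHash)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Binding $($b.bindingInformation): cert $($b.certificateHash) not in LocalMachine\$store"
        continue
    }
    "Binding {0} -> {1}, expires {2:yyyy-MM-dd}" -f $b.bindingInformation, $cert.Subject, $cert.NotAfter

    if (-not $cert.HasPrivateKey)      { Write-Warning '  No private key: the TLS handshake will fail' }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning '  Certificate is expired' }

    # An EKU extension, if present, must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    if ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains '1.3.6.1.5.5.7.3.1')) {
        Write-Warning '  Certificate lacks the Server Authentication EKU'
    }

    # Names the certificate asserts: the subject CN plus every SAN entry.
    # Format($true) prints one entry per line, e.g. "DNS Name=web01.corp.example"
    # or "IP Address=10.20.30.40"; keep the part after '='.
    $certNames = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $certNames += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        $certNames += ($san.Format($true) -split "`r?`n") |
            ForEach-Object { ($_ -split '=', 2)[1] } |
            Where-Object { $_ } | ForEach-Object { $_.Trim() }
    }
    foreach ($n in $namesInUse) {
        if ($certNames -notcontains $n) {
            Write-Warning "  '$n' is in neither CN nor SAN: browsers will show a name-mismatch warning"
        }
    }
}
```

Run it in an elevated PowerShell session on the IIS host. Browsers match the typed name against the SAN (falling back to the CN only when there is no SAN), so an IP address that users type must appear as an "IP Address" SAN entry; putting it in the CN alone is not enough for modern browsers.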

Thank you. This is all great, but do you have any links that can help me accomplish this? I need to do a little research. We mostly access our servers' web interfaces via IP address, so I guess I'm going to have to go the SAN certificate route. And then once I get that certificate, where do I import it in order to have all computers on the internal domain trust it?
July 30th, 2012 3:37pm

Hi, For a web server, I would recommend using a host header rather than an IP address. Make sure name resolution is handled by the DNS server. A SAN certificate is complex to deploy. With the FQDN of the web server, we just need a computer certificate issued by the enterprise CA. For clients to access the website without a warning, make sure all clients trust the enterprise CA that issued the certificate. If the client computer is domain joined, the CA is already trusted. For other clients, you need to manually import the CA certificate into the Trusted Root Certification Authorities container. Best Regards, Aiden Cao, TechNet Community Support
July 31st, 2012 3:28am
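For the non-domain-joined clients the reply above mentions, here is an added PowerShell example (not from the thread) of distributing the CA certificate by hand without blindly trusting whatever .cer file happens to be on disk. It compares the file's SHA-1 thumbprint with a value obtained out of band (read from the CA's own console, for instance), places a self-signed root in Trusted Root Certification Authorities and a subordinate CA such as the enterprise CA in Intermediate Certification Authorities, and then builds the chain for the web server's certificate the way a browser would, so a remaining trust or EKU problem shows up on the client before users do. File paths, the thumbprint and the certificate names are constructed placeholders; run the import once for each CA certificate in the chain (the root and the enterprise CA).

```powershell
# Added example, not from the thread: install an internal CA certificate on a
# client that is NOT domain-joined, but only after pinning its thumbprint to a
# value checked out of band, then verify the web server's certificate chains to it.
# Paths, thumbprint and names below are constructed placeholders.
param(
    [string]$CaCertPath     = 'C:\temp\corp-root-ca.cer',
    [string]$ExpectedThumb  = '0000000000000000000000000000000000000000',  # from the CA console
    [string]$ServerCertPath = 'C:\temp\web01.cer'                          # exported server cert
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
if ($ca.Thumbprint -ne $ExpectedThumb.ToUpper()) {
    throw "Thumbprint mismatch: file has $($ca.Thumbprint), expected $ExpectedThumb. Not installing."
}

# Only a self-signed certificate belongs in Root; a subordinate CA (the
# enterprise CA of a two-tier PKI) belongs in the intermediate store 'CA'.
$store = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
Import-Certificate -FilePath $CaCertPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
"Installed '$($ca.Subject)' into LocalMachine\$store"

# Verify: build the chain for the server certificate with the Server
# Authentication application policy, which is what the browser checks.
$srv   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # the internal CRL is often unreachable from outside
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1')) | Out-Null

if ($chain.Build($srv)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}
```

Import-Certificate comes with the PKI module on Windows 8 / Server 2012 and later; on older clients the equivalent is `certutil -addstore Root corp-root-ca.cer` (or `-addstore CA` for the subordinate). The thumbprint check matters because anything placed in Trusted Root can issue certificates the machine will accept for any site, so the .cer file's integrity deserves the same care as a password.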

Can you please provide more information or a link that will tell me how to issue a certificate by the enterprise CA for a certain FQDN web server and port?
August 2nd, 2012 1:32pm

Hi, You may refer to the following steps:
1. Click Start, click Run, type mmc in the Open text box, and then click OK.
2. In the Console1 window, click the File menu and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, select Certificates, and then click Add.
4. On the Certificates snap-in page, select Computer account, and then click Next.
5. On the Select Computer page, select Local computer, and then click Finish.
6. In the Add or Remove Snap-ins dialog box, click OK.
7. In the console tree, expand the Certificates (Local Computer) node, then expand Personal.
8. On the Action menu, point to All Tasks, and then click Request New Certificate to start the Certificate Request Wizard.
9. Choose a certificate template with Server Authentication; the Computer template is enough. Then finish the wizard.
10. In the IIS Manager console, bind the certificate to the HTTPS website.
Best Regards, Aiden Cao, TechNet Community Support
August 3rd, 2012 4:15am
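The MMC steps above request a certificate whose subject the CA builds from the computer's AD account, which covers https://computername.domain but cannot add the IP address that this thread's users type. The following PowerShell script is an added example, not part of the thread, that does the same enrollment from the web server with certreq so that a Subject Alternative Name holding both the FQDN and the IP can be placed in the request itself. It assumes a template with the Server Authentication EKU that lets the requester supply the subject (a copy of the built-in WebServer template on which the web server's computer account has Enroll permission; the thread's Computer template does not allow this), and the FQDN, IP, CA configuration string and template name are constructed placeholders.

```powershell
# Added example, not from the thread: request a server-authentication certificate
# from the enterprise CA with a SAN covering both the FQDN and the IP address,
# install it, and bind it to the HTTPS site. Run elevated on the web server.
# Hostname, IP, CA config string and template name are constructed placeholders.
$fqdn     = 'web01.corp.example'
$ip       = '10.20.30.40'
$caConfig = 'ca01.corp.example\Corp Enterprise CA'   # "host\CA name", see: certutil -dump
$template = 'WebServer'                              # template allowing "Supply in the request"
$work     = Join-Path $env:TEMP 'certreq'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# The SAN goes into the CSR's own extensions. That way the CA needs no
# EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which would let any requester put any
# name into certificates from any template on that CA.
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "ipaddress=$ip&"
[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path "$work\req.inf" -Encoding ASCII

# 1. Generate the machine-bound private key and the CSR.
certreq -new "$work\req.inf" "$work\req.csr"
# 2. Submit to the enterprise CA; it issues immediately if the template auto-enrolls.
certreq -submit -config $caConfig "$work\req.csr" "$work\cert.cer"
# 3. Install the issued certificate next to its private key in LocalMachine\My.
certreq -accept "$work\cert.cer"

# 4. Bind the newest matching certificate to the site's HTTPS listener.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$fqdn was installed" }

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
"Bound $($cert.Thumbprint) for https://$fqdn and https://$ip"
```

If the CA answers "Certificate request is pending", an administrator must issue it in the Certification Authority console before step 3 (certreq -retrieve with the request ID, then -accept). Keep Exportable = FALSE unless the key really must leave the server; an exportable key in LocalMachine\My is one of the first things an attacker with local admin will take.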

Do I do all this on the enterprise CA server? Or do I have to do some of these steps on the actual web server that I want the domain to trust?
August 6th, 2012 11:12am

Hi, On the web server. Best Regards, Aiden Cao, TechNet Community Support
August 6th, 2012 7:59pm

Aiden. The web server is a TMG server, so I had to alter some settings in the TMG configuration and create a new rule to allow all proper traffic needed to request a cert. Otherwise, your solution worked. Thank you very much. For reference on what I had to alter in TMG: http://www.microsoftnow.com/2010/02/rpc-server-is-unavailable-error-when-requesting-a-certificate.html
August 6th, 2012 10:25pm
