Domain Certificate Infrastructure
Hey guys,
My organization has two servers on the domain for certificate purposes. A Root CA server, and an Enterprise CA server. We have various web interfaces for our servers and other devices that we log into (e.g. https://computername.domain or https://IP_ADDRESS).
For all of these, though, we have to accept the "continue to this website (not recommended)" page. What I need to know are the steps to take to make these websites automatically trusted for our users. This page scares users.
Is there a way to do this without using a GPO to alter every local workstation?
July 26th, 2012 1:52pm
Hi,
Thanks for your post.
In IIS Manager, please make sure the Default Web Site https binding has a certificate that is valid with a private key present. You do this by right-clicking on Default Web Site in the left pane and choosing Edit Bindings, select https and click Edit, then select the certificate (if necessary) and click View to check that there is a private key. For the certificate, you can easily issue a Computer template certificate for the server from the trusted CA, so https://computername.domain will be trusted by users. However, for directly using the IP address, you may need to add the IP address to the Subject Alternative Name attribute, known as a SAN certificate.
Best Regards,
Aiden Cao
TechNet Community Support
July 27th, 2012 3:20am
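The answer above asks for three things to be checked on the binding's certificate: that it is valid, that the private key is present, and that the name or IP address users type is covered (the IP address only counts if it is an IP Address entry in the Subject Alternative Name, not a DNS Name). The following script, added here as an example and not posted in the thread, runs those checks on the web server against the IIS https binding. It assumes IIS 7 or later with the WebAdministration module and an elevated PowerShell 3.0+ session; the site name and the list of names and addresses users browse to are assumptions to adjust.

```powershell
# Added example, not from the original thread: audit the certificate behind the
# IIS https binding(s) of a site. Run elevated on the web server.
Import-Module WebAdministration

$siteName      = 'Default Web Site'                     # assumption
$expectedNames = @('computername.domain', '10.0.0.5')   # assumption: what users type in the browser

function Get-SanEntries {
    # Returns the DNS Name and IP Address entries of the Subject Alternative Name
    # extension (OID 2.5.29.17), or an empty list if the certificate has none.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # CryptoAPI renders the extension one entry per line, e.g. "DNS Name=host.domain"
    # or "IP Address=10.0.0.5"; keep the value part of each such line.
    $san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*(DNS Name|IP Address)=(.+)$') { $Matches[2].Trim() }
    }
}

$bindings = @(Get-WebBinding -Name $siteName -Protocol https)
if ($bindings.Count -eq 0) { throw "Site '$siteName' has no https binding." }

foreach ($binding in $bindings) {
    $info = $binding.bindingInformation        # e.g. *:443:
    if (-not $binding.certificateHash) {
        Write-Warning "$info has no certificate assigned"
        continue
    }
    $cert = Get-Item ("Cert:\LocalMachine\{0}\{1}" -f $binding.certificateStoreName, $binding.certificateHash)

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present for SChannel/browsers.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $false
    if ($eku) {
        $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }

    # Names the certificate is good for: SAN entries, plus the subject CN as a fallback.
    $names = @($cert.GetNameInfo('DnsName', $false)) + @(Get-SanEntries $cert) |
        Where-Object { $_ } | Select-Object -Unique
    $missing = $expectedNames | Where-Object { $names -notcontains $_ }

    [pscustomobject]@{
        Binding       = $info
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEKU = $serverAuth
        NamesCovered  = ($names -join ', ')
        NotCovered    = ($missing -join ', ')
    } | Format-List
}
```

Anything listed under NotCovered is a name or address that will still produce the browser warning even after the CA is trusted, because trust of the issuer and a match on the requested name are two separate checks. A certificate issued from the Computer template with no SAN will usually show only the machine FQDN here, which is why the IP-address URLs in the question fail.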
Thank you. This is all great, but do you have any links that can help me accomplish this? I need to do a little research. We mostly access our servers' web interfaces via IP address, so I guess I'm going to have to go the SAN certificate route. And then
once I get that certificate, where do I import it in order to have all computers on the internal domain trust it?
July 30th, 2012 3:37pm
Hi,
For the web server, I would recommend using a host header rather than the IP address. Make sure name resolution is completed by the DNS server. A SAN certificate is complex to deploy. With the FQDN of the web server, we just need a computer certificate issued by the enterprise CA. For clients to access the web site without a warning, make sure all clients trust the enterprise CA that issued the certificate. If the client computer is domain joined, the CA is already trusted. For other clients, you need to manually import the CA certificate into the Trusted Root Certification Authorities container.
Best Regards,
Aiden Cao
TechNet Community Support
July 31st, 2012 3:28am
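To see whether a given client actually trusts the enterprise CA, and to do the manual import for clients that are not domain joined, the script below (an added example, not part of the thread) connects to the web server from the client, takes the certificate it presents, and reports why Windows accepts or rejects it. The host name, port and path of the exported CA certificate are assumptions. One point the reply above glosses over for a two-tier PKI like the one in the question: only the self-signed Root CA certificate belongs in Trusted Root Certification Authorities; the Enterprise (issuing) CA certificate belongs in Intermediate Certification Authorities, and the import function below sorts the file into the right store by checking whether it is self-issued.

```powershell
# Added example, not from the original thread: run on a client to explain the trust
# decision for a web server's certificate, and to import a CA certificate by hand
# on a machine that is not domain joined.
$targetHost = 'computername.domain'        # assumption: the URL users type
$port       = 443
$caCertFile = 'C:\temp\EnterpriseRootCA.cer'  # assumption: CA cert exported as DER/Base64 .cer

function Get-RemoteCertificate {
    # Opens a TLS session and returns the leaf certificate the server presented.
    # The validation callback accepts everything here; trust is judged separately below.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback])
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-CertificateTrust {
    # Builds the chain with the local machine's stores, exactly what SChannel does
    # for the browser, and reports every chain status plus a name check.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps the demo offline; use Online in production
    $trusted = $chain.Build($Cert)
    # Chain building never looks at the host name; a browser checks that separately.
    # This compares the first DNS name only; multi-name SAN certs need every entry compared.
    $nameMatch = ($Cert.GetNameInfo('DnsName', $false) -eq $HostName)
    [pscustomobject]@{
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        ChainTrusted = $trusted
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; ')
        ChainPath    = (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
        NameMatches  = $nameMatch
        Verdict      = if ($trusted -and $nameMatch) { 'no warning expected' } else { 'browser will warn' }
    }
}

function Import-CaCertificate {
    # Puts a CA certificate into the machine store it belongs in (requires elevation):
    # self-issued root -> Root; issuing/subordinate CA -> CA (Intermediate Certification Authorities).
    param([string]$Path)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $storeName = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($ca) } finally { $store.Close() }
    "Imported '$($ca.Subject)' into LocalMachine\$storeName"
}

$leaf = Get-RemoteCertificate -HostName $targetHost -Port $port
Test-CertificateTrust -Cert $leaf -HostName $targetHost | Format-List
# Only for a client that is not domain joined, and only after verifying the file's
# thumbprint against the CA out of band:
# Import-CaCertificate -Path $caCertFile
```

A ChainStatus of UntrustedRoot or PartialChain means the client lacks the CA certificate(s); a clean chain with NameMatches false means the certificate is trusted but was not issued for the name typed, which is the SAN problem from earlier in the thread. `certutil -addstore Root file.cer` is the command-line equivalent of the import function for the root; use the `CA` store for the issuing CA. Domain-joined machines get the enterprise CA certificates automatically through Active Directory, so the import is only for the others.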
Can you please provide more information or a link that will tell me how to issue a certificate by the enterprise CA for a certain FQDN web server and port?
August 2nd, 2012 1:32pm
Hi,
You may refer to the following steps:
1. Click Start, click Run, type mmc in the Open text box, and then click OK.
2. In the Console1 window, click the File menu and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-in dialog box, select Certificates, and then click Add.
4. On the Certificates snap-in page, select Computer account, and then click Next.
5. On the Select Computer page, select Local computer, and then click Finish.
6. In the Add or Remove Snap-in dialog box, click OK.
7. In the console tree, expand the Certificates (Local Computer) node, then expand Personal.
8. On the Action menu, point to All Tasks, and then click Request New Certificate to start the Certificate Request Wizard.
9. Choose a certificate template with Server Authentication. The Computer template is enough. Then finish the wizard.
10. In the IIS Manager console, bind the certificate to the HTTPS web site.
Best Regards,
Aiden Cao
TechNet Community Support
August 3rd, 2012 4:15am
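The wizard steps above produce a certificate whose name comes from Active Directory, which is fine for https://computername.domain but not for the IP-address URLs the original poster said are the common case. The script below is an added example, not from the thread, that does the same enrolment from the web server without the MMC and adds both the FQDN and the IP address to the Subject Alternative Name, then binds the result to the site on port 443. It assumes an elevated session on the web server, IIS 7 or later with the WebAdministration module, and that the names, the CA config string (host\CA name, as shown in the Certification Authority console) and the template name are replaced with real values. The template must be one whose subject is supplied in the request (the built-in Web Server template, or a duplicate of it) and the web server's computer account needs Enroll permission on it.

```powershell
# Added example, not from the original thread: request a server certificate with a
# SAN (FQDN + IP) from the enterprise CA using certreq, then bind it in IIS.
Import-Module WebAdministration

$fqdn     = 'computername.domain'                 # assumption
$ip       = '10.0.0.5'                            # assumption
$caConfig = 'entca.domain\Domain-Enterprise-CA'   # assumption: "host\CA name" of the issuing CA
$template = 'WebServer'                           # assumption: a "supply in the request" template
$siteName = 'Default Web Site'                    # assumption
$work     = Join-Path $env:TEMP 'webcert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# certreq INF. The key pair is generated on this machine, marked non-exportable,
# and stays here; only the CSR travels to the CA. KeyUsage 0xA0 = digital
# signature + key encipherment; KeySpec 1 = exchange key, which SChannel needs.
$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "ipaddress=$ip&"

[RequestAttributes]
CertificateTemplate = $template
"@
$infPath = Join-Path $work 'request.inf'
$reqPath = Join-Path $work 'request.req'
$cerPath = Join-Path $work 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding Ascii

function Invoke-CertReq {
    # certreq.exe reports failure through its exit code; stop at the first one.
    param([string[]]$Arguments)
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

Invoke-CertReq @('-f', '-q', '-new', $infPath, $reqPath)                      # 1. key pair + CSR, locally
Invoke-CertReq @('-f', '-q', '-submit', '-config', $caConfig, $reqPath, $cerPath)  # 2. submit to the CA (RPC/DCOM)
if (-not (Test-Path $cerPath)) { throw 'The CA did not issue the certificate (pending or denied); check the CA console.' }
Invoke-CertReq @('-q', '-accept', $cerPath)                                   # 3. install and pair with the private key

# 4. Locate the installed certificate and bind it to the site on 443.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Issued certificate for $fqdn not found in LocalMachine\My" }

if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
# IIS:\SslBindings maps "ip!port" to a certificate; 0.0.0.0!443 means all addresses on 443.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null
"Bound $($cert.Thumbprint) ($($cert.Subject)) to $siteName on port 443"
```

Two cautions. The Computer template builds the subject and SAN from the computer object in AD and ignores names in the request, so using it with this INF gets a certificate without the IP address; that is why the template choice matters. And do not work around that by enabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the CA, which is the other common advice for "adding a SAN": it lets anyone who can enrol for any template put arbitrary names (including other servers' and users' names) in the certificates they receive. Use a template that supplies the subject in the request and limit Enroll permission on it to the web servers' computer accounts. Step 2 talks to the CA over RPC/DCOM, which is the traffic the TMG rule mentioned at the end of the thread had to allow.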
Do I do all this on the enterprise CA server? Or do I have to do some of these steps on the actual web server for which I want the domain to trust?
August 6th, 2012 11:12am
Hi,
On the web server.
Best Regards,
Aiden Cao
TechNet Community Support
August 6th, 2012 7:59pm
Aiden. The web server is a TMG server, so I had to alter some settings in the TMG configuration and create a new rule to allow all proper traffic needed to request a cert. Otherwise, your solution worked. Thank you very much.
For reference on what I had to alter in TMG: http://www.microsoftnow.com/2010/02/rpc-server-is-unavailable-error-when-requesting-a-certificate.html
August 6th, 2012 10:25pm