Windows 2008 R2 Standalone CA
Hello! There's a freshly installed Windows 2008 R2 Server in my test environment. I'd like to test Windows Certification Services, so I did the following:

1) Installed a Standalone Root CA as described here: http://technet.microsoft.com/en-us/library/cc772393.aspx#BKMK_BS1 (Log on to TEST_CA_ROOT1 as an administrator. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times. On the Select Role Services page, select the Certification Authority check box, and then click Next. On the Specify Setup Type page, click Standalone, and then click Next. On the Specify CA Type page, click Root CA, and then click Next. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.)

2) Installed the CA Web Enrollment service (http://technet.microsoft.com/en-us/library/cc732895.aspx)

3) Set up HTTPS bindings in IIS using the Root CA certificate (this is the only one I have on my test computer after installing the two CA services), as described here: http://technet.microsoft.com/en-us/library/dd759140.aspx

The result: neither https://localhost nor https://localhost/certsrv is displayed ("Internet Explorer cannot display the webpage"), although http://localhost/certsrv works perfectly.

The question is: what am I doing wrong?

Thank you in advance,
Michael
May 29th, 2012 2:57am

You have to use a "Server Authentication" certificate. You can deploy it from your stand-alone CA to your stand-alone CA server:

Go to MMC / Certificates / Computer, right-click the Personal store -> All Tasks / Advanced Operations / Create Custom Request. Choose "Proceed without enrollment policy", Next / Next. On the Certificate Information pane, expand "Details" next to the custom request option and click Properties. Add the DNS name of the web server as the Common Name. On the Extensions tab / Extended Key Usage, add Server Authentication. Export the request, import the request in your CA, and install the certificate.

You can also generate a request with OpenSSL and let your stand-alone CA process it.

Hope this helps.
May 29th, 2012 9:33am

You need to issue a specific server authentication certificate for the IIS service to bind correctly! I would recommend using the following test lab guide, http://technet.microsoft.com/en-us/library/hh831348.aspx, to deploy an AD CS two-tier PKI hierarchy. Although the guide is part of the pre-release documentation for Windows Server 8/2012, the steps described can be followed as is in Windows 2008, except for the PowerShell notes. /Hasain
May 29th, 2012 9:46am

rudy devries, thank you for your reply! Yes, I understand I need a Server Authentication certificate, but where in the documentation specified above is the information you mentioned??? I spent many hours reading the CA help, the CA 2008 step-by-step guide and many other articles but did not find any similar information. Could you give me a link to the document where this procedure is described? Please don't think I don't want to follow your advice (I'll try it today), I'm just very confused that I was unable to install the CA having read all the MS OFFICIAL documentation (at least the documentation I could find)...
May 30th, 2012 3:01am

Thank you for your reply. I read the guide, but again I did not find there a procedure describing the SSL certificate binding (which certificate exactly should be bound to the CA web enrollment server itself).
May 30th, 2012 3:03am

To request a certificate in IIS: If you are using IIS 7.0, prepare a server certificate for IIS 7.0, specify a name for the request, download the certificate, and save it to a secure location on your server; see Configuring Server Certificates in IIS 7.0, http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx. If you are using IIS 6.0, download the certificate, and save it to a secure location on your server; see Configuring Server Certificates for SSL (IIS 6.0), http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ca7be648-02cb-4cf2-a7a5-56c507707114.mspx

Whenever the SSL certificate is available you can proceed with the SSL binding, selecting that certificate. When AD CS is installed as a Standalone CA, you simply deal with it as with any other external CA. That means you need to generate an offline request file and manually submit the request to AD CS. If AD CS is installed as an Enterprise CA and the web server is a member of the same domain, you can use the Create Domain Server Certificate option/feature in the IIS management console. /Hasain
May 30th, 2012 3:33am
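The two answers above (rudy's custom request with the Server Authentication EKU, and Hasain's "treat the standalone CA like an external CA: offline request file, manual submission, then bind") describe one procedure. Here it is end to end as an added example; this is not code from the thread or from Microsoft's documentation. The CA config string `TEST_CA_ROOT1\RootCA1`, the host name `TEST_CA_ROOT1.test.local`, the working folder and the site name are assumptions for illustration. It also includes the check a practitioner wants before binding: that the certificate actually carries the Server Authentication EKU and a private key, which is exactly what the root CA certificate does not give you.

```powershell
# Added example, not code from the thread: request a Server Authentication
# certificate from a standalone root CA with certreq.exe, verify it, and bind
# it to the HTTPS site in IIS. Run in an elevated PowerShell on the server.
# Hypothetical values: the CA config string, host name, folder and site name
# below are assumptions and must be adjusted to your lab.
$CaConfig = 'TEST_CA_ROOT1\RootCA1'
$HostName = 'TEST_CA_ROOT1.test.local'
$Site     = 'Default Web Site'
$Work     = 'C:\certreq'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request policy file. A standalone CA has no templates, so the Server
#    Authentication EKU (1.3.6.1.5.5.7.3.1) and the SAN entries have to be
#    requested explicitly; 'localhost' is added so https://localhost matches.
@"
[NewRequest]
Subject = "CN=$HostName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}dns=$HostName&dns=localhost"
"@ | Set-Content -Path "$Work\web.inf" -Encoding ASCII

# 2. Generate the key pair in the machine store and the PKCS#10 request file.
certreq -new "$Work\web.inf" "$Work\web.req" | Out-Null

# 3. Submit to the CA. A standalone CA leaves requests pending by default, so
#    issue the pending request with certutil -resubmit (CA administrator rights)
#    and then retrieve the issued certificate by request ID.
$submit = (certreq -submit -config $CaConfig "$Work\web.req" "$Work\web.cer") -join "`n"
$reqId  = [regex]::Match($submit, 'RequestId:\s*(\d+)').Groups[1].Value
if ($submit -match 'pending') {
    certutil -config $CaConfig -resubmit $reqId | Out-Null
    certreq -retrieve -config $CaConfig $reqId "$Work\web.cer" | Out-Null
}

# 4. Install the issued certificate; certreq matches it to the pending request
#    and its private key, and it lands in Cert:\LocalMachine\My.
certreq -accept "$Work\web.cer" | Out-Null

# 5. Check before binding: private key present, subject matches the host name,
#    and the EKU extension really contains Server Authentication.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$HostName" }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
$hasServerAuth = $false
if ($eku) {
    $usages = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku).EnhancedKeyUsages
    $hasServerAuth = [bool]($usages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
}
if (-not $hasServerAuth) { throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU" }

# 6. Bind: add the HTTPS binding to the site and attach the certificate to
#    0.0.0.0:443 through the IIS: drive (WebAdministration module, IIS 7.5).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $Site -Protocol https)) {
    New-WebBinding -Name $Site -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# 7. Smoke test from the server itself (PowerShell 2.0 has no Invoke-WebRequest).
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
$wc.DownloadString("https://$HostName/certsrv/") | Out-Null
"https://$HostName/certsrv/ answered over TLS; bound thumbprint $($cert.Thumbprint)"
```

The subject and SAN names are what the browser compares against the URL, so the name you browse to (the FQDN, and `localhost` only if it is in the SAN) must be in the certificate; the EKU is what IIS and the client check to decide the certificate is usable for TLS at all. Step 5 fails fast on a certificate that has neither, which is the situation described in the original question.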

..."you have to use a "Server Authentication" certificate." - but why can't I use (at least theoretically) the Root CA certificate for the SSL binding? It has "All intended purposes"???
May 30th, 2012 3:59am

Hi, To bind SSL to the Root CA, please refer to the following blog: Bind SSL to the ROOT CA, http://blogs.technet.com/b/ronyyasmine/archive/2010/09/12/bind-ssl-to-the-root-ca.aspx Best Regards, Elytis Cheng, TechNet Community Support
May 30th, 2012 4:14am

I can't remember that this was explicitly stated in the AD CS documentation. The SSL binding is, in my opinion, IIS specific and not really pure AD CS configuration. See also http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis/

In the guide Test Lab Guide: Deploying an AD CS Two Tier PKI Hierarchy you are going to add the Extended Key Usage Server Authentication to issued certificates by adding an Application Policy to the certificate template. You have a stand-alone environment, so you don't have templates and this guide doesn't apply to you. See steps 5 and 6 of the section "To configure a client server authentication certificate template for auto enrollment".

If you want to know more about the basic operations of a PKI I would suggest you take a look at a simpler implementation of RFC 5280 like OpenSSL. Too much automation sometimes makes it hard to understand what is really going on. See http://www.openca.org/~madwolf/ch04s03.html
May 30th, 2012 4:21am

rudy devries, thank you very much!!!
May 30th, 2012 7:59am

Elytis Cheng, thank you! I read this article but am a bit confused: why should I "choose generate domain certificate" if I want to bind SSL to the RootCA certificate that already exists...???
May 30th, 2012 8:02am

Hasain, thank you very much!
May 30th, 2012 8:03am
