After the certification server has been installed, access to its web interface is only possible via http, and is thus unencrypted. To enable encrypted remote access (via https), follow these steps:
- Enable the https protocol for the web interface.
- Create a web server certificate for access to the certification server.
- Assign the web server certificate to the https protocol.
- Export the root certificate from the certification server and import it onto the computers from which you want to request certificates.
Enabling https
- Open the Internet Information Services (IIS) Manager on the certification server and select Bindings.
- Click Add to add the https protocol type.
- For type, select https, and enter the (local) IP address of the certification server. Because the certification authority has not yet issued a web server certificate, select for now the certification authority certificate generated by the role installer (here: Our Company-CA). Confirm with OK and Close.
Creating the web server certificate
- In Internet Explorer, open the web interface on the certification server via https and the local IP address, for example:
https://192.168.143.48/certsrv/
- For now, ignore the certificate error (red background) in the address line; it is expected at this stage, because the certification authority certificate rather than a web server certificate is still bound to https. Select Request a certificate.
- Then select Web Browser Certificate, and, if required, confirm the security prompt with Yes.
- To complete the certificate request form, select More Options and then use the Advanced Certificate Request form. The complete form is displayed.
- Enter a name for the certificate. The name must match the FQDN, the host name or the IP address of the certification server. If host names are resolvable in the network, we recommend the FQDN; otherwise use the IP address.
- Select the following options here:
  - Server Authentication Certificate
  - a Cryptographic Service Provider (CSP) that allows the hash algorithm SHA256 to be selected
  - a key size of 2048 or higher
  - Mark key as exportable
  - the hash algorithm SHA256 or higher
- Confirm with Submit.
The certificate request is confirmed.
- Now open the certification authority console on the certification server (Control Panel → Administrative Tools → Certification Authority), select the requested certificate under Pending Requests and issue it with Issue.
- Reopen the web interface on the certification server with, for example:
https://192.168.143.48/certsrv/
- Select View the status of a pending certificate request.
- Select the certificate you just requested (generally the last one) and, if necessary, confirm the security prompt with Yes.
- Select Install this certificate.
- The web server certificate is installed automatically in the current user's certificate store. IIS, however, needs it in the computer's certificate store, so you must first export it and then import it there.
- When exporting, make sure that you also export the private key, keep the default export format settings, and set a password that you will need again when importing.
- When importing, re-enter the password, leave the option Include all extended properties enabled, choose Local Computer as the store location, and select Personal as the certificate store.
Assigning the web server certificate to the https protocol
- You can now assign the web server certificate to the web server’s https protocol. To do so, open the certification server’s Internet Information Services (IIS) Manager again and select Bindings.
- In the https binding, select the new web server certificate as the SSL certificate. Confirm with OK and Close.
- Restart the IIS Admin Service.
Distributing the root certificate
- Export the certification authority's root certificate from the MMC on the certification server. You can keep the default file format settings; only the certificate itself is exported, never the certification authority's private key.
- Import the root certificate into the Trusted Root Certification Authorities store on each computer from which you want to request certificates from the certification server. Internet Explorer then no longer reports a certificate error for the certification server.
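As an added example (not part of the original guide), the following PowerShell script checks after the steps above that the certificate bound to the https site meets the request-form requirements (Server Authentication, RSA key of at least 2048 bits, SHA256 signature, name matching the FQDN or host name) and then exports the root certificate for distribution to the client computers. It assumes the IIS site name Default Web Site, the CA name Our Company-CA from this guide, an output folder C:\Temp, and the WebAdministration and PKI modules on the server.

```powershell
# Added example, not part of the original guide: checks that the certificate
# bound to the https site meets the requirements from the request form above,
# then exports the CA root certificate (public part only) for distribution.
# Assumptions: IIS site name "Default Web Site", CA name "Our Company-CA",
# output folder C:\Temp. Run in an elevated Windows PowerShell on the server.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$caName   = 'Our Company-CA'
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Locate the https binding and the certificate it references.
$binding = Get-WebBinding -Name $siteName -Protocol https
if (-not $binding) { throw "No https binding found on site '$siteName'." }
$store = $binding.certificateStoreName
$cert  = Get-Item "Cert:\LocalMachine\$store\$($binding.certificateHash)"

# 2. Verify the properties the request form asked for (a certificate issued
#    to an IP address instead of a name is not covered by the first check).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$checks = [ordered]@{
    'Name matches FQDN or host name'  = ($cert.DnsNameList.Unicode -contains $fqdn) -or
                                        ($cert.DnsNameList.Unicode -contains $env:COMPUTERNAME)
    'Server Authentication EKU'       = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    'RSA key size >= 2048'            = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
    'Signed with SHA256 or stronger'  = $cert.SignatureAlgorithm.FriendlyName -match 'sha(256|384|512)'
    'Private key present (machine)'   = $cert.HasPrivateKey
    'Issued by our CA'                = $cert.Issuer -match [regex]::Escape($caName)
    'Still valid'                     = (Get-Date) -lt $cert.NotAfter
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-34} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}

# 3. Export the CA root certificate in DER format (.cer); the file contains
#    no private key and is safe to copy to the client computers.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match [regex]::Escape($caName) } |
        Select-Object -First 1
if (-not $root) { throw "Root certificate for '$caName' not found." }
$null = Export-Certificate -Cert $root -FilePath 'C:\Temp\OurCompanyRootCA.cer' -Type CERT

# 4. On each client computer, import the file into the machine's trusted
#    root store (run elevated; the share path is a placeholder):
#    Import-Certificate -FilePath '\\server\share\OurCompanyRootCA.cer' `
#                       -CertStoreLocation Cert:\LocalMachine\Root
```

A FAIL in the name or EKU check means browsers will keep reporting a certificate error even after the root certificate has been distributed, so repeat the request with corrected form values before rolling the root certificate out.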