Using MMC to request a new certificate

The most common way that I see administrators interface with the certificates on their systems is through the MMC snap-in tool. MMC is short for Microsoft Management Console, and by using MMC you can administer just about anything in the operating system. Though it is perhaps a greatly underutilized tool, I generally only see it being opened for a few select tasks. Requesting certificates is one of those tasks.

We are going to use the MMC console on a new server that we have in our network. There is a new certificate template that has been created, and we would like to issue one of these certificates to our new web server.

Getting ready

A Server 2016 Enterprise Root CA server is online and running in our network. On it, we have configured a new certificate template called IPsec Certificate. The steps have been taken to publish this template so that it may be requested from computers in our network. We are now working from a brand new web server that is also running Server 2016 and joined to our domain, where we are going to accomplish the work of manually requesting a certificate from the CA server.

How to do it…

Follow these steps to request a new certificate using the MMC console:

  1. Open an elevated Command Prompt on our new web server (working in the Local Computer certificate store requires administrator rights), type mmc, and press Enter. Alternatively, you could open MMC from the Start screen.
  2. Now inside the MMC console, click on the File menu, then on Add/Remove Snap-in….
  3. Choose Certificates from the list of available snap-ins and click on the Add button. This will bring up a new window with some more choices about the Certificates snap-in.
  4. First, we need to choose whether we are opening the user certificate store, the Service account store, or the Computer certificate store. I don't generally see the Service account option used in the field. The selection here depends on what type of certificate you are requesting: a certificate that identifies the machine itself (such as the IPsec certificate in our example) belongs in the Computer store, while a certificate that identifies a person belongs in that user's store. Choose Computer account and click Finish.


  5. Leave the next option set on the Local computer and click Finish again.
  6. Click OK.
  7. There are also MSC launchers that take you into the certificate stores even faster. Use them from Start | Run or from a Command Prompt by typing one of the following commands:
    • CERTMGR.MSC opens the current user's certificates
    • CERTLM.MSC opens the computer's certificates (the same view as the Computer account snap-in we just added)

  8. Now back inside the main MMC console, expand Certificates (Local Computer) and select the Personal folder. You can see that there are currently no certificates installed here.
  9. Right-click on the Personal folder and navigate to All Tasks | Request New Certificate….


  10. Click Next.
  11. On the Select Certificate Enrollment Policy screen, Active Directory Enrollment Policy is automatically selected. Simply click Next again to go on to the next screen.
  12. Now we see a list of certificate templates that are available to us. Check the boxes for the templates you want to request certificates from and click Enroll.


Tip

If you are expecting to see a particular template here but it doesn't show up in the list, click on Show all templates. This will display a list of all templates on the CA server and give an explanation for each as to why it is not currently available. This can help for troubleshooting purposes.
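The same enrollment can be scripted, which is handy when the web server is one of many. The PowerShell below is an added example and is not part of the original recipe; it reproduces steps 8 through 12 (check the Personal store, request a certificate from the Active Directory enrollment policy, verify the result) and the "Show all templates" tip. It assumes the PKI module is present (it is on Server 2012 and later), that the template's internal name is IPsecCertificate while its display name is IPsec Certificate (the MMC shows display names; the two can differ, so check the template's properties on the CA), and that the template builds the subject from Active Directory so no subject name has to be supplied. Run it from an elevated PowerShell prompt on the domain-joined web server.

```powershell
# Added example, not code from the original recipe.
# Assumed names: adjust to the template actually published on your CA.
$TemplateName    = 'IPsecCertificate'        # internal (short) template name, assumed
$TemplateDisplay = 'IPsec Certificate'       # display name as shown in the MMC wizard
$StorePath       = 'Cert:\LocalMachine\My'   # = Certificates (Local Computer) \ Personal

# Equivalent of the "Show all templates" tip: list the templates this CA is
# configured to issue, together with whether this computer passes the access check.
certutil -CATemplates

# Step 8 equivalent: see whether a certificate from this template is already
# in the computer's Personal store. Templates stamp the certificate with either the
# "Certificate Template Information" extension (OID 1.3.6.1.4.1.311.21.7, version 2
# and later templates) or the "Certificate Template Name" extension
# (OID 1.3.6.1.4.1.311.20.2, version 1 templates), so match on both.
function Get-CertsFromTemplate {
    param(
        [string]$Store,
        [string]$DisplayName,
        [string]$Name
    )
    Get-ChildItem $Store | Where-Object {
        $ext = $_.Extensions | Where-Object {
            $_.Oid.Value -in @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')
        }
        if (-not $ext) { return $false }
        $text = ($ext | ForEach-Object { $_.Format($false) }) -join ' '
        ($text -like "*$DisplayName*") -or ($text -like "*$Name*")
    }
}

$existing = Get-CertsFromTemplate -Store $StorePath -DisplayName $TemplateDisplay -Name $TemplateName
if ($existing) {
    Write-Output "Certificates already issued from '$TemplateDisplay' in $StorePath :"
    $existing | Format-Table Subject, NotBefore, NotAfter, Thumbprint -AutoSize
}

# Steps 9 to 12 equivalent: enroll against the Active Directory enrollment policy
# (-Url ldap:) and place the result in the Local Computer Personal store.
$result = Get-Certificate -Template $TemplateName -Url 'ldap:' -CertStoreLocation $StorePath

switch ($result.Status) {
    'Issued' {
        $cert = $result.Certificate
        Write-Output "Issued: $($cert.Subject)"
        Write-Output "  Issuer:     $($cert.Issuer)"
        Write-Output "  Valid:      $($cert.NotBefore) to $($cert.NotAfter)"
        Write-Output "  Thumbprint: $($cert.Thumbprint)"
        # Before pointing IPsec at this certificate, make sure the private key
        # actually landed in the machine store next to it.
        if (-not $cert.HasPrivateKey) {
            Write-Warning 'Certificate was issued but no private key is present in the store.'
        }
    }
    'Pending' {
        # The template requires CA manager approval. The pending request is kept in the
        # computer's Certificate Enrollment Requests store; once a CA manager has issued
        # it, retrieve the certificate with:
        #   Get-Certificate -Request $result.Request
        Write-Output 'Request submitted and is pending CA manager approval.'
    }
    default {
        Write-Warning "Enrollment did not complete; status was '$($result.Status)'."
    }
}
```

The access-check column that certutil -CATemplates prints is the scripted counterpart of the explanation the wizard gives under Show all templates: if the template is published but the computer account lacks Enroll permission on it, that is where you will see it, and Get-Certificate will fail for the same reason the template is missing from the MMC list.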

How it works…

Utilizing the MMC console is a quick and easy way to request new certificates manually. In an Active Directory environment, any certificate template on the CA server that your account (here, the computer account) has permission to enroll will be visible in the wizard and easy to enroll. Our example today displayed the enrollment process for a machine certificate that we are planning to use in the future for IPsec authentication. However, there are many cases where you may want to issue user-level certificates rather than computer certificates. In those cases, choose My user account when adding the Certificates snap-in, where in our example we chose Computer account; the requested certificate then lands in that user's Personal store instead of the computer's.
