Using the web interface to request a new certificate

Sometimes when requesting a new certificate, you may not have access to query certificate services directly by using a tool such as the MMC snap-in. Or perhaps you want to provide a way for users to be able to request certificates even while outside the office. By enabling the web services portion of the CA role, we turn on a website that runs on our CA server. This website can be accessed from inside the corporate network and could potentially even be published out to the Internet with some kind of a reverse proxy solution.

For our recipe today, let's access the web interface that is now running on the CA server where we installed the web services part of the CA role. We will use this website to request and acquire a certificate on our client computer.

Getting ready

Our Enterprise Root CA is a Windows Server 2016 machine that has the Active Directory Certificate Services role installed. When we installed and configured the role, we made sure to select the option for the web service so that we could make use of it to request a new certificate.

How to do it…

We do not have to be logged into the CA server directly to accomplish this work. Instead, we are logged into a new web server in our environment. From this web server, we take the following steps:

  1. Open Internet Explorer and browse to https://<CAServerName>/CertSrv/. In our case, it is https://CA1/CertSrv/.


    Tip

    Make sure you access the site using HTTPS, or you will not be allowed to finish requesting a certificate later in the wizard.

  2. Click on Request a certificate.
  3. You will see there is a pre-built request in there for acquiring a user certificate. For one of those, you simply click on that link, then click Submit on the next screen. However, to dig a little deeper with our recipe, we are going to request an SSL certificate, not a user certificate. To start the process, click on advanced certificate request.
  4. Choose Create and submit a request to this CA.
  5. Click Yes if prompted with the following message:


  6. Choose the Certificate Template that you would like to use in order to accomplish your certificate request. On my Root CA server where the web services are installed, I set up a new template, which I duplicated from the Web Server template with my specific certificate requirements. I called this template Custom Web Server and have published it to be available for enrollment.
  7. Because this is an SSL certificate, I need to populate the regularly requested information. My website name and company contact info are entered here.
  8. The rest of the options available to change are already configured as I want them to be. This is because when I set up my Custom Web Server template, I already specified all of these item defaults. Here is my request:

  9. Click Submit.
  10. Your browser will spin for a minute while the CA server creates the new certificate based on the information that you entered. When it is finished, you should have a link to click on called Install this certificate. Go ahead and click that link.
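
To confirm what the wizard actually installed, the following PowerShell check lists certificates issued in the last hour and reports whether each has a private key, carries the Server Authentication EKU, covers the expected website name, and passes chain validation. This is an added example, not part of the original recipe; the name `sharepoint.example.local` is a placeholder for the website name entered in step 7, and the one-hour window is an assumption.

```powershell
# Added example: verify the certificate installed by the web enrollment wizard.
# $ExpectedName is a placeholder; substitute the website name entered in step 7.
$ExpectedName  = 'sharepoint.example.local'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU
$Since         = (Get-Date).AddHours(-1)  # assumed window: issued within the last hour

# Check both Personal stores; which one the browser used is not assumed here.
Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.NotBefore -ge $Since } |
    ForEach-Object {
        # Names the certificate covers: SAN DNS entries plus the subject common name.
        $names = @($_.DnsNameList | ForEach-Object { $_.Unicode }) +
                 $_.GetNameInfo('SimpleName', $false)
        # OIDs of the enhanced key usages listed in the certificate.
        $ekus  = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        [pscustomobject]@{
            Store         = $_.PSParentPath -replace '^.*::', ''
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey               # required to bind the cert to a site
            ServerAuthEku = $ekus -contains $ServerAuthOid
            NameMatches   = $names -contains $ExpectedName
            ChainValid    = $_.Verify()                    # default chain policy, includes revocation
            Thumbprint    = $_.Thumbprint
        }
    } | Format-List
```

A certificate that shows `HasPrivateKey : False`, or that appears in the wrong store for the service that will use it, will not be usable for an HTTPS binding even though the wizard reported success.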


How it works…

Running the web service on your CA server can be beneficial because it allows another method of requesting certificates. In this recipe, we were able to very quickly pull open our CA certificate requesting webpage and walk through some simple steps. This enabled us to download a new certificate that we are planning to use with our new web server's SharePoint site.

Because our web server is inside the corporate network, we could have also accomplished this request right from the Certificates MMC console. However, if our web server had been in a different building separated by networking equipment and firewalls, this may not have been an option for us. Or if we were trying to acquire a certificate from another machine that didn't have the MMC access for one reason or another, this web service is a nice way to accomplish the same task.
