Sometimes when requesting a new certificate, you may not have access to query certificate services directly by using a tool such as the MMC snap-in. Or perhaps you want to give users a way to request certificates even while outside the office. By enabling the web services portion of the CA role, we turn on a website that runs on our CA server. This website can be accessed from inside the corporate network and could potentially even be published out to the Internet with some kind of reverse proxy solution.
For our recipe today, let's access the web interface that is now running on the CA server where we installed the web services part of the CA role. We will use this website to request and acquire a certificate on our client computer.
Our Enterprise Root CA is a Windows Server 2016 machine that has the Active Directory Certificate Services role installed. When we installed and configured the role, we made sure to select the option for the web service so that we could make use of it to request a new certificate.
We do not have to be logged into the CA server directly to accomplish this work. Instead, we are logged into a new web server in our environment. From this web server, we take the following steps:
Browse to https://<CAServerName>/CertSrv/. In our case, it is https://CA1/CertSrv/.
Running the web service on your CA server can be beneficial because it provides another method of requesting certificates. In this recipe, we were able to very quickly open our CA's certificate request web page and walk through some simple steps. This enabled us to download a new certificate that we are planning to use with our new web server's SharePoint site.
Because our web server is inside the corporate network, we could have also accomplished this request right from the Certificates MMC console. However, if our web server had been in a different building separated by networking equipment and firewalls, this may not have been an option for us. Or if we were trying to acquire a certificate from another machine that didn't have the MMC access for one reason or another, this web service is a nice way to accomplish the same task.
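The following is an added example, not part of the original recipe: one way to prepare the request on the web server itself so that the private key never leaves that machine and only the public request is pasted into the CertSrv page. It assumes the site offers the advanced request option that accepts a base-64 PKCS #10 request; the subject name web1.example.local, the C:\CertReq folder, and the file names are hypothetical.

```powershell
# Added example: web1.example.local and C:\CertReq are hypothetical names.
$subject = 'web1.example.local'
$workDir = 'C:\CertReq'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Request policy for certreq.exe. The key pair is generated in the machine
# store and marked non-exportable, so only the public request leaves this server.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$subject"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$subject&"
"@
Set-Content -Path "$workDir\request.inf" -Value $inf -Encoding ASCII

# Create the key pair and the base-64 PKCS #10 request file.
certreq.exe -new "$workDir\request.inf" "$workDir\request.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Paste the contents of request.req into the CertSrv request page, choose the
# certificate template there, and save the issued certificate as certnew.cer.
$issued = "$workDir\certnew.cer"
if (Test-Path $issued) {
    # Pair the issued certificate with the pending private key.
    certreq.exe -accept $issued
    # Confirm the installed certificate is bound to the key created above.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$subject" } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}
```

Run the script once to create the request, submit it through the website, then run it again after saving certnew.cer to complete the installation.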