In order for this to work correctly, you need Active Directory installed and configured. You can still set up certificates on IIS without Active Directory (abbreviated: AD), but when you try to access the encrypted web page from a client computer, the web browser will complain. It will say something about the certificate being issued by an unknown authority. Don’t worry about this (for now), but your clients might. That’s normal, since your web browser does not have your “makeshift” CA’s public key or certificate in its Certificate Store.

(Remember that the certificate is signed with the third-party CA’s private key. The browser then verifies that signature with the CA’s public key; most big certificate companies have their public keys embedded in the web browser. Once the signature checks out, the browser accepts that the public key in the certificate is valid and belongs to the website.)

Either way, whether it complains or not, the encryption will still be on, but your browser might not trust it.
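To see the “unknown authority” decision the browser makes, here is an added example (not part of the original walkthrough) that loads a certificate file and asks Windows whether it chains to a root this machine trusts. It assumes Windows PowerShell with the .NET X509 classes and a certificate file such as the certnew.cer you download later in the walkthrough; the path is an assumption, change it to wherever you saved the file.

```powershell
# Added example: does this certificate chain to a root the local machine trusts?
# This is the same check a browser performs before deciding whether to complain.
param(
    [string]$CertPath = "$env:USERPROFILE\Desktop\certnew.cer"   # assumed location
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# A freshly built lab CA has no reachable CRL yet; skip revocation so that an
# unreachable CRL does not hide the trust result we actually want to see.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$trusted = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"Sig alg : $($cert.SignatureAlgorithm.FriendlyName)"
"Chain   :"
foreach ($element in $chain.ChainElements) { "  - $($element.Certificate.Subject)" }

if ($trusted) {
    "Result  : chains to a trusted root; a browser using this store will not warn."
} else {
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    "Result  : NOT trusted ($flags)"
    if ($flags -match 'UntrustedRoot|PartialChain') {
        "The issuing CA's certificate is not in this machine's Trusted Root store."
        "Domain-joined clients pick up an Enterprise root CA's certificate through AD;"
        "for a client outside the domain, export it on the CA with 'certutil -ca.cert ca.cer'"
        "and import it on the client with 'certutil -addstore -f Root ca.cer' (as administrator)."
    }
}
```

Run it on the server first, where the CA’s root is already trusted, and then on a client that is not in the domain: the same file gives a trusted result on one and UntrustedRoot on the other, which is exactly the difference between the two browser experiences described above.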

Step 1: IIS service installation

  1. Click Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components
  2. Click Application Server on the window that pops up.
  3. Follow the wizard; it will probably ask you for the CD. If it complains that it cannot find some file on the CD, click Browse, locate the file on the CD, then hit Retry.
  4. Once the installation ends, go to Start > Administrative Tools > Internet Information Services (IIS) Manager. There you should have the Web Sites and FTP Sites folders on the side of the window, where you will do most of your work.

Step 2: Certificate Authority Installation

  1. Click Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components
  2. Click Certificate Services on the window that pops up.
  3. You will most likely get a warning about domain membership. Click Yes.
  4. When you hit the CA Type window, choose Enterprise root CA. Click Next.
  5. CA Identifying Information: just type in the server name for the Common name.
  6. When you hit the Certificate Database Settings window, click Next.
  7. It’ll ask you to stop IIS. Click Yes, then click Finish once the installation finishes up.

To access the Certificate Authority, go to the Administrative Tools. You can also access it through the Microsoft Management Console snap-ins, also known as mmc (Start > Run > mmc).

Step 3: Creating the certificate on the web server

  1. Open up the Internet Information Services (IIS) Manager from the Administrative Tools. By now you should know how to get there.
  2. Expand the Web Sites folder on the left side. Right click the Default Web Site. Go to Properties.
  3. Go to the Directory Security tab in the window that pops up.
  4. Go to the Server Certificate button and click on it. A wizard pops up, start following.
  5. Choose Create a new certificate and hit Next.
  6. Click Next on the Delayed or Immediate Request page. We will be signing our certificate ourselves, so we do not need to send it to a third-party company. So, by default, we’re going to prepare the request now but send it later.
  7. Don’t worry about the name for the website for now. You can change it if you want to.
  8. On the Your Site’s Common Name page, type in either the IP address or the name of the server. Make sure it is a name that DNS can resolve. I usually like to put the NetBIOS name and the domain:
    1. Such as dodo.workhorse.com, dodo being the NetBIOS name, workhorse.com being the domain.
  9. Hit Next.
  10. Fill out the demographic information.
  11. Choose the location of the certificate request. Just put it on the desktop.
  12. Finish up the wizard.
  13. Open up your favorite web browser, for this walkthrough we’ll use Internet Exploder.
  14. Go to http://<server name or IP>/certsrv
  15. Go to the Request a certificate link and click on advanced certificate request.
  16. Click on the Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file.
  17. Open up your certreq.txt (the certificate request file you created earlier and placed on your desktop). Copy and paste all the gibberish that’s in the file into the Saved Request: box.
  18. For the Certificate Template choose Web Browser.
    1. If you only see Basic EFS and User in your templates, reinstall the Certificate Authority. The problem most likely has something to do with permissions; you can try to repair them by opening the Certificate Templates console (certtmpl.msc in the Run box in the Start menu).
  19. Click Submit button.
  20. On the Certificate Issued page, click Download Certificate. Choose between DER encoded and Base 64 encoded.
  21. Save the certificate to your desktop.
  22. Go back to the Server Certificate button in the Directory Security tab in the Permissions of your Default Web Site.
  23. Go through the wizard and choose Process the pending request and install the certificate.
  24. Find your certificate on the desktop by clicking the Browse button. The file name should be something like certnew.cer.
  25. Choose the SSL port. Default should be 443. Keep it that way.
  26. Finish up the wizard.
  27. Open up Internet Exploder. Go to https://<server name or IP>/ on either the server or a client machine. Note the S in https://; it means the connection will be encrypted.
  28. It’ll probably ask you to choose a certificate. Choose the default one if you have any. You can change whether client certificates are ignored or accepted in the Directory Security tab by hitting the Edit button in the Server Communications part.
  29. The web site should open up without any problems or complaints. If you get a complaint about a certificate that is not trusted, don’t worry.
    1. Make sure to type in whatever you used for the common name (IP or server name). If you type in something else, it’ll complain about the certificate not being trusted or a domain name mismatch (but it will still work).
  30. Notice the padlock.
  31. The connection between the server and the client is now encrypted. The certificate that the web site requested you to accept certifies that the connection is encrypted.
  32. Clicking the View Certificate button will give you plenty of information about it (such as who issued it, expiration date, signature algorithm, public key, etc.).
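The two warnings mentioned in steps 27 to 29 (certificate not trusted, domain name mismatch) are decided during the TLS handshake. The following added example (my own code, not from the walkthrough) connects to the new site the way a browser does and reports both verdicts together with the certificate details that step 32 shows in the View Certificate dialog. It assumes Windows PowerShell; dodo.workhorse.com is the sample name from step 8, replace it with the common name you actually used.

```powershell
# Added example: perform a TLS handshake with the IIS site and report what
# Windows' certificate validation decided, without the browser in the way.
param(
    [string]$HostName = "dodo.workhorse.com",   # the common name from step 8 (assumed)
    [int]$Port = 443
)

$script:policyErrors = $null

# The callback records the platform's verdict, then accepts the connection anyway
# so the handshake completes and we can inspect the certificate that was presented.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    # Passing the name we typed in is what triggers the name-mismatch check.
    $ssl.AuthenticateAsClient($HostName)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    "Connected to $($HostName):$Port with $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)"
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
    "Signature  : $($cert.SignatureAlgorithm.FriendlyName)"
    "Thumbprint : $($cert.Thumbprint)"

    $errors       = $script:policyErrors
    $nameMismatch = ($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0
    $chainErrors  = ($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0

    if ($nameMismatch) { "WARNING: '$HostName' is not the name in the certificate (the step 29 mismatch complaint)." }
    if ($chainErrors)  { "WARNING: the certificate does not chain to a root this machine trusts (the 'unknown authority' complaint)." }
    if (-not $nameMismatch -and -not $chainErrors) { "OK: a browser on this machine shows the padlock without complaint." }
}
finally {
    $client.Close()
}
```

Run it once with the exact common name and once with another name the server also answers to; the second run shows the name-mismatch warning while the handshake itself still succeeds, which is why step 29 says the site keeps working despite the complaint.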

Obtaining user certificates on the client computers

Sometimes you will be required to present a certificate to the server when accessing a website from a client computer. To install the certificate, follow these steps:

  1. Open up your web browser and go to http://<server name or IP>/certsrv
  2. On the page that opens up, go to Request a Certificate and hit User Certificate
  3. Select the Key Strength. The keys will be generated and the Certificate Issued page will open up.
  4. Click Install this Certificate.
  5. You’re done.
  6. Go have a beer.
