Monday, February 27 2017

How to Install a Certificate Authority on Windows Server 2012

Step 1:

You need to have this role installed to have a Certificate Authority. It can be on a DC or on the Exchange server itself.
I have done this on the Exchange Server itself (no harm).

Open Server Manager – Manage – Add Roles and Features

Step 2:

Choose: Active Directory Certificate Services

Choose Next

And choose: Certification Authority Web Enrollment

Choose:

Certification Authority

Certification Authority Web Enrollment

Choose Install

Choose Close

Step 3:

To configure Active Directory Certificate Services:

Choose the exclamation mark on the flag

Choose Next

Choose Certification Authority & Certification Authority Web Enrollment

Choose Enterprise

Step 4:
Choose Root CA

Step 5:
Create a new Private key

Step 6:
Keep the default key length of 2048.

Updated: it is recommended to use SHA256, as SHA1 is being retired.

To upgrade your existing internal CA:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Step 7:
Click Next

Step 8:
By default the certificate is valid for 5 years. Don’t make any changes to it; click Next.

Step 9:

Choose Configure

Installation and configuration are done.
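
The same installation as Steps 1 to 9, scripted with the AD CS deployment cmdlets. This is an added example, not part of the original post; it selects SHA256 at install time, assumes an elevated session on a domain-joined server under an Enterprise Admins account, and leaves the CA name at its default.

```powershell
# Added example: scripted equivalent of Steps 1-9 (not from the original post).
# Assumes an elevated session, a domain-joined server, and Enterprise Admins rights.
$ErrorActionPreference = 'Stop'

# Steps 1-2: add the Certification Authority and Web Enrollment role services.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 3-8: Enterprise Root CA, new 2048-bit private key, SHA256, 5-year validity.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
}
Install-AdcsCertificationAuthority @caParams -Force

# Step 9: configure the Web Enrollment pages (the CertSrv virtual directory in IIS).
Install-AdcsWebEnrollment -Force

# Check: the CA service is running and the signing hash is SHA256.
Get-Service -Name CertSvc
certutil -getreg ca\csp\CNGHashAlgorithm

# Existing CA that was installed with SHA1: the registry change shown in Step 6
# takes effect only after Certificate Services restarts, and it applies to
# certificates and CRLs issued from then on.
# certutil -setreg ca\csp\CNGHashAlgorithm SHA256
# Restart-Service -Name CertSvc
```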

Let us see how to request and create a simple certificate from the internal Certificate Authority.

Step 10:
Now if you open IIS Manager, you will see that a virtual directory named “CertSrv” has been created.

Use “Browse *:443 (https)” in the right-side column.

Note:

If you don’t see “Browse *:443 (https)”, it means the binding is not there. In my example with Exchange 2013, Exchange added the binding.

To add the binding – right-click Default Web Site – click Edit Bindings

Click Add

HTTPS – 443 – choose the CA cert

Now you can see 443 in your website.

Step 11:
You will see a page like this. Choose Request a Certificate

Step 12:
Click on Advanced Certificate Request

Step 13:
Choose the second option: “Submit a certificate request by using a base-64-encoded CMC”

Step 14:
Now copy the certificate request text from Notepad and paste it in. You have to generate the certificate request from the application, for example the way we do it in Exchange Server:

http://www.careexchange.in/how-to-create-an-ssl-certificate-request-for-exchange-server-2013/

Or you can use https://www.digicert.com/util/

Choose Template: WebServer

Step 15:
Choose “Base 64 encoded”

Step 16:
Save the Certificate
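
Where the request text for Step 14 comes from, and how Steps 13 to 16 look without the web pages, shown with certreq as an added example that is not part of the original post. The host name, the CA config string and the working folder are placeholders.

```powershell
# Added example: placeholders throughout; replace with your own host and CA names.
$ErrorActionPreference = 'Stop'
$subject  = 'mail.contoso.example'                  # placeholder FQDN for the certificate
$caConfig = 'ca01.contoso.example\contoso-CA01-CA'  # placeholder "CAHostName\CA common name"
$work     = Join-Path $env:TEMP 'webserver-req'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request policy: 2048-bit machine key, SHA256-signed PKCS#10 request, DNS name in the SAN.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$subject"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
HashAlgorithm = SHA256
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$subject&"
"@
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# Creates the key pair on this machine and writes the base-64 request text,
# which is what gets pasted into the web form in Step 14.
certreq -new "$work\request.inf" "$work\request.req"

# Steps 14-15 without the browser: submit with the WebServer template and save
# the issued certificate. The account needs Enroll permission on that template.
certreq -submit -config $caConfig -attrib "CertificateTemplate:WebServer" "$work\request.req" "$work\server.cer"

# Step 16 and installation: pair the issued certificate with the private key created above.
certreq -accept "$work\server.cer"

# Review subject, SAN and signature algorithm before binding it in IIS or Exchange.
certutil -dump "$work\server.cer"
```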

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and publisher of CareExchange.in, supporting/deploying/designing Microsoft Exchange for some years. Extensive experience with Microsoft technologies.

79 comments

  1. Great job. thank you!

  2. Hi, many thanks for the write up.

    Will this cert enable internal Outlook users to connect to internal Exchange Server 2013?

    Thanks in advance

    Ajay Paul

  3. Thanks Satheshwaran,
    I have a 2012 DC and Exchange 2007 SP3. Can I use this certificate with it, and how can I import it to Exchange?

  4. Thanks for the guide! I’m getting the following message when trying to request a certificate by using a base-64-encoded CMC: “No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing Active Directory.” This is a brand new Windows Server 2012 installation and I followed your guide from start to finish. Any ideas?

    Steve

  5. Thanks, I’m not sure what happened but I uninstalled ADCS and reinstalled it and everything is working properly now.

  6. Great post… thanks. This helped me a lot.

  7. Hi Rajnish.

    Are we missing a step or two?

    When IIS is installed HTTPS is not enabled. In Step 10 the option to browse “Use the right side column “Browse *.443(https)” is not available.

    Step 14 requires clarification – Now Copy the Note pad – We need an explanation of where the data in the Notepad is coming from.

    Please review and clarify

  8. No https. You have left out some important parts !!!!!!!!!!!

  9. Is it possible to migrate a 2008 CA server to another 2012 CA server?

  10. OK – I’m at Step 14 – where does the NOTEPAD info come from !!! ?

    I’m TESTING Exchange so don’t have a proper certificate
    Will this work with a self-signed Certificate ?

    (there is little or no information about using Self-Signed Certs with Exchange – I appreciate I’ll need one eventually if and when this gets into production)

  11. I don’t have Web Server in the certificate templates.
    Why?
    Someone help me.

  12. Great information, but request the following information:

    In step 10 am I right clicking each port and copying information from each port, then copying into notepad, then pasting the information from notepad in step 14.
    You have done a great job with your post and I am probably being naïve, but clarification would be appreciated.

  13. Good job mate, well done.

  14. And Where can I Find the Certificate Request file? Which is the location of the file?

  15. As the others have mentioned, While in IIS Manager, only Browse *.80 (http) is available to select. Browse *.443 (https) is not seen, nor are any others as shown in your description.

    Any Thoughts?

  16. Hi,

    It is possible to deploy a Windows Server 2012 R2 Certificate Authority in a Windows Server 2003 domain.

    Thanks,

    Carlos Santos

  17. Hey,

    In Step 3: Setup type -> Specify the setup type of the CA -> the 1st option “Enterprise CA” is greyed out for me. What should I do to enable it? Please suggest.
    Thank you

  18. Great post… thank you. This post helped me a lot.

  19. DID EXACTLY WHAT YOU INSTRUCTED AND IT DID NOT WORK FOR ME! I am having the same issue at step 10 that others have been telling you about. You have assumed that when we get there that “Browse: 443 (https)” will be on the right, and my friend, for some of us including myself, it “DOES NOT APPEAR”. And since it does not appear, when we get to step 14, the screen for the certificate text is blank. THEREFORE, YOUR INSTRUCTIONS FOR US WHO DO NOT SEE “443”, YOUR INSTRUCTIONS ARE NOT CORRECT! Please make note of this and adjust your post!

    • Updated the blog. If you are installing this on a non-Exchange machine, you have to add bindings to see 443. Check now.

      • To begin with, just the condescending tone of some people… Petty bourgeois, all of it. One needs excess in all things, even if it means sometimes going backwards. You offer us moderation in all things, even if it means not moving an inch. Petty bourgeois, all of it.

  20. Where can I Find the Certificate Request file? I don’t see where you saved it? Can I get help on this please. Thanks!

  21. When I go to certsrv I get no network, what should I do here?

  22. Thank you so much for this Article and Very informative…All the best!!

  23. How do I generate the Certificate before downloading it? Where does the IP address used to log in to the URL come from? When I am in the web browser, it will not take it, e.g. 10.20.34.2/cert/svr.

  24. I do not have a Default Website in the list, thus there is no CertSrv. What could I do to remedy this? I know how to create Sites but the directories… I don’t know where they should point to.

  25. How to migrate CA from Windows 2003 DC to Windows 2012 DC

  26. Hi, many thanks for the write up.

    Will this cert enable external Outlook users to connect to Exchange Server 2013?

    Thanks in advance

  27. Hi
    Will this cert enable external Outlook users to connect to Exchange Server 2013?
    Thanks

  28. Shivendra Mishra

    Hi Satheshwaran,

    Could you please let me know whether we can install the CA on a Windows 7 machine?

  29. Hello,

    Thanks for this guide.

    I’m almost done with it but at Certification template I cannot choose “Web server”. There is only User and Basic template. What did I do wrong?

    Thank you!

  30. Hi Satish,

    I am at Step 14. I am not able to proceed after Step 13. Could you please let me know the location from where I can copy the text and paste it in the request box? I searched in the Certserv folder and in certrqxt, but am not able to see the requested file contents.

    Could you please help me out. Thanks..

  31. When I get to step 14 I am not getting the option to select web server. I am only getting a user option. Is there any way to correct this?

  32. Thank you so much,
    If I create the CA server, can I assign Outlook Anywhere, Autodiscover with this server?
    Afterwards, can I turn it off? Turn it on only when I need it?

    Thank you

  33. I am missing the Web Server certificate template.
    Any suggestions how to create a compatible one for Exchange 2013?

  34. Hi! I could have sworn I’ve been to this website before but after
    going through many of the articles I realized it’s new to me.
    Anyhow, I’m definitely pleased I stumbled upon it and I’ll be book-marking it and checking back often!

  35. Hello,

    I’ve seen internal CA servers more often nowadays. I’m not too familiar with their benefits for a business or company. The only certs I ever had to deal with were from 3rd parties like GeoTrust. So the question is, what are the benefits of having an internal CA server in the environment if it’s usually recommended to have external certs for both internal (Outlook) and external (OWA) users of Exchange? What other benefits will an internal CA server provide? What are the reasons why it would be beneficial for a business to set one up? Please advise as I would like to get this going for our business if there are good benefits.

  36. Very good article. I absolutely appreciate this site.
    Keep it up!

  37. Thanks for the guide. I’m trying to create a User Certificate and I get the error below. What am I missing?
    Your request failed. An error occurred while the server was processing your request.

    Contact your administrator for further assistance.

    Request Mode:
    newreq NN – New Request (keygen)
    Disposition:
    (never set)
    Disposition message:
    (none)
    Result:
    Invalid pointer 0x80004003 (-2147467261 E_POINTER)
    COM Error Info:
    CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
    LastStatus:
    The operation completed successfully. 0x0 (WIN32: 0)
    Suggested Cause:
    No suggestions.

  38. Thanks for some other informative blog. Where else may just I am getting that type of info written in such a perfect way?
    I’ve a undertaking that I’m simply now running on, and I have been on the
    glance out for such information.
