Using Certificate Server 2.0 to Generate a Server Certificate for Use with IIS 5.0
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Certificate Server 2.0 can be used to generate server certificates (as well as other types) for use with Internet Information Services (IIS) 5.0. The procedures described in this article assume that you have Certificate Server 2.0 installed as a Root Certificate authority (this is not a requirement for this to work; however, it adds more complexity to the steps you must follow). You must also have IIS 5.0 running on this computer (this does not need to be the computer that you are enabling SSL/TLS on).
First, create a certificate request file. This file contains information about you, as well as your public key (a public and private key are created when you make this request). For this key to be valid, it must be signed by a root authority. Certificate Server 2.0 can act as a root authority. When the request file has been generated, submit that request to Certificate Server 2.0. Perform the following steps to accomplish this:
- Open Internet Explorer and browse to the site http://certificate server/certsrv. The Certificate Server in this URL is the name of the computer that the Certificate Server is running on.
- You should receive a page with several options on it. Choose the Request a Certificate option, and then click Next.
- Under Choose Request Type, select Advanced Request, and then click Next.
- The Web Site Certificate Wizard that generates your key request file uses the standard PKCS #10 (Certificate Request file) format. Choose the Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file option, and then click Next.
- On the next screen, you are presented with two forms. The first form is for the text of your certificate request file. You can browse to the file or simply copy and paste the file (be sure you do not change the format in any way if you do this). If you browse to the file, be sure that you click the button to read the file. Either way, you should see your certificate request file in the top form. When you have accomplished this, click Next.
- Your request should have been received. If you receive an error message here, be sure that the file was not tampered with or modified in any way.
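An added example, not part of the original article: a check to run on the request text before pasting it into the form, following the caution above that the file must not be altered. It verifies the BEGIN/END lines, the base64 body, and that the outer DER length matches the decoded size; the function names and the sample blob are constructed for illustration, and the check is structural only (it does not verify the request's signature).

```python
import base64
import binascii
import re

# Armor labels: the IIS wizard writes "NEW CERTIFICATE REQUEST"; other tools omit "NEW".
PEM_RE = re.compile(
    r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----\r?\n(.*?)\r?\n"
    r"-----END (NEW )?CERTIFICATE REQUEST-----",
    re.S,
)

def der_total_length(der: bytes) -> int:
    """Return the byte length the outer DER SEQUENCE header claims (header + body)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_request_text(text: str) -> str:
    """Return 'ok' or a short reason the pasted request text is damaged."""
    m = PEM_RE.search(text)
    if not m or m.group(1) != m.group(3):
        return "missing or mismatched BEGIN/END lines"
    body = "".join(m.group(2).split())    # drop line breaks and stray whitespace
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "body is not valid base64"
    try:
        claimed = der_total_length(der)
    except ValueError as exc:
        return str(exc)
    if claimed != len(der):
        return f"truncated or padded: header claims {claimed} bytes, got {len(der)}"
    return "ok"

def make_sample() -> str:
    """Constructed stand-in blob (not a real request): SEQUENCE header + filler."""
    filler = bytes(range(256)) * 2
    der = b"\x30\x82" + len(filler).to_bytes(2, "big") + filler
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN NEW CERTIFICATE REQUEST-----", *lines,
                      "-----END NEW CERTIFICATE REQUEST-----"]) + "\n"
```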
Now that you have submitted the request to the Certificate Server, the request must be approved. This is a very simple process. Follow these steps:
- Open the Certificate Authority console (located in Administrative Tools).
- Expand the name of your Certificate Server in the list (the one that processed the request).
- Expand the Pending Requests section.
- You should see the certificate that you uploaded from the browser. Right-click on the certificate, click All Tasks, and then click Resubmit. The certificate should disappear from the list and appear in the Issued Certificates section.
You have just approved your own server certificate using Certificate Server 2.0. There are still two more main issues to address to complete this task. You still need to receive the signed certificate from Certificate Server, and then you must install this on the Web server.
To receive the signed certificate, perform the following steps:
- Open Internet Explorer (this must be the same browser you used in the existing procedures) and browse to the certificate server URL (http://certificate server machine/certsrv).
- Choose the Check on a pending certificate option and click Next.
- On the next screen, you should see a list of any pending request made with this browser. Choose the request you just approved and click Next.
- The following screen will give you the opportunity to download the certificate. Be sure you do not open this file; you need to download it to the local computer. The Certificate Wizard will need access to this file.
Now that you have the certificate response file from Certificate Server, you can install it using the Certificate Wizard in Internet Information Services 5.0. Perform the following steps:
- Open the Internet Services Manager (or custom snap-in as discussed earlier) and browse to the Web site you generated the request for.
- Right-click on the Web site and click Properties.
- Click the Directory Security tab, and then under the Secure Communications section, click Server Certificate.
- You should now see the Web Site Certificate Wizard. Click Next.
- Choose the Process the pending request and install the certificate option and click Next.
- Type in (or browse to) the path of the file you just downloaded from the Certificate Server Web page. When you have done this, click Next.
- You will receive a summary of the certificate you are installing. Read this information to be sure you are installing the correct certificate. Click Next.
- You will receive confirmation that the certificate was installed.
The Web server is now configured to use secure communications using the certificate you just submitted, approved, and installed.
NOTE: Because you used a Certificate Authority (the Certificate Server) that will not be trusted by default on a client's browser, the Certificate Authority Certificate needs to be installed on the client's browser (they will generally receive an error if it is not).
Article ID: 228984 - Last Review: 06/22/2014 20:12:00 - Revision: 3.0