JSI Tip 6395. Certificate Services in a Non-Active Directory Environment: Installation and Issuing Certificates.

Jerold Schulman

March 2, 2003


NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article Q272555 contains:

IN THIS TASK

  • SUMMARY

    • Install the Certificate Server

    • Create an MMC Snap-in to Administer the Certificate Server

    • Create a Certificate Request for an IIS Web Site

    • Submit the Certificate Request Using Certificate Services

    • Approve the Certificate Request

    • Download and Install the Certificate

    • Request a Client Certificate

    • Approve the Client Certificate

    • Install the Certificate on the Client Computer

  • REFERENCES

SUMMARY

This step-by-step article describes how to install and configure a Certificate Server in a non-Active Directory environment. It includes step-by-step instructions for installing the server and client certificates.

Install the Certificate Server

To install a Certificate Server on your Windows 2000 server:

  1. Click Start, point to Settings, and then click Control Panel.

  2. In Control Panel, double-click Add/Remove Programs.

  3. Click Add/Remove Windows Components to start the Windows Component Wizard.

  4. In the Windows Component Wizard, click to select the Certificate Services check box.

  5. Click Yes to confirm that this computer can no longer be renamed and cannot change domain membership.

  6. Click Next.

  7. Click Remote administration mode, and then click Next.

  8. Click Stand-alone root CA, and then click Next.

  9. Type the CA name for your organization, type any additional information you may require, and then click Next.

  10. Click Next.

  11. Click OK to stop the Internet Information Services.
    Note You may be prompted for your Windows 2000 CD-ROM.

  12. When the Windows Components Wizard has completed, click Finish.

Create an MMC Snap-in to Administer the Certificate Server

To add the Microsoft Management Console (MMC) snap-in to administer Certificate Services:

  1. Click Start, and then click Run.

  2. In the Open box, type MMC, and then press ENTER.

  3. On the Console menu, click Add/Remove Snap-in.

  4. Click Add.

  5. In the Add Standalone Snap-in dialog box, click Certification Authority, and then click Add.

  6. Click Local computer, and then click Finish.

  7. Click Close.

  8. Click OK.

  9. Click Console, and then click Save As.

  10. Type a name, and then click Save.

Create a Certificate Request for an IIS Web Site

To request a Web site certificate from the Certificate Services Server:

  1. Start Internet Services Manager.

  2. Double-click your IIS Server.

  3. Right-click the Web site where you want to install the certificate, and then click Properties.

  4. Click Directory Security.

  5. Click Server Certificate to start the Web Server Certificate Wizard.

  6. Click Next.

  7. Click Create a new certificate, and then click Next.

  8. Click Next.

  9. Type a name for the certificate, and then click Next.

  10. Type your organization name and organizational unit, and then click Next.

  11. In the Common name box, type a name for your site by using your computer DNS or NetBIOS name, and then click Next.

  12. Complete the Geographical Information page, and then click Next.

  13. Leave the default name for the certificate request, note the name and location of this file, and then click Next.

  14. Click Next.

  15. Click Finish.

  16. Click OK.

Submit the Certificate Request Using Certificate Services

You must submit the certificate request that you created in the previous procedure to Certificate Services. Certificate Services then issues a certificate that you can install on your Web site. To do this:

  1. Start Microsoft Internet Explorer, and then locate the following URL

    http://CertificateServerComputerName/certsrv

    where CertificateServerComputerName is the name of your Certificate Services server.

  2. Click Request a Certificate, and then click Next.

  3. Click Advanced Request, and then click Next.

  4. Click Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file, and then click Next.

  5. Put the contents of the certificate request file that you created in the previous procedure on the Submit A Saved Requests page. Only put the text that appears between the following two lines:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    -----END NEW CERTIFICATE REQUEST-----


    Note Do not include the BEGIN and END lines. Only use the text that appears between them.

  6. Click Submit.

  7. The Certificate Pending page appears and states:
    Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested. Please return to this web site in a day or two to retrieve your certificate.

    Note: You must return with this web browser within 10 days to retrieve your certificate

    Your certificate request has been submitted.
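
The check below is an added example, not part of the Knowledge Base article: it extracts the text between the BEGIN and END lines, as step 5 asks, and confirms that it decodes to a single DER structure with the outer PKCS #10 layout before you paste it. The function names and the sample request are constructed for illustration; the sample is not a real certificate request.

```python
import base64

BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F  # long form: the next n bytes hold the length
        if n == 0 or pos + n > end:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("DER element runs past the end of the data")
    return tag, pos, pos + length

def request_body(text):
    """Return only the base64 text between the BEGIN and END lines."""
    start, stop = text.find(BEGIN), text.find(END)
    if start < 0 or stop < start:
        raise ValueError("BEGIN/END NEW CERTIFICATE REQUEST lines not found")
    return "".join(text[start + len(BEGIN):stop].split())

def check_request(text):
    """Decode the body, confirm the outer PKCS #10 layout, return DER size."""
    der = base64.b64decode(request_body(text), validate=True)
    tag, pos, end = read_tlv(der, 0, len(der))
    if tag != 0x30 or end != len(der):
        raise ValueError("body is not a single DER SEQUENCE")
    tags = []
    while pos < end:
        child, _, pos = read_tlv(der, pos, end)
        tags.append(child)
    # SEQUENCE { request info SEQUENCE, algorithm SEQUENCE, signature BIT STRING }
    if tags != [0x30, 0x30, 0x03]:
        raise ValueError("unexpected PKCS #10 structure")
    return len(der)

# Constructed 16-byte stand-in with the right outer shape; not a real request.
SAMPLE_DER = bytes.fromhex("300e" "3003020100" "3003060100" "030200aa")
SAMPLE_FILE = BEGIN + "\r\n" + base64.b64encode(SAMPLE_DER).decode() + "\r\n" + END + "\r\n"
```

A request file that was cut short when it was copied fails with ValueError here instead of producing a confusing error on the submission page.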

Approve the Certificate Request

To approve the certificate request, you must manually approve the request by using the Certificate Services MMC that you previously created:

  1. Start the Certificate Services console that you created in the "Create an MMC Snap-in to Administer the Certificate Server" section of this article.

  2. Double-click Certification Authority (local), and then double-click your server.

  3. In the right pane, double-click Pending Requests.

  4. In the right pane, right-click the request, point to All Tasks, and then click Issue.

Download and Install the Certificate

To install the approved certificate, you must first download it from Certificate Services and then install it on your computer:

  1. Start Internet Explorer, and then locate the following URL

    http://CertificateServerComputerName/certsrv

    where CertificateServerComputerName is the name of your Certificate Services server.

  2. Click Check on pending certificate, and then click Next.

  3. Click the request you submitted, and then click Next.

  4. Click Download CA certificate.

  5. In the File Download dialog box, click Save this file to disk, and then click OK.

  6. Specify the location to save the file, and then click Save.

  7. Click Open.

  8. In the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard.

  9. Click Next.

  10. Click Automatically select the certificate store based on the type of certificate, and then click Next.

  11. Click Finish.

  12. Click OK to confirm the import.

  13. Click OK.

Request a Client Certificate

To request a client certificate:

  1. Start Internet Explorer, and then locate the following URL

    http://CertificateServerComputerName/certsrv

    where CertificateServerComputerName is the name of your Certificate Services server.

  2. Click Request a Certificate, and then click Next.

  3. Click Web Browser Certificate, and then click Next.

  4. Complete the Identifying Information boxes, and then click Submit.
    Note Required fields can be determined by the Certificate Services administrator.

  5. The Certificate Pending page appears and states:
    Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested. Please return to this web site in a day or two to retrieve your certificate.

    Note: You must return with this web browser within 10 days to retrieve your certificate

    Your certificate request has been submitted.

Approve the Client Certificate

To approve the client certificate request:

  1. Start the Certificate Services console that you created in the "Create an MMC Snap-in to Administer the Certificate Server" section of this article.

  2. Double-click Certification Authority (local), and then double-click your server.

  3. In the right pane, double-click Pending Requests.

  4. In the right pane, right-click the request, point to All Tasks, and then click Issue.

Install the Certificate on the Client Computer

To install the client certificate:

  1. Start Internet Explorer, and then locate the following URL

    http://CertificateServerComputerName/certsrv

    where CertificateServerComputerName is the name of your Certificate Services server.

  2. Click Check on pending certificate, and then click Next.

  3. Click the request that you submitted, and then click Next.

  4. Click Install this certificate.

  5. The Certificate Installed page appears and states:
    Your new certificate has been successfully installed.

REFERENCES

For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:

228836 Installing a New Certificate with Certificate Wizard for Use in SSL/TLS

324069 HOW TO: Set Up an HTTPS Service in IIS



