Q: How do I request a certificate directly from my domain CA from my Windows machines?

A: Typically, to request a certificate, you complete a certificate request and save it to a file, the request is approved, and you receive the certificate in a file that you then import.

If you use the Windows Certificate Authority integrated with Active Directory (AD), then all machines in the domain trust the domain CA and are able to request certificates directly from the domain CA. It then fulfills the certificate request in real time and places the certificate in the machine's certificate store automatically.

Once the domain CA is configured to accept certificate requests, the easiest way to get a certificate is through the IIS Manager snap-in:

1. Start Internet Information Services (IIS) Manager from Administrative Tools.
2. Select your server in the navigation node.
3. In the IIS section in the main part of the interface, select Server Certificates.
4. Click the Create Domain Certificate... action.
5. Enter the certificate details per normal procedures, such as common name and organization, then click Next.
6. For the Online Certification Authority, click the Select... button. Your Enterprise CA should be listed. Select it. Enter the friendly name for the certificate (it must match how people will access the server), then click Finish.


The certificate will be requested and installed.
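
The same online request can be scripted and the result checked before it is bound to a site. The PowerShell below is an added example, not part of the original FAQ; the host name is constructed, and the `WebServer` template name and the computer account's Enroll permission on it are assumptions.

```powershell
# Added example: request a certificate online from the enterprise CA, then verify it.
# Assumptions: elevated session on a domain-joined machine; the 'WebServer' template
# is published on the CA and this computer account has Enroll permission on it.
$fqdn     = 'web01.corp.example.com'   # constructed name: how clients reach the server
$template = 'WebServer'                # assumed template name

# Submit the request; the enrollment policy and CA are located through Active Directory.
$result = Get-Certificate -Template $template `
    -SubjectName "CN=$fqdn" `
    -DnsName $fqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# A request that needs CA manager approval or is refused does not come back as Issued.
if ($result.Status -ne 'Issued') {
    throw "Certificate not issued (status: $($result.Status)). Check template permissions and pending requests on the CA."
}
$cert = $result.Certificate

# Check 1: the private key was generated locally and is attached to the certificate.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in the machine store."
}

# Check 2: the subject alternative names include the name clients will use.
$sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($sanNames -notcontains $fqdn) {
    throw "SAN list ($($sanNames -join ', ')) does not contain $fqdn."
}

# Check 3: the chain builds to a trusted root and the certificate is valid for TLS with this name.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn)) {
    throw "Certificate $($cert.Thumbprint) failed SSL policy validation for $fqdn."
}

# Report what was installed so it can be bound to the site and tracked for renewal.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Issuer     = $cert.Issuer
}
```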

To see other FAQs, please go to John Savill's FAQs page on Windows IT Pro.
