Microsoft Bob

Just a short, simple blog for Bob to share some tips and tricks.

Be sure to check out my non-technical blog at www.bobsbasement.net.

Month List

IIS 6: Setting up SSL - Appendix B: Obtaining a Root Certificate from Windows Server 2003 Certificate Services

In this second appendix for my blog series about using SSL with IIS 6, I'm going to discuss obtaining the root certificate from Windows Server 2003 Certificate Services. By way of explanation, obtaining a root certificate is one of the most important steps for servers or clients that will use certificates that you issue. While this step is not necessary on the server where you installed Certificate Services, it is absolutely essential on your other servers or clients, because this step will allow those computers to trust your certificate server as a Certificate Authority (CA). Without that trust in place, you will either receive error messages or SSL simply won't work.

I've broken this process into two steps:


Downloading the Root Certificate

  1. Browse to your certificate server's address, (e.g. http://<server-name>/certsrv/), and choose to retrieve the CA certificate:

  2. Click the link to download the CA certificate:

  3. Choose to save the certificate file to disk:

  4. Save the file to your desktop:

Note: If you were to bring up the properties for the root certificate, the certificate's icon should show an error; this is because the certificate has not been imported.


Installing the Root Certificate

Before using any certificates that you issue on a computer, you need to install the Root Certificate. (This includes web servers and clients.)

  1. Double-click the file on your desktop:

  2. Click the "Install Certificate" button:

  3. Click "Next" to start the Certificate Import Wizard:

  4. Choose to automatically choose the store:

  5. Click the "Finish" button:

  6. Click "Yes" when asked if you want to add the certificate:

    NOTE: This step is very important. If you do not see this dialog, something went wrong, and you may need to manually place the certificate in the correct store.
  7. Click "OK" when informed that the import was successful.

Note: If you were to bring up the properties for the root certificate after you have installed it on your computer, you should see that the icon for the certificate no longer shows an error.

That's it for this post. In my next blog post, I'll discuss processing a certificate request.

Note: This blog was originally posted at http://blogs.msdn.com/robert_mcmurray/

Posted: Jul 29 2011, 08:33 by Bob | Comments (0)
  • Currently 0/5 Stars.
  • 1
  • 2
  • 3
  • 4
  • 5
Filed under: IIS | SSL
Tags: , ,
Social Bookmarks: E-mail | Kick it! | DZone it! | del.icio.us

IIS 6: Setting up SSL - Appendix A: Installing Windows Server 2003 Certificate Services

I needed to take a short break from my blog series about using SSL with IIS 6 in order to work on some other projects, but I wanted to finish the series by giving you a few appendices that give you some additional details that you might want to know if you are using SSL with IIS 6.

In this first appendix, I'll discuss how to install Certificate Services for Windows Server 2003. Installing Certificate Services will allow you to have your own Certificate Authority (CA), and thereby you will be able to issue certificates for your organization. It should be noted that Internet clients that are not part of your organization will not inherently trust your certificates - you will need to export your Root CA certificate, which I will describe in a later appendix for this blog series.

There are four different configurations that you can choose from when you are installing Certificate Services:

Enterprise root CA Integrated with Active Directory
Acts as the root CA for your organization
Enterprise subordinate CA Integrated with Active Directory
Child of your organization's root CA
Stand-alone root CA Not integrated with Active Directory
Acts as the root CA for your certificate chain
Stand-alone subordinate CA Not integrated with Active Directory
Child of your certificate chain's root CA

Note: More information about these options is available at http://technet.microsoft.com/en-us/library/cc756989.aspx

For this blog, I will discuss setting up a Stand-alone root CA.

  1. Run the "Windows Component Wizard" in "Add/Remove Programs", choose "Certificate Services", and click "Next":

  2. Click "Yes" when prompted to continue:

  3. Accept the defaults, then click "Next":

  4. Enter all requested information, then click "Next":

  5. Accept the defaults for the data locations and click "Next":

  6. The wizard will step through installing the services:

  7. When the wizard has completed, click "Finish" to exit the wizard:

That wraps up this blog post. In my next post I'll discuss obtaining the root certificate for your certificate server so you can install it on a client computer or an IIS server; this will allow other computers to trust the certificates that you issue.

Note: This blog was originally posted at http://blogs.msdn.com/robert_mcmurray/

Posted: Jul 28 2011, 10:52 by Bob | Comments (0)
  • Currently 0/5 Stars.
  • 1
  • 2
  • 3
  • 4
  • 5
Filed under: IIS | SSL
Tags: , ,
Social Bookmarks: E-mail | Kick it! | DZone it! | del.icio.us