Certificate Authority Woes

LSxCPU

Junior Member
Nov 8, 2013
Hey Guys, new to the forum. Place has been great for referencing when building my first PC and home lab set up.

Just curious if anyone on here has messed with certificate authority in windows server 2008r2 or 2012?

I've been reading around online, have everything configured, but when it comes to actually requesting and installing the appropriate certificate for my application servers I'm completely lost. I'm running an IIS application; every time I browse to the website I get the message saying this website is untrusted blah blah and hit continue (not recommended).

My question is, how the hell do I get this to go away. I logged on to the application server, browsed to my certificate server, and requested a certificate. Then I log into the cert server and approve the certificate. I then go back to my browser, get out to the website, and install the certificate from my web browser. Next time I go to the site, it's exactly the same, no valid certificate. Judging by the articles I'm reading everyone makes it sound so straightforward, but I can't get anywhere.

Anyone have some advice, tips, how-to for dummies? Also, creating a Linux cert with a Windows certificate authority is kicking my arse as well. I must be doing something wrong or I'm just not grasping the concept correctly because I've read about every damn TechNet article there could be, plus others.

Been cracking at this task for several days now, maybe I just need to step away.

Thanks a bunch,
Disgruntled IT employee.
 

smakme7757

Golden Member
Nov 20, 2010
When creating your own certificates you will need to install your CA certificate into the browser. The reason you get the error is because the server creating the in-house certificates isn't a publicly trusted certificate authority.

Import your CA certificate into the trusted root authority (I forget what it's called) folder in the browser or in Windows and you shouldn't get the SSL warning.

*mobile post
 

imagoon

Diamond Member
Feb 19, 2003
The easiest way to deal with a Windows CA is with AD. However, once the CA is installed, you have to configure the templates for your environment. You then have to submit a request to the CA for the cert you want. IIS will need a website cert; your local system or local user account will need to import a trusted CA cert from the CA. If you start the MMC (start -> run -> mmc) then load the certificate MMC (I think it is add snap-in on the file menu) it will ask you if you want to work with the user account, service accounts or computer accounts. User accounts are for your current user. Once that is added, go to trusted CAs and right click and all tasks -> request certificate. You can request the CA trust cert from there. Or you can export it from the CA and import it as a file. CAs are not simple so you might need some trial and error to get everything trusted.
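The request/submit/accept flow described above, written out as a scripted example (added here, not from the thread or from Microsoft's documentation). The host name web01.corp.example, the CA config string CA01.corp.example\Corp-Root-CA and the template name WebServer are assumed placeholders; run it elevated on the IIS box.

```powershell
# Added example: request a web server certificate from an enterprise CA with certreq.
# The subject and the Subject Alternative Name carry the FQDN the browser will use,
# which is what makes the issued cert match the site.
$fqdn     = 'web01.corp.example'                 # placeholder: the name clients browse to
$caConfig = 'CA01.corp.example\Corp-Root-CA'     # placeholder: "CAhost\CAname", see: certutil -dump
$work     = Join-Path $env:TEMP 'certreq-lab'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# INF consumed by certreq -new; PKCS10 request bound to the machine key store.
$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# 1. Build the request (private key is generated in LocalMachine\REQUEST).
certreq -new "$work\request.inf" "$work\request.req"

# 2. Submit to the CA. If the template requires CA manager approval, this prints a
#    RequestId and "pending"; approve it in the CA console, then run:
#    certreq -retrieve <RequestId> "$work\cert.cer" -config $caConfig
certreq -submit -config $caConfig "$work\request.req" "$work\cert.cer"

# 3. Accept the issued cert: pairs it with the pending key and moves it to LocalMachine\My,
#    where IIS can bind it to the HTTPS site.
certreq -accept "$work\cert.cer"

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Format-List Subject, Issuer, NotAfter, Thumbprint
```

Bind the resulting thumbprint to the IIS site afterwards; the CA's root certificate still has to be in the client's Trusted Root store for the warning to disappear.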
 

LSxCPU

Junior Member
Nov 8, 2013
Not simple, you can say that again! It's been pretty straightforward for other things, like issuing correct certs for the mail server and a few domain controllers. It seemed to make these automatically without causing any headaches to our Active Directory infrastructure.

Luckily we have a virtual test environment we can test on, but has anyone run into any issues when integrating a certificate authority with their domain? Even though I haven't run into any issues on the test environment, I'm a little nervous about integrating this into our live Active Directory infrastructure because of possible automatic changes it might make. Should I be worried? Or is there anything I should/shouldn't do when setting up a root CA in our Active Directory schema?

Regards,
Sam
 

kn51

Senior member
Aug 16, 2012
Good timing on this question, as I had an issue yesterday that I dealt with with certificates.

No you shouldn't be worried. It's fairly simple. My memory is hazy but it will probably auto-generate the "root" certificate for you. Also, you may need to set a group policy to auto-enroll that certificate into the trusted root authority of each domain connected computer. That way you don't have to install it manually on each machine.

The link provided above shows how to request an SSL cert for IIS. However, that is for a self-signed cert that is for the computer itself. You want the "Request domain certificate" choice instead. That will send the request to the CA, and all machines that have the trusted root certificate will trust that IIS certificate you requested...as long, of course, as you provide the correct FQDN in the certificate request.

A word of advice, don't let the CA root certificate expire. It will probably be good for 5 years. Yesterday mine expired (yeah, should have paid more attention) and when that happens, well, every internal cert becomes worthless as they are set to expire when the CA root does.

Wasn't a fun day, let's put it that way.
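An audit script that checks both points raised in this thread: smakme7757's (is the issuing CA actually in the machine's Trusted Root store, so the chain builds?) and kn51's (how long does the root have left, and which issued certs would die with it?). Added example, not from the thread; assumes PowerShell 3 or later on the server and uses only the .NET X509Chain API.

```powershell
# Added example: report trusted roots near expiry and certs in LocalMachine\My
# whose chain does not end in a trusted root. "UntrustedRoot" in the Problem
# column is exactly the browser warning from the first post.
function Get-RootCaStatus {
    param([int]$DaysWarn = 90)
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $_.Issuer } |          # self-signed = root
        ForEach-Object {
            $left = ($_.NotAfter - $now).Days
            [pscustomobject]@{
                Subject  = $_.Subject
                NotAfter = $_.NotAfter
                DaysLeft = $left
                Status   = if ($left -lt 0) { 'EXPIRED' }
                           elseif ($left -lt $DaysWarn) { 'EXPIRING' }
                           else { 'OK' }
            }
        }
}

function Test-MachineCertChain {
    # Build a chain for each server cert the same way SChannel/IIS does at handshake time.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $ok = $chain.Build($_)
        $n  = $chain.ChainElements.Count
        $rootNotAfter = if ($n -gt 0) { $chain.ChainElements[$n - 1].Certificate.NotAfter } else { $null }
        [pscustomobject]@{
            Subject      = $_.Subject
            Issuer       = $_.Issuer
            NotAfter     = $_.NotAfter
            ChainOK      = $ok
            # UntrustedRoot = CA cert missing from Trusted Root; RevocationStatusUnknown =
            # CRL location unreachable (a different problem, not a trust problem).
            Problem      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            RootNotAfter = $rootNotAfter
            # A leaf dated past its root is still cut off when the root expires.
            OutlivesRoot = ($rootNotAfter -ne $null) -and ($_.NotAfter -gt $rootNotAfter)
        }
        $chain.Reset()
    }
}

Get-RootCaStatus      | Format-Table -AutoSize
Test-MachineCertChain | Format-Table -AutoSize
```

Run it on a domain member after the auto-enrollment GPO has applied; a root that shows up under Get-RootCaStatus but ChainOK = False with UntrustedRoot usually means the cert was issued by a different (older or renewed) CA certificate than the one distributed.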
 

LSxCPU

Junior Member
Nov 8, 2013
Thanks for the tip on the domain certificate. Blahh another GPO, the more progress I make the more involved it gets!

Just had to scrap my lab environment, hopefully I will be able to get back to testing soon. I'll keep the thread updated if I come across any more issues or tips that might help other newbies on this topic.

Thanks again!