Step 1:
You need this role installed to have a Certificate Authority; it can be on a DC or on the Exchange server itself.
I have done this on the Exchange Server itself (no harm).
Open Server Manager – Manage – Add Roles and Features
Step 2:
Choose: Active Directory Certificate Services
Choose Next
Then choose the role services:
Certification Authority
Certification Authority Web Enrollment
Choose Install
Choose Close
Step 3:
To configure Active Directory Certificate Services,
choose the exclamation mark on the flag in Server Manager
Choose Next
Choose
Certification Authority
&
Certification Authority Web Enrollment
Step 4:
Choose Root CA
Step 5:
Create a new private key
Step 6:
Keep the default 2048-bit key length.
Updated: It is recommended to use SHA256, as SHA1 is being retired.
To upgrade your existing internal CA, run:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Step 7:
Click Next
Step 8:
By default the certificate is valid for 5 years; don't make any changes to it. Click Next.
Step 9:
Choose Configure
Installing and configuring is done.
Let us see how to request a simple certificate from the internal Certificate Authority.
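A post-install check, added here as an example and not part of the original post, that confirms from PowerShell what Steps 4 to 8 configured (signing hash, key length, validity) and switches the CA to SHA256 if it is still on SHA1. It assumes a single CA on the host, created with the default CNG key storage provider, and an elevated PowerShell session on the CA server.

```powershell
# Added example (not the original post's code). Run elevated on the CA server.
# Assumes one CA on this host, created with the default CNG key storage provider.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfg).Active            # CA common name chosen during setup
$csp    = Get-ItemProperty "$cfg\$caName\CSP"       # CNGHashAlgorithm lives here for CNG providers

# Step 6: hash used to sign newly issued certificates and CRLs.
if ($csp.CNGHashAlgorithm -ne 'SHA256') {
    Write-Warning "CA '$caName' signs with $($csp.CNGHashAlgorithm); switching to SHA256"
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
    Restart-Service certsvc                          # the value is read when the service starts
    $csp = Get-ItemProperty "$cfg\$caName\CSP"
}

# The CA's own certificate: self-signed (root CA, Step 4) and holding the private key.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -eq $_.Issuer -and $_.Subject -like "*CN=$caName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "No self-signed certificate for '$caName' with a private key was found" }

[pscustomobject]@{
    CA              = $caName
    IssuanceHash    = $csp.CNGHashAlgorithm                   # expected: SHA256
    CaCertSignature = $caCert.SignatureAlgorithm.FriendlyName # stays sha1RSA until the CA cert is renewed
    KeySizeBits     = $caCert.PublicKey.Key.KeySize           # expected: 2048 (Step 6), RSA key
    ValidUntil      = $caCert.NotAfter                        # about 5 years from install (Step 8)
    CrlPublished    = (Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll" -Filter *.crl).Count -gt 0
}
```

Changing CNGHashAlgorithm only affects certificates and CRLs signed from then on; the CA's own certificate keeps its original signature algorithm until it is renewed (certutil -renewCert ReuseKeys).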
Step 10:
Now if you open IIS Manager, you will see that a virtual directory called "CertSrv" has been created.
Use the right-hand column: Browse *:443 (https)
Note:
If you don't see "Browse *:443 (https)", it means the binding is not there. In my example the CA is on Exchange 2013, and Exchange added the binding.
To add the binding: right-click Default Web Site – click Edit Bindings
Click Add
HTTPS – 443 – choose the CA cert
Now you can see 443 on your website.
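The binding step above, scripted as an added example (not the original post's code): it creates the HTTPS binding on Default Web Site when it is missing and attaches a server certificate to port 443. It assumes an elevated PowerShell on the IIS/CA host and that a certificate with the Server Authentication EKU and the host's FQDN already exists in the machine store; the CA's own root certificate is not a server certificate, so if none exists, request one first.

```powershell
# Added example (not the original post's code). Run elevated on the IIS/CA host.
Import-Module WebAdministration

$site = 'Default Web Site'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pick a certificate that has a private key, is valid now, carries the
# Server Authentication EKU and names this host (DnsNameList/EnhancedKeyUsageList
# are PowerShell's added properties on X509Certificate2).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' -and
    $_.DnsNameList.Unicode -contains $fqdn
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate for $fqdn in Cert:\LocalMachine\My; request one first" }

# Add the binding if it is missing (what 'Edit Bindings -> Add' does in the GUI).
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to port 443 (the 'SSL certificate' drop-down in the GUI).
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# Verify: the binding is listed and /certsrv answers over TLS.
Get-WebBinding -Name $site | Select-Object protocol, bindingInformation
try   { (Invoke-WebRequest "https://$fqdn/certsrv/" -UseBasicParsing -UseDefaultCredentials).StatusCode }
catch { $_.Exception.Response.StatusCode.value__ }   # 401 here means the site is up but wants logon
```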
Step 11:
You will see a page like this; choose Request a Certificate
Step 12:
Click Advanced Certificate Request
Step 13:
Choose the second option:
Submit a certificate request by using a base-64-encoded CMC
Step 14:
Now copy the request text from Notepad: you have to generate a certificate request from the application, open the saved request file in Notepad and paste its contents into the request box. For example, here is how we do it in Exchange Server:
https://www.azure365pro.com/how-to-create-an-ssl-certificate-request-for-exchange-server-2013/
Or you can use https://www.digicert.com/util/
Choose Template: WebServer
Step 15:
Choose “Base 64 encoded”
Step 16:
Save the certificate
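The request-and-submit flow of Steps 10 to 16 done with certreq.exe instead of the CertSrv web form, as an added example (not the original post's code; for Exchange, use the Exchange request method linked above). Placeholders: mail.example.local is the server's FQDN and CAHOST\Example-CA is the CA's config string (shown by certutil -dump). Run elevated on the server that needs the certificate.

```powershell
# Added example (not the original post's code). Placeholder values below.
$fqdn  = 'mail.example.local'      # this server's FQDN
$caCfg = 'CAHOST\Example-CA'       # CA host\CA name, see 'certutil -dump'
$work  = Join-Path $env:TEMP 'webcert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# INF describing the request: 2048-bit RSA, SHA256, machine key, Server Authentication
# EKU, a DNS subject alternative name, and the WebServer template from Step 14.
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn"
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content "$work\request.inf" -Encoding ASCII

# Creates the private key and a base-64 PKCS#10 file: request.req is exactly the
# text that Step 14 has you open in Notepad and paste into the web form.
certreq -new "$work\request.inf" "$work\request.req"

# Submit it straight to the CA instead of pasting, then bind the issued cert to its key.
certreq -submit -config $caCfg "$work\request.req" "$work\cert.cer"
certreq -accept "$work\cert.cer"

# Check the result in the machine store.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter
```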
Great job. Thank you!
It's good, many thanks :X
You're welcome, Ahmad Ghazi!
Hi, many thanks for the write-up.
Will this cert enable internal Outlook users to connect to the internal Exchange Server 2013?
Thanks in advance
Ajay Paul
Thanks Ajay.
The answer is yes.
It should work with internal Outlook without any problems!!
Thanks Satheshwaran,
I have a 2012 DC and Exchange 2007 SP3. Can I use this certificate with it, and how can I import it into Exchange?
It should work.
Use this link for the commands you can use for Exchange 2007.
http://luka.manojlovic.net/2008/01/12/new-certificate-in-exchange-2007-step-by-step/
Thanks for the guide! I’m getting the following message when trying to request a certificate by using a base-64-encoded CMC: “No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing Active Directory.” This is a brand new Windows Server 2012 installation and I followed your guide from start to finish. Any ideas?
Steve
Make sure you are a member of Enterprise Admins.
I already am. Any other ideas?
Might be some bug. Create a new admin, give all access, log in with that admin and try. Also
check the below forum – a similar one –
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5be22856-0598-46c1-b334-1ec4a81100d2/
Thanks, I’m not sure what happened but I uninstalled ADCS and reinstalled it and everything is working properly now.
Happy for you
Great post... thanks... this helped me a lot
Thank you, Rajnish
Hi Rajnish.
Are we missing a step or two?
When IIS is installed, HTTPS is not enabled. In Step 10 the option to browse "Use the right side column "Browse *.443(https)" is not available.
Step 14 requires clarification – "Now Copy the Note pad" – we need an explanation of where the data in the Notepad is coming from.
Please review and clarify.
Hi,
Right-click and Browse; you should get to that page if your installation is fine, with a cert error.
As the others have mentioned, While in IIS Manager, only Browse *.80 (http) is available to select. Browse *.443 (https) is not seen, nor are any others as shown in your description.
Any Thoughts?
I had the same problem. I can see HTTP only.
I have it also.
Same, no HTTPS!!!
No HTTPS. You have left out some important parts!!!!!!!!!!!
It does work with HTTPS. Can you elaborate some more?
Is it possible to migrate a 2008 CA server to another 2012 CA server?
Yes, it's possible.
This should help you.
http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx
OK – I'm at Step 14 – where does the NOTEPAD info come from!!!?
I'm TESTING Exchange so I don't have a proper certificate.
Will this work with a self-signed certificate?
(There is little or no information about using self-signed certs with Exchange – I appreciate I'll need one eventually if and when this gets into production.)
You have to open the certificate request file using Notepad.
Where do I find this certificate request file to open?
Wherever you saved it in the first place, on the Exchange server/application server from wherever you requested and saved it.
I don't have Web Server in the certificate templates.
Why?
Someone help me.
I guess you're missing some steps.
Great information, but request the following information:
In step 10, am I right-clicking each port and copying information from each port, then copying it into Notepad, then pasting the information from Notepad in step 14?
You have done a great job with your post and I am probably being naive, but clarification would be appreciated.
Open the certificate request file using Notepad and paste it.
Content updated; I guess it should be clear now. Sorry for the confusion.
Good job mate, well done
Thank you!
Thank you
And where can I find the certificate request file? What is the location of the file?
When you create a cert req, it's the location you browse to and save, Fran.
Hi,
Is it possible to deploy a Windows Server 2012 R2 Certificate Authority in a Windows Server 2003 domain?
Thanks,
Carlos Santos
Yes, it should work.
Hey,
In Step 3: Setup type -> Specify the setup type of the CA -> the 1st option "Enterprise CA" is greyed out for me. What should I do to enable it? Please suggest.
Thank you
Great post... thank you... this post helped me a lot
DID EXACTLY WHAT YOU INSTRUCTED AND IT DID NOT WORK FOR ME! I am having the same issue at step 10 that others have been telling you about. You have assumed that when we get there "Browse: 443 (https)" will be on the right, and my friend, for some of us including myself, it "DOES NOT APPEAR". And since it does not appear, when we get to step 14, the screen for the certificate text is blank. THEREFORE, FOR THOSE OF US WHO DO NOT SEE "443", YOUR INSTRUCTIONS ARE NOT CORRECT! Please make note of this and adjust your post!
Updated the blog. If you are installing this on a non-Exchange machine, you have to add bindings to see 443. Check now.
Already, just the condescending tone of some people... Petty bourgeois, all of that. One needs excess in all things, even if it means sometimes going backwards. You propose moderation in all things, even if it means not budging an inch. Petty bourgeois, all of that.
Check out my Windows 2012 R2 Certification Authority installation guide
http://security-24-7.com/windows-2012-r2-certification-authority-installation-guide/
Where can I Find the Certificate Request file? I don’t see where you saved it? Can I get help on this please. Thanks!
Please save wherever you want.
When I go to certsrv I get no network; what should I do here?
Thank you so much for this Article and Very informative…All the best!!
Thank you for your Comments
How do I generate the certificate before downloading it? Where does the IP address used to log in to the URL come from? When I enter it in the web browser, it will not take it, e.g. 10.20.34.2/cert/svr.
I do not have a Default Website in the list, thus there is no CertSrv. What could I do to remedy this? I know how to create sites but the directories... I don't know where they should point to.
Re-install the CA; I guess you missed something.
Make sure the "Web Enrollment" roles are installed.
If it is already checked, then run the following command in admin mode:
certutil -vroot
How do I migrate a CA from a Windows 2003 DC to a Windows 2012 DC?
Please check the comments of the below URL
https://redmondmag.com/articles/2015/06/01/ad-certificate-services.aspx
Hi, many thanks for the write up.
Will this cert enable external Outlook users to connect to Exchange Server 2013?
Thanks in advance
No. It's just for internal users. It's highly recommended to use an external cert for both internal and external.
hi
Will this cert enable external Outlook users to connect to Exchange Server 2013?
Thanks
Hi Satheshwaran,
Could you please let me know whether we can install the CA on a Windows 7 machine?
I don’t think so.
Hello,
Thanks for this guide.
I'm almost done with it, but at Certification template I cannot choose "Web server". There are only the User and Basic templates. What did I do wrong?
Thank you!
Hi Satish,
I am at Step 14. I was not able to proceed after Step 13; could you please let me know the location from where I can copy the text and paste it into the request box? I searched in the CertSrv folder and in certrqxt, but was not able to see the requested file contents.
Could you please help me out. Thanks..
I have added some explanation to help you better
When I get to step 14 I am not getting the option to select Web Server. I am only getting a User option. Is there any way to correct this?
You can search for publishing templates.
Thank you so much,
If I create the CA server, can I assign Outlook Anywhere and Autodiscover with this server?
Afterwards, can I turn it off and turn it on only when I need it?
Thank you
No, Julien. I prefer you to buy a third-party certificate, unless there is a specific need for using an internal CA.
I am missing the Web Server certificate template.
Any suggestions on how to create a compatible one for Exchange 2013?
Hello,
I've seen internal CA servers more often nowadays. I'm not too familiar with their benefits for a business or company. The only certs I ever had to deal with were from 3rd parties like GeoTrust. So the question is, what are the benefits of having an internal CA server in the environment if it's usually recommended to have external certs for both internal (Outlook) and external (OWA) users of Exchange? What other benefits will an internal CA server provide? What are the reasons it would be beneficial for a business to set one up? Please advise, as I would like to get this going for our business if there are good benefits.
Very good article. I absolutely appreciate this site.
Keep it up!
Thanks for the guide. I'm trying to create a User Certificate and I get the error below. What am I missing?
Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.
Request Mode:
newreq NN – New Request (keygen)
Disposition:
(never set)
Disposition message:
(none)
Result:
Invalid pointer 0x80004003 (-2147467261 E_POINTER)
COM Error Info:
CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
No suggestions.
Hello
Please use Internet Explorer; I got the same error when using Chrome for a personal certificate request.
BR
I was also seeing the invalid pointer error when using Chrome. The process worked as expected when I tried in IE.
I also received this exact error when using Chrome. Switched to IE and was successful.
Thanks for another informative blog. Where else could I get that type of info written in such a perfect way?
I have an undertaking that I'm just now working on, and I have been on the lookout for such information.
I am getting the below error when installing a second CA server with SHA256 within the same forest:
certification authority web enrollment network name is no longer available 0x80070040 (win32:64 ERROR_NETNAME_DELETED)
Can anyone help on the same?
I'm getting this:
our request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.
Request Mode:
newreq NN – New Request (keygen)
Disposition:
(never set)
Disposition message:
(none)
Result:
Invalid pointer 0x80004003 (-2147467261 E_POINTER)
COM Error Info:
CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
No suggestions.
WICKED, GREAT WORK, FRIEND!!!
GREETINGS FROM MEXICO!!!
THANKS FOR YOUR CONTRIBUTION!!!!