JOSHUABT asked:
Can Certificate Authority server provide SSL-enabled certificate service web site?

Hello,

I have a stand-alone Certificate Authority server, Windows 2003 Standard SP2 x86.
Is it possible to enable SSL on the certificate service web site, "https://mycertserver_name/CertSrv"?
I installed a self-issued server certificate and checked "require secure channel".
However, when I try to browse the site from another machine, a "cannot display the webpage" message shows up.

Thank you for your time.
proadmin:

What happens when you uncheck "require secure channel"? It sounds like the certificate wasn't generated properly (possibly one of many issues). Also, are you using IIS to create your certificates and complete them? Once you do that you should go directly to binding and then choose the cert for each website.

Hope this helps!!!
Did you assign the certificate in the IIS manager? Can you verify that it is listening on port 443?

In cmd:

netstat -na | findstr 443
JOSHUABT (asker):

First, thank you for your response.
Here are the answers to your questions:
* When "require secured channel" is unchecked, the certificate site ( http://myCAserver_name/CertSrv ) is working fine.
* I did not create a certificate and used an existing certificate instead from IIS. My assumption is that since this server is a CA itself, it should be able to use its own ( self-signed ) certificate.
* It's listening on port 443.

I would appreciate any further suggestions.
Paranormastic:
You can, but there is no reason to.

Any information that is submitted to the CA in the cert request is published into the cert, which is considered public information anyway. There is no SOX, HIPAA, PCI, etc. violation for not having the certsrv page encrypted.

If you archive the private key, the CA has an automated function for protecting the transfer of the private key from the client to the CA using the CAExchange certificate that is normally automatically issued by the CA to itself, so as long as you didn't do anything to that then you're fine.

If you're still hell-bent to do it anyway, don't use the self-signed cert to do this. Issue a web server certificate from the CA and then install that into IIS. The root should hopefully be already trusted via GPO push. The reason for this is that the CA cert is issued to the CAName (the name of the CA instance), not the server name like the web server cert will be.

Also, just for sanity, when you enable the 'require secure channel' checkbox, you are changing the url to https right?  Does it make a difference if you try it from your workstation vs. locally on the server?
Thank you again for your responses.
My answers to your questions follow.

* There are two reasons why I want to implement SSL on the CA certificate site.
   One, I was trying to request a server certificate from a Win 2008 R2 Ent x64 server and it was demanding that the request to the CA server must be performed in a secured channel.
   Two, I simply want to know if a CA server can implement SSL using its own certificate.

* Yes, I used "https://..." from a remote machine and from the local machine and they both display the "Internet Explorer cannot display the page" error.

Thank you for your help.
It is trying to force using SSL, which is why you are getting that error. Open IIS properties for certsrv and on the Directory Security tab click the Edit button under the certificate and remove the 'require ssl' checkbox. Try again: without that require ssl checkbox it should work as http, and if you have the web server cert in place then it should work as https.
Hello, Paranormastic
I need SSL because I was trying to request a server certificate from a Win 2008 R2 Ent x64 server and it was demanding that the request to the CA server must be performed over a secured channel.
Okay, let's back up a little bit and re-read my previous posts in reverse order.

The problem you are trying to fix exists because you had it set up to force using SSL when there is no good reason to do so for the certsrv page, since everything submitted to it is public information anyway, since it will appear in the cert.

Remove the checkbox and access using http: instead of SSL and life should be happy again.
Paranormastic,

I think you are misunderstanding.
It's a default requirement for a W2K8 (R2) server to request certificates over SSL.
It refuses to install over an unsecured channel.

Thanks,
How about keeping the default configuration, i.e. keeping "require SSL", which indeed is a requirement with 2k8.

Try opening MMC, add snap-in, find certificates, choose computer account.

Right-click on Personal and issue a server authentication certificate from your CA; this is done through RPC and not HTTP.

Once that is done, open IIS and assign this certificate to the default web site, which holds the certificate services.

That way you meet the requirement for SSL, and you have a CA issued certificate.
You should also not confuse self-issued certificates with CA-issued certificates. Self-issued certificates mean that the issuing authority is the computer itself.

When the certificate is issued by a CA it means that it is signed by the CA keys. And the CA (the service on that computer) is the issuing authority.
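As an added example (not code from any poster in this thread): a Python diagnostic for the name-mismatch point raised above. It connects to the certsrv site trusting only the CA's exported root (`ca_root_pem` is an assumed path) and reports whether the certificate actually presented on 443 is issued to the server name, or only to the CA instance name as the CA's own cert would be. The sample certificate dicts are constructed, in the layout `ssl.getpeercert()` returns, so the name check can be exercised offline.

```python
import socket
import ssl

CERTSRV_PORT = 443  # the port the thread checked with "netstat -na | findstr 443"

# Constructed sample peer certificates in the dict layout ssl.getpeercert() returns.
SAMPLE_CA_CERT = {  # issued to the CA instance name, as the CA's own cert would be
    "subject": ((("commonName", "MyCompany Root CA"),),),
    "issuer": ((("commonName", "MyCompany Root CA"),),),
}
SAMPLE_WEB_CERT = {  # a server authentication cert issued to the server name
    "subject": ((("commonName", "mycertserver_name"),),),
    "issuer": ((("commonName", "MyCompany Root CA"),),),
    "subjectAltName": (("DNS", "mycertserver_name"), ("DNS", "mycertserver_name.example.local")),
}


def cert_names(peercert):
    """All DNS names the cert is issued to: SAN DNS entries, then the subject CN."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in peercert.get("subject", ()):
        names += [value for key, value in rdn if key == "commonName"]
    return names


def name_matches(hostname, cert_name):
    """Case-insensitive label match; a leading '*.' matches exactly one label."""
    host, pattern = hostname.lower().split("."), cert_name.lower().split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return host[1:] == pattern[1:]
    return host == pattern


def check_hostname(hostname, peercert):
    """True when the cert names this server, not merely the CA's own name."""
    return any(name_matches(hostname, n) for n in cert_names(peercert))


def fetch_peercert(hostname, ca_root_pem):
    """Fetch the cert https://<hostname>/CertSrv presents, trusting only the exported
    CA root (ca_root_pem, an assumed path). Hostname checking is off so a misnamed
    cert is returned for reporting instead of raising; the chain is still verified."""
    ctx = ssl.create_default_context(cafile=ca_root_pem)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, CERTSRV_PORT), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

For a live run call `check_hostname(host, fetch_peercert(host, "root.pem"))`; note that Python 3.10+ default contexts require TLS 1.2, which a Windows 2003 stack does not offer, so `ctx.minimum_version` may need lowering for that test.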
Simonlimon,
Thank you for your clarification of self-issued certificates.
Can you give me a little more detail on your suggested implementation steps?
Well, you can't really use IIS to issue the certificates, so you should use other means. That is RPC. You would request a certificate through the same mechanism that machines in your environment use to request certificates.

Open MMC (Start - Run - MMC)
Add/Remove Snap-ins, select Certificates, Local Computer

Use a similar path to this one here:
http://technet.microsoft.com/en-us/library/aa995864(EXCHG.65).aspx

After that is done, you would assign the server certificate using IIS Manager
Simonlimon,

I still can't get it to work.
My CA server is a stand-alone root CA, W2K3 R2 x86 Std.
And I am trying to request a certificate from W2K8 R2 x64 Ent.
Both servers belong to the same domain and we don't have Enterprise Root CA yet.

Do you think it has anything to do with OS versions?
OK, if I understand correctly you have a Windows Server 2008 on which you want to enable SSL.

The CA is located on the W2003R2 server.

And when you connect to it from W2k8 Server you get an error, that SSL is required?

To properly enroll certificates using a Windows 2003 CA on a Vista or 2008 Server you also need the following patch installed. Do you have it?

http://support.microsoft.com/kb/922706
Simonlimon,
I have installed the hotfix ( 922706 ) on the W2K3 CA server.
Still have the same problem.
I think I need to find a way to convert the CA certificate site to SSL.
OK, but that means you have to enroll the certificate on the CA server, and not on the W2k8.

You can do that using the procedure we discussed using MMC, just perform it on the CA server.
I tried to request a computer certificate from the CA server ( W2K3 ) itself using MMC and received the error.
ASKER CERTIFIED SOLUTION
simonlimon
(solution text available to members only)
Simonlimon,
Yes, I was able to request and install a server auth certificate finally, but with some tweaking.
For some reason, I had to request the cert in exportable format and then import it manually.
Anyway, my CA cert site is on SSL now.
Thank you for all your help.