Can Certificate Authority server provide SSL-enabled certificate service web site?

Hello,

I have a stand-alone Certificate Authority server, Windows2003.Standard.SP2.x86.
Is it possible to enable SSL on the certificate service web site, "https://mycertserver_name/CertSrv"?
I installed a self-issued server certificate and checked "require secure channel".
However, when I try to browse the site from another machine, "cannot display the webpage" message shows up.

Thank you for your time.
JOSHUABT Asked:

proadmin Commented:
What happens when you uncheck require secure channel? It sounds like the certificate wasn't generated properly (possibly one of many issues). Also, are you using IIS to create your certificates and complete them? Once you do that you should go directly to binding and then choose the cert for each website.

Hope this helps!!!
0
simonlimon Commented:
Did you assign the certificate in the IIS manager? Can you verify that it is listening on port 443?

In cmd:

netstat -na | findstr 443
0
JOSHUABT Author Commented:
First, thank you for your response.
Here are the answers to your questions:
* When "require secured channel" is unchecked, the certificate site ( http://myCAserver_name/CertSrv ) is working fine.
* I did not create a certificate and used an existing certificate instead from IIS. My assumption is that since this server is a CA itself, it should be able to use its own ( self-signed ) certificate.
* It's listening on port 443.

I would appreciate any further suggestions.
0

Paranormastic Cryptographic Engineer Commented:
You can, but there is no reason to.

Any information that is submitted to the CA in the cert request is published into the cert, which is considered public information anyways. There is no SOX, HIPAA, PCI, etc. violation for not having the certsrv page encrypted.

If you archive the private key, the CA has an automated function for protecting the transfer of the private key from the client to the CA using the CAExchange certificate that is normally automatically issued by the CA to itself, so as long as you didn't do anything to that then you're fine.

0
Paranormastic Cryptographic Engineer Commented:
If you're still hell-bent to do it anyways - don't use the self-signed cert to do this. Issue a webserver certificate from the CA and then use that to install into IIS. The root should hopefully be already trusted via GPO push. The reason for this is that the CA cert is issued to the CAName (the name of the CA instance), not the servername like the web server cert will be.

Also, just for sanity, when you enable the 'require secure channel' checkbox, you are changing the URL to https, right? Does it make a difference if you try it from your workstation vs. locally on the server?
0
JOSHUABT Author Commented:
Thank you again for your responses.
My answers to your questions follow.

* There are two reasons why I want to implement SSL on the CA certificate site.
   One, I was trying to request a server certificate from a Win.2008.R2.Ent.x64 server and it was demanding that the request to the CA server must be performed over a secured channel.
   Two, I simply want to know if a CA server can implement SSL using its own certificate.

* Yes, I used "https://..." from a remote machine and from the local machine and they both display the "Internet Explorer cannot display the page" error.

Thank you for your help.
0
Paranormastic Cryptographic Engineer Commented:
It is trying to force using SSL which is why you are getting that error. Open IIS properties for certsrv and on the Directory Security tab click the Edit button under the certificate and remove the 'require ssl' checkbox. Try again - without that require ssl checkbox it should work as http and if you have the web server cert in place then it should work as https.
0
JOSHUABT Author Commented:
Hello, Paranormastic
I need SSL because I was trying to request a server certificate from a Win.2008.R2.Ent.x64 server and it was demanding that the request to the CA server must be performed over a secured channel.
0
Paranormastic Cryptographic Engineer Commented:
Okay, let's back up a little bit and re-read my previous posts in reverse order.

The problem you are trying to fix is because you had it set up to force using SSL when there is no good reason to do so for the certsrv page, since everything submitted to it is public information anyways, since it will appear in the cert.

Remove the checkbox and access using http: instead of SSL and life should be happy again.
0
JOSHUABT Author Commented:
Paranormastic,

I think you are misunderstanding.
It's a default requirement for a W2K8 (R2) server to request a certificate over SSL.
It refuses to install over an unsecured channel.

Thanks,
0
simonlimon Commented:
How about keeping the default configuration, i.e. keep "require SSL", which indeed is a requirement with 2k8.

Try opening MMC, add snap-in, find certificates, choose computer account.

Right click on personal, and issue a server authentication certificate from your CA, this is done through RPC and not HTTP.

Once that is done, open IIS and assign this certificate to the default web site, which holds the certificate services.

That way you meet the requirement for SSL, and you have a CA issued certificate.
0
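As an added example (not code from the thread or from Microsoft), the PowerShell check below covers simonlimon's procedure above and Paranormastic's earlier point that the CA's own certificate is issued to the CA instance name rather than the server name: it lists the machine certificates and reports which one IIS can actually bind for https://servername/CertSrv. It assumes PowerShell 3.0 or later (for the DnsNameList and EnhancedKeyUsageList properties the Cert: provider adds) and that the machine's DNS name is what clients type in the URL.

```powershell
# Added example: report which certificates in LocalMachine\My are suitable for the
# IIS HTTPS binding on this host. Assumes PowerShell 3.0+ for DnsNameList/EnhancedKeyUsageList.
function Get-IisBindingCandidates {
    param(
        # Names clients will type in the URL; defaults to this machine's short name and FQDN
        [string[]]$HostNames = @(
            $env:COMPUTERNAME,
            [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        )
    )
    $wanted = $HostNames | ForEach-Object { $_.ToLower() } | Select-Object -Unique
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Subject CN plus any DNS subjectAltNames. A CA's own certificate carries the CA
        # instance name here, which is why it fails the browser's hostname check.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLower() })
        $nameOk = @($names | Where-Object { $wanted -contains $_ }).Count -gt 0

        # No EKU extension means "any purpose"; otherwise Server Authentication must be listed
        $ekus = @($cert.EnhancedKeyUsageList)
        $ekuOk = ($ekus.Count -eq 0) -or
                 (@($ekus | Where-Object { $_.ObjectId -eq $serverAuthOid }).Count -gt 0)

        $now = Get-Date
        $timeOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            NamesMatch  = $nameOk
            ServerAuth  = $ekuOk
            HasPrivKey  = $cert.HasPrivateKey
            InValidity  = $timeOk
            # Everything IIS needs to serve https://<hostname>/ cleanly, apart from the
            # issuing CA being trusted by the client (e.g. via the GPO root push)
            Usable      = ($nameOk -and $ekuOk -and $cert.HasPrivateKey -and $timeOk)
        }
    }
}

Get-IisBindingCandidates |
    Format-Table Subject, SelfSigned, NamesMatch, ServerAuth, HasPrivKey, Usable -AutoSize
```

Run it on the CA/IIS host after enrolling the server authentication certificate; the root CA's own certificate shows NamesMatch False, which is the mismatch behind the "cannot display the page" result when that certificate is bound.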
simonlimon Commented:
You should also not confuse self issued certificates with CA issued certificates. Self issued certificates mean that the issuing authority is the computer itself.

When the certificate is issued by a CA it means that it is signed by the CA keys. And the CA (the service on that computer) is the issuing authority.
0
JOSHUABT Author Commented:
Simonlimon,
Thank you for your clarification of self-issued certificates.
Can you give me a few more details of your suggested implementation steps?
0
simonlimon Commented:
Well, you can't really use IIS to issue the certificates, so you should use other means. That is RPC. You would request a certificate through the same mechanism that machines in your environment use to request certificates.

Open MMC (Start - Run - MMC)
Add/Remove Snap-ins, select Certificates, Local Computer

Use a similar path to this one here:
http://technet.microsoft.com/en-us/library/aa995864(EXCHG.65).aspx

After that is done, you would assign the server certificate using IIS Manager


server.jpg
0
JOSHUABT Author Commented:
Simonlimon,

I still can't get it to work.
My CA server is a stand-alone root CA, W2K3.R2.x86.Std.
And I am trying to request a certificate from W2K8.R2.x64.Ent.
Both servers belong to the same domain and we don't have Enterprise Root CA yet.

Do you think it has anything to do with OS versions?

Untitled.jpg
0
simonlimon Commented:
OK, if I understand correctly you have a Windows Server 2008 on which you want to enable SSL.

The CA is located on the W2003R2 server.

And when you connect to it from the W2k8 Server you get an error that SSL is required?

To properly enroll certificates using a Windows 2003 CA on a Vista or 2008 Server you also need the following patch installed. Do you have it?

http://support.microsoft.com/kb/922706
0
JOSHUABT Author Commented:
Simonlimon,
I have installed the hotfix ( 922706 ) on the W2K3 CA server.
Still have the same problem.
I think I need to find a way to convert the CA certificate site to SSL.
0
simonlimon Commented:
OK, but that means you have to enroll the certificate on the CA server. And not on the W2k8.

You can do that using the procedure we discussed using MMC, just perform it on the CA server.
0
JOSHUABT Author Commented:
I tried to request a computer certificate from the CA server ( W2K3 ) itself using MMC and received the error.
cert-err.png
0
simonlimon Commented:
OK, if you try to browse

http://mycertsrv/certsrv

from the CA machine, what is the result?

Can you try and request a server authentication certificate from the CA web site on the CA machine?

If you succeed in doing that then you can enable SSL using that certificate.

0
JOSHUABT Author Commented:
Simonlimon,
Yes, I was finally able to request and install a server auth certificate, but with some tweaking.
For some reason, I had to request the cert in exportable format and then import it manually.
Anyway, my CA cert site is on SSL now.
Thank you for all your help.
0