certificate issue- 2008 server

Okay, I'm new to certificates, but we have a website that is hosted by me that I believe needs to issue a valid certificate. When I go to the site it says "Content was blocked because it was not signed by a valid security certificate".

I need to issue a cert from the server... correct? If so, can someone give me step-by-step instructions to do this? I am a domain admin on our network. Thanks
rgorman

You will want to generate a CSR through IIS using the instructions here...

https://technet.microsoft.com/en-ca/library/cc732906%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Then you will submit the CSR to an SSL certificate provider, like GoDaddy/Verisign/Thawte/etc, and they will issue the certificate that you will import into your PC.  Each provider would have instructions on their site as well that outline the process for each product.
Digi Cert has a complete tutorial on how to accomplish this. You need to start by generating a CSR and sending it to the 3rd Party SSL provider.
https://www.digicert.com/csr-creation-microsoft-iis-7.htm

Will.
Thomas N (ASKER)
Do I still need to do that if it's an internal website? Send it to a 3rd party, I mean.
ASKER CERTIFIED SOLUTION
Will Szymkowski
Thanks Will. Is it possible to find out if I already have an internal Root CA set up? I was handed this small network and am not sure if it's possible to find out without digging around manually.
All you need to run to verify whether there is an internal Domain CA is the following command...
certutil -TCAinfo

Will.
This is what I get when I run it. It pulls up a "server" and a "server1". So is it the CA name or the machine name?
C:\Users>certutil -TCAinfo
================================================================
CA Name: Wireless

Machine Name: server.domain.net

DS Location: CN=Wireless,CN=Enrollment Services,CN=Public Key Services,CN=Servic
es,CN=Configuration,DC=domain,DC=net

Cert DN: CN=Wireless, DC=domain, DC=net

CA Registry Validity Period: 2 Years -- 4/8/2017 12:56 PM
 NotAfter: 3/5/2018 10:58 AM

Connecting to server.domain.net\Wireless ...
Server "Wireless" ICertRequest2 interface is alive

  Enterprise Root CA

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Wireless, DC=domain, DC=net
  NotBefore: 3/5/2013 10:54 AM
  NotAfter: 3/5/2018 10:58 AM
  Subject: CN=Wireless, DC=domain, DC=net
  Serial: 753194f68ef2718b431217094313e9e0
  Template: CA
  ab 84 3a 7a 63 f8 34 9b 9c 4c 5b ab 13 63 a3 91 f7 67 99 20
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  ab 84 3a 7a 63 f8 34 9b 9c 4c 5b ab 13 63 a3 91 f7 67 99 20
  Issuer: CN=Wireless, DC=domain, DC=net
  NotBefore: 3/5/2013 10:54 AM
  NotAfter: 3/5/2018 10:58 AM
  Subject: CN=Wireless, DC=domain, DC=net
  Serial: 753194f68ef2718b431217094313e9e0
  Template: CA
  ab 84 3a 7a 63 f8 34 9b 9c 4c 5b ab 13 63 a3 91 f7 67 99 20
A certification chain processed correctly, but one of the CA certificates is not
 trusted by the policy provider. 0x800b0112 (-2146762478)
------------------------------------

Supported Certificate Templates:
Cert Type[0]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[1]: DomainControllerAuthentication (Domain Controller Authentication)
Cert Type[2]: Machine (Computer)
Validated Cert Types: 3

================================================================
CA Name: domain-server1-CA

Machine Name: server1.domain.net

DS Location: CN=domain-server1-CA,CN=Enrollment Services,CN=Public Key Service
s,CN=Services,CN=Configuration,DC=domain,DC=net

Cert DN: CN=domain-server1-CA, DC=domain, DC=net

CA Registry Validity Period: 2 Years -- 4/8/2017 12:56 PM
 NotAfter: 3/5/2018 11:14 AM

Connecting to server1.domain.net\domain-server1-CA ...
Server "domain-server1-CA" ICertRequest2 interface is alive

  Enterprise Root CA

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=domain-server-CA, DC=domain, DC=net
  NotBefore: 3/5/2013 11:04 AM
  NotAfter: 3/5/2018 11:14 AM
  Subject: CN=domain-server1-CA, DC=domain, DC=net
  Serial: 4dfdb8bcd6dc8b894fd0e8041644a90d
  Template: CA
  44 e4 00 98 0e bd 03 5d 12 a4 d3 c1 e0 7c 49 c8 69 0f 37 20
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  44 e4 00 98 0e bd 03 5d 12 a4 d3 c1 e0 7c 49 c8 69 0f 37 20
  Issuer: CN=domain-Sserver1-CA, DC=domain, DC=net
  NotBefore: 3/5/2013 11:04 AM
  NotAfter: 3/5/2018 11:14 AM
  Subject: CN=domain-CA, DC=domain, DC=net
  Serial: 4dfdb8bcd6dc8b894fd0e8041644a90d
  Template: CA
  44 e4 00 98 0e bd 03 5d 12 a4 d3 c1 e0 7c 49 c8 69 0f 37 20
A certification chain processed correctly, but one of the CA certificates is not
 trusted by the policy provider. 0x800b0112 (-2146762478)
------------------------------------

Supported Certificate Templates:
Cert Type[0]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[1]: DomainControllerAuthentication (Domain Controller Authentication)
Cert Type[2]: EFSRecovery (EFS Recovery Agent)
Cert Type[3]: EFS (Basic EFS)
Cert Type[4]: DomainController (Domain Controller)
Cert Type[5]: WebServer (Web Server)
Cert Type[6]: Machine (Computer)
Cert Type[7]: User (User)
Cert Type[8]: SubCA (Subordinate Certification Authority)
Cert Type[9]: Administrator (Administrator)
Validated Cert Types: 10

================================================================
server.domain.net\Wireless:
  Enterprise Root CA
  A certification chain processed correctly, but one of the CA certificates is n
ot trusted by the policy provider. 0x800b0112 (-2146762478)
  Online

sscvu01.domain.net\domain-server1-CA:
  Enterprise Root CA
  A certification chain processed correctly, but one of the CA certificates is n
ot trusted by the policy provider. 0x800b0112 (-2146762478)
  Online

CertUtil: -TCAInfo command completed successfully.
Based on the output, domain-server1-CA is the internal CA for this domain. You will then need to create a Web Server Template and issue it to the web server on which you want to use SSL.

Will.
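As an added example (not part of the thread, and not the steps from the linked Microsoft or DigiCert articles), here is the whole procedure discussed above done from the command line on the web server: confirm the enterprise CA with certutil -TCAInfo, build a CSR for the built-in WebServer template with certreq, submit it either to the internal CA or to a commercial CA, and install the returned certificate. It assumes the CA config string server1.domain.net\domain-server1-CA from the certutil output above, a hypothetical host name web01.domain.net, a scratch folder C:\certs, and that the WebServer template has been published on that CA with Enroll permission for the server's computer account. Run it in an elevated PowerShell prompt.

```powershell
# Added example; not code from the thread. Hypothetical names: web01.domain.net, C:\certs.
# The CA config string below is the one reported by "certutil -TCAInfo" above.
$caConfig = "server1.domain.net\domain-server1-CA"
$hostName = "web01.domain.net"
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null

# 1. Confirm which enterprise CAs the domain publishes (same command as above).
certutil -TCAInfo

# 2. Describe the request. The subject and SAN must match the name browsers use;
#    the key is created in the machine store so IIS can use it, and is not exportable.
$inf = @"
[NewRequest]
Subject = "CN=$hostName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path C:\certs\web01.inf -Value $inf -Encoding Ascii

# 3. Generate the key pair and the CSR (web01.req is what a CA, internal or commercial, receives).
certreq -new C:\certs\web01.inf C:\certs\web01.req

# 4a. Internal CA: submit to the enterprise CA found in step 1 ...
certreq -submit -config $caConfig C:\certs\web01.req C:\certs\web01.cer
# 4b. ... or, for a public site, send web01.req to the commercial CA and save the
#     certificate it returns as C:\certs\web01.cer (the template attribute is ignored there).

# 5. Join the issued certificate to the pending request's private key in the machine store.
certreq -accept C:\certs\web01.cer

# 6. Check that the chain builds and that the certificate is usable for server authentication.
certutil -verify -urlfetch C:\certs\web01.cer
```

KeyUsage 0xA0 is Digital Signature plus Key Encipherment, and the EKU OID 1.3.6.1.5.5.7.3.1 is Server Authentication, which is what the WebServer template issues. Once step 5 succeeds, bind the certificate to the site's HTTPS binding in IIS Manager. Note that the -TCAInfo output above reports 0x800b0112 for both CAs under CERT_CHAIN_POLICY_NT_AUTH, which is CERT_E_UNTRUSTEDCA; a domain client will only trust certificates from these CAs once the CA certificate is in the enterprise NTAuth and Trusted Root stores, which you can inspect with certutil -viewstore -enterprise NTAuth.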
ok let me try and come back to reward points
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.