Thomas N (United States of America) asked:

Certificate issue - 2008 server

Okay, I'm new to certificates, but we have a website that is hosted by me that I believe needs to issue a valid certificate. When I go to the site it says "Content was blocked because it was not signed by a valid security certificate".

I need to issue a cert from the server... correct? If so, can someone give me step-by-step instructions to do this? I am a domain admin on our network. Thanks
Windows Server 2008, Encryption, OS Security

Last Comment: Seth Simmons (8/22/2022 - Mon)
rgorman

You will want to generate a CSR through IIS using the instructions here...

https://technet.microsoft.com/en-ca/library/cc732906%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Then you will submit the CSR to an SSL certificate provider, like GoDaddy/Verisign/Thawte/etc, and they will issue the certificate that you will import into your PC. Each provider would have instructions on their site as well that outline the process for each product.
Will Szymkowski

DigiCert has a complete tutorial on how to accomplish this. You need to start by generating a CSR and sending it to the 3rd-party SSL provider.
https://www.digicert.com/csr-creation-microsoft-iis-7.htm

Will.
Thomas N

ASKER
Do I still need to do that if it's an internal website?
Thomas N

ASKER
Send it to a 3rd party, I mean.
ASKER CERTIFIED SOLUTION
Will Szymkowski

Thomas N

ASKER
Thanks Will. Is it possible to find out if I already have an internal Root CA set up? I was handed over this small network and am not sure if it's possible to find out without digging around manually.
Will Szymkowski

All you need to do to verify whether there is an internal Domain CA is run the following command...
certutil -TCAinfo


Will.
Thomas N

ASKER
This is what I get when I run it. It pulls up a "server" and a "server1". So is it the CA name or the machine name?

C:\Users>certutil -TCAinfo
================================================================
CA Name: Wireless

Machine Name: server.domain.net

DS Location: CN=Wireless,CN=Enrollment Services,CN=Public Key Services,CN=Servic
es,CN=Configuration,DC=domain,DC=net

Cert DN: CN=Wireless, DC=domain, DC=net

CA Registry Validity Period: 2 Years -- 4/8/2017 12:56 PM
 NotAfter: 3/5/2018 10:58 AM

Connecting to server.domain.net\Wireless ...
Server "Wireless" ICertRequest2 interface is alive

  Enterprise Root CA

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Wireless, DC=domain, DC=net
  NotBefore: 3/5/2013 10:54 AM
  NotAfter: 3/5/2018 10:58 AM
  Subject: CN=Wireless, DC=domain, DC=net
  Serial: 753194f68ef2718b431217094313e9e0
  Template: CA
  ab 84 3a 7a 63 f8 34 9b 9c 4c 5b ab 13 63 a3 91 f7 67 99 20
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  ab 84 3a 7a 63 f8 34 9b 9c 4c 5b ab 13 63 a3 91 f7 67 99 20
  Issuer: CN=Wireless, DC=domain, DC=net
  NotBefore: 3/5/2013 10:54 AM
  NotAfter: 3/5/2018 10:58 AM
  Subject: CN=Wireless, DC=domain, DC=net
  Serial: 753194f68ef2718b431217094313e9e0
  Template: CA
  ab 84 3a 7a 63 f8 34 9b 9c 4c 5b ab 13 63 a3 91 f7 67 99 20
A certification chain processed correctly, but one of the CA certificates is not
 trusted by the policy provider. 0x800b0112 (-2146762478)
------------------------------------

Supported Certificate Templates:
Cert Type[0]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[1]: DomainControllerAuthentication (Domain Controller Authentication)
Cert Type[2]: Machine (Computer)
Validated Cert Types: 3

================================================================
CA Name: domain-server1-CA

Machine Name: server1.domain.net

DS Location: CN=domain-server1-CA,CN=Enrollment Services,CN=Public Key Service
s,CN=Services,CN=Configuration,DC=domain,DC=net

Cert DN: CN=domain-server1-CA, DC=domain, DC=net

CA Registry Validity Period: 2 Years -- 4/8/2017 12:56 PM
 NotAfter: 3/5/2018 11:14 AM

Connecting to server1.domain.net\domain-server1-CA ...
Server "domain-server1-CA" ICertRequest2 interface is alive

  Enterprise Root CA

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=domain-server-CA, DC=domain, DC=net
  NotBefore: 3/5/2013 11:04 AM
  NotAfter: 3/5/2018 11:14 AM
  Subject: CN=domain-server1-CA, DC=domain, DC=net
  Serial: 4dfdb8bcd6dc8b894fd0e8041644a90d
  Template: CA
  44 e4 00 98 0e bd 03 5d 12 a4 d3 c1 e0 7c 49 c8 69 0f 37 20
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  44 e4 00 98 0e bd 03 5d 12 a4 d3 c1 e0 7c 49 c8 69 0f 37 20
  Issuer: CN=domain-Sserver1-CA, DC=domain, DC=net
  NotBefore: 3/5/2013 11:04 AM
  NotAfter: 3/5/2018 11:14 AM
  Subject: CN=domain-CA, DC=domain, DC=net
  Serial: 4dfdb8bcd6dc8b894fd0e8041644a90d
  Template: CA
  44 e4 00 98 0e bd 03 5d 12 a4 d3 c1 e0 7c 49 c8 69 0f 37 20
A certification chain processed correctly, but one of the CA certificates is not
 trusted by the policy provider. 0x800b0112 (-2146762478)
------------------------------------

Supported Certificate Templates:
Cert Type[0]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[1]: DomainControllerAuthentication (Domain Controller Authentication)
Cert Type[2]: EFSRecovery (EFS Recovery Agent)
Cert Type[3]: EFS (Basic EFS)
Cert Type[4]: DomainController (Domain Controller)
Cert Type[5]: WebServer (Web Server)
Cert Type[6]: Machine (Computer)
Cert Type[7]: User (User)
Cert Type[8]: SubCA (Subordinate Certification Authority)
Cert Type[9]: Administrator (Administrator)
Validated Cert Types: 10

================================================================
server.domain.net\Wireless:
  Enterprise Root CA
  A certification chain processed correctly, but one of the CA certificates is n
ot trusted by the policy provider. 0x800b0112 (-2146762478)
  Online

sscvu01.domain.net\domain-server1-CA:
  Enterprise Root CA
  A certification chain processed correctly, but one of the CA certificates is n
ot trusted by the policy provider. 0x800b0112 (-2146762478)
  Online

CertUtil: -TCAInfo command completed successfully.
Will Szymkowski

Based on the output, domain-server1-CA is the internal CA for this domain. You will then need to create a Web Server template and issue it to the web server on which you want to use SSL.

Will.
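As an added example (not code from anyone in this thread), here is a small Python parser for certutil -TCAinfo output like the one posted above. It separates each CA's logical name from the machine that hosts it, records the CA type and whether the ICertRequest2 interface answered, and reports which CA publishes the WebServer template, i.e. the one a web server certificate can be enrolled from. The sample text is constructed from the thread's output with the chain dump and blank lines removed; the hostnames and CA names are the thread's own placeholders.

```python
import re

# Constructed sample modelled on the certutil -TCAinfo output quoted in the
# thread (chain dump and blank lines dropped; names are the thread's placeholders).
SAMPLE = """\
================================================================
CA Name: Wireless
Machine Name: server.domain.net
Server "Wireless" ICertRequest2 interface is alive
  Enterprise Root CA
Supported Certificate Templates:
Cert Type[0]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[1]: Machine (Computer)
================================================================
CA Name: domain-server1-CA
Machine Name: server1.domain.net
Server "domain-server1-CA" ICertRequest2 interface is alive
  Enterprise Root CA
Supported Certificate Templates:
Cert Type[0]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[1]: WebServer (Web Server)
Cert Type[2]: Machine (Computer)
"""


def _field(section, label):
    """Value of a 'Label: value' line inside one CA section, or None."""
    m = re.search(r"^%s:\s*(.+?)\s*$" % re.escape(label), section, re.M)
    return m.group(1) if m else None


def parse_tcainfo(text):
    """One dict per CA section; text without a 'CA Name:' line is skipped."""
    cas = []
    for section in re.split(r"^=+\s*$", text, flags=re.M):
        name = _field(section, "CA Name")
        if name is None:
            continue  # leading/trailing text, e.g. the summary block
        kind = re.search(r"^\s*(\w+ (?:Root|Subordinate) CA)\s*$", section, re.M)
        cas.append({
            "ca_name": name,                             # the CA's logical name
            "machine": _field(section, "Machine Name"),  # host that runs the CA
            "ca_type": kind.group(1) if kind else "unknown",
            "online": "ICertRequest2 interface is alive" in section,
            # template short names, e.g. 'WebServer' from 'WebServer (Web Server)'
            "templates": re.findall(r"^Cert Type\[\d+\]:\s*(\S+)", section, re.M),
        })
    return cas


def cas_offering(cas, template="WebServer"):
    """Names of the CAs whose published template list includes `template`."""
    return [ca["ca_name"] for ca in cas if template in ca["templates"]]
```

Run it on the real output of `certutil -TCAinfo` redirected to a file to see, per CA, whether the WebServer template is published at all; if it is missing everywhere, the template still has to be published on the CA before a web server can enroll from it.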
Thomas N

ASKER
OK, let me try and come back to reward points.
Seth Simmons

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.