Enable Web Server Certificate Requests On Windows Server 2008R2 CA Server

So I’ve run into this problem multiple times and ‘hacked’ my way around it various ways, but there is a better way that doesn’t require the use of certutil.exe or any other console utilities. This scenario applies under the following conditions:

  • CA (Certificate Authority) Server is running on Windows Server 2008 R2
  • Web Server is running on Windows Server 2008 R2
  • Both servers are members of the same domain
  • You want to use the Certificates snap-in
  • You want to stay away from the console if you can

By default, you cannot generate a web server certificate request directly from your servers and you are presented with this screen based on the default Active Directory Enrollment Policy:

[Screenshot 001: denied]

As you can see from the screenshot, most of the certificate templates are unavailable with the exception of the computer certificate template.

Log on to your CA server and open up the CA snap-in by opening up the Server Manager and navigating to Roles > Active Directory Certificate Services > [certificate server name] > Certificate Templates.

[Screenshot 002: CA]

Don’t skip this step, since it’s really easy to get the two views confused. On the right side, under the Certificate Templates menu, select More Actions and then Manage. This opens the Certificate Templates Console, which lets you actually change the templates instead of just viewing their properties. NOTE: on many of the default templates, most options are grayed out and cannot be changed. From this console you can make a copy of a template, which gives you access to most of the options, by right-clicking the template and choosing Duplicate.

[Screenshot 003: manage]

In the Certificate Templates Console, select the certificate template that you want to be able to create requests from and choose Properties. In the screenshot, I’m using the Web Server certificate template.

[Screenshot 004: properties]

Go to the Security tab. Choose Add to add an account to the Group or user names box.

[Screenshot 005: add permissions]

In the Select Users, Computers, Service Accounts, or Groups dialog box, add Computers to the Object Types, then enter the computer name (or an AD group containing the computers, e.g. Web Servers) and select Check Names. It is very important that you select a computer account or a group of computer accounts here, since the requests are going to come from the computers, not from the user logged on to them.

[Screenshot 006: select users]

After returning to the Properties dialog, highlight the new account and tick Read and Enroll in the permissions panel. Click OK. You are done editing here, so you can close any remaining dialogs and log off the CA server if you no longer need it for something else.

[Screenshot 007: read and enroll]


Open a session to the server that you want to make the request from and open the Certificates snap-in by going to Start > Run > mmc. In the MMC (Microsoft Management Console), go to File > Add/Remove Snap-In. In the Add/Remove Snap-Ins dialog, select Certificates and press Add, which will open a new dialog box. Select Computer Account and click Next. Then select Local Computer and click Finish. Press OK to close the Add/Remove Snap-In dialog.

[Screenshot 008: certificates add]

[Screenshot 009: computer account]

[Screenshot 010: local computer]

Choose Certificates > Personal > Certificates as shown in the screenshot below. Right-click on the nested Certificates folder and choose All Tasks > Request New Certificate.

[Screenshot 011: certificates]

[Screenshot 012: request new cert]

In the Certificate Enrollment window, click Next, and Next again at the Select Certificate Enrollment Policy window, leaving the default policy (Active Directory Enrollment Policy) highlighted. You will now see the template available for use, directly from this snap-in. All done with no console or certutil.exe.

[Screenshot 013: select]

Make sure you provide the additional information for your cert if necessary by clicking on the link. For Web Server certs, I typically add: CN (common name) = yourdomain.com, O (organization), OU (organizational unit), Locality (city), State, Country.

I hope this helps someone out. My main problem was that I kept adding my user account to the template permissions while trying to request a certificate with the computer account.
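Because the Enroll permission on the Web Server template decides who can obtain those certificates, it is worth confirming afterwards that it went to the intended computer accounts or group and not to a stray user account. The PowerShell below is an added audit example, not part of the original post (which deliberately stays off the console); it reads the template’s ACL from Active Directory and assumes the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
# Added example (not from the original post): list the principals that hold Enroll
# on a certificate template by reading its security descriptor from the Configuration
# partition. Assumes the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

# Schema GUID of the "Certificate-Enrollment" extended right (the Enroll permission).
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-TemplateEnrollPermissions {
    param(
        # AD object name of the template; "WebServer" is the built-in Web Server template.
        [Parameter(Mandatory)][string]$TemplateName
    )
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $template   = Get-ADObject -Identity $templateDn -Properties nTSecurityDescriptor

    $template.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            # An all-zero ObjectType grants every extended right, which includes Enroll.
            ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object {
            $principal = $_.IdentityReference.Value
            # Computer accounts are identified by the trailing '$' on their account name;
            # anything else is a user or a group and should be checked by hand.
            $kind = if ($principal.EndsWith('$')) { 'Computer' } else { 'User or group' }
            [pscustomobject]@{
                Template  = $TemplateName
                Principal = $principal
                Kind      = $kind
                Inherited = $_.IsInherited
            }
        }
}

# Example run against the Web Server template: every "User or group" row should be a
# group that actually contains the web servers' computer accounts, not a person.
Get-TemplateEnrollPermissions -TemplateName 'WebServer' | Format-Table -AutoSize
```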

Good luck!

