Windows Server 2019 – Issuing your new certificates

How to turn off IE enhanced security on Windows Server 2019

Next comes the part that trips up a lot of people on their first attempt. You now have a brand new template to issue, and we have verified that the permissions within that certificate template are appropriately configured so that any computer that is a member of our domain should be able to request one of these certificates, right? So our logical next step would be to jump onto a client computer and request a certificate, but there is first one additional task that needs to be accomplished in order to make that possible.

Even though the new template has been created, it has not yet been published. So at the moment, the CA server will not offer our new template as an option to the clients, even though security permissions are configured for it to do so. The process to publish a certificate template is very quick—only a couple of mouse clicks—but unless you know about the need to do this, it can be a very frustrating experience because nothing in the interface gives you a hint about this requirement.

Publishing the template

If your Certificate Templates Console is still open (the one where we were managing our templates), close it so you are back at the main certification-authority management console. Remember how we noticed that the list of available certificate templates that shows up here is much shorter? This is because only these certificate templates are currently published and available to be issued. In order to add additional templates to the published list, including our new one, we simply right-click on the Certificate Templates folder and then navigate to New | Certificate Template to Issue:

Now we are presented with a list of the available templates that are not yet issued. All you need to do is choose your new template from the list, and click on OK. The new template is now included in the list of published certificate templates, and we are ready to request one from a client computer:

If you look through this list and do not see your newly-created template, you may have to take an additional step. Sometimes simply waiting will resolve this behavior, because occasionally the reason that the new template does not show up in the list is because you are waiting for your domain controllers to finish replicating. At other times, you will find that, even after waiting for a while, your new template is still not in this list. In that case, you probably just need to restart the certification authority service to force it to pull in the new template information. To restart the CA service, you right-click on the CA’s name near the top of the Certification Authority management console, and navigate to All Tasks | Stop Service. The stopping of that service typically only takes a second or two, and then you can immediately right-click on the CA name again, and this time navigate to All Tasks | Start Service. Now, try to publish your new template again, and you should see it in the list:

Requesting a cert from MMC

Our new certificate template has been created, and we have successfully published it within the CA console, thereby making it officially ready for issuing. It’s time to test that out. Go ahead and log into a regular client computer on your network in order to do this. There are a couple of standard ways to request a new certificate on a client computer. The first is by using the good old MMC console. On your client computer, launch MMC and add the snap-in for Certificates. When you choose Certificates from the list of available snap-ins and click on the Add button, you are presented with some additional options for which certificate store you want to open. You get to choose between opening certificates for the User account, Service account, or Computer account. Since we are trying to issue a certificate that will be used by the computer itself, I want to choose Computer account from this list, and click on Finish:

On the next page, click on the Finish button again in order to choose the default option, which is Local computer. This will snap in the local machine’s computer-based certificate store inside MMC.

On newer operating systems, such as Windows 8 and 10 and with Windows Server 2012, 2012R2, 2016, and 2019, there is an MSC shortcut for opening directly into the local computer’s certificate store. Simply type CERTLM.MSC into a Run prompt, and MMC will automatically launch and create this snap-in for you.

When you are installing certificates onto a computer or server, this is generally the place you want to visit. Inside this certificate store, the specific location that we want to install our certificate into is the Personal folder. This is true whether you would be installing a machine certificate as we are doing here, or if you were installing an SSL certificate onto a web server. The local computer’s personal certificate folder is the correct location for both kinds of certificates. If you click on Personal, you can see that we do not currently have anything listed in there:

To request a new certificate from our CA server, we simply right-click on the Personal folder, and then navigate to All Tasks | Request New Certificate…. Doing so opens a wizard; go ahead and click on the Next button once.

Now you have a screen that looks like something needs to be done, but in most cases because we are requesting a certificate on one of our corporate, domain-joined machines, we actually do not need to do anything on the screen presented in the following screenshot. Simply click on Next and the wizard will query Active Directory in order to show all of the certificate templates that are available to be issued:

The Request Certificates screen is shown, which is the list of templates that are available to us. This list is dynamic; it is based on what computer you are logged into and what your user account permissions are. Remember when we set up the security tab of our new certificate template? It is there that we defined who and what could pull down new certificates based on that template, and, if I had defined a more particular group than domain computers, it is possible that my new DirectAccess Machine template would not be displayed in this list. However, since I did open up that template to be issuable to any computer within our domain, I can see it here:

If you do not see your new template in the list, click on the checkbox for Show all templates. This will give you a full list of all the templates on the CA server, and a description on each one as to the reason that it is currently unavailable for issuing.

Put a checkmark next to any certificates that you want, and click on Enroll. Now the console spins for a few seconds while the CA server processes your request and issues a new certificate that is specific to your computer and the criteria that we placed inside the certificate template. Once finished, you can see that our brand new machine certificate is now inside Personal | Certificates in the MMC. If you double-click on the certificate, you can check over its properties to ensure all of the settings you wanted to be pushed into this cert exist:

Requesting a cert from the Web interface

I typically use the MMC for requesting certificates whenever possible, but, in most cases, there is another platform from which you can request and issue certificates. I say in most cases because the existence of this option depends upon how the CA server was built in the first place. When I installed my AD CS role, I made sure to choose the options for both Certification Authority and Certification Authority Web Enrollment. This second option is important for our next section of text. Without the Web enrollment piece of the role, we would not have a web interface running on our CA server, and this part would not be available to us. If your CA server does not have Web enrollment turned on, you can revisit the role installation page in Server Manager and add it to the existing role:

Once Certification Authority Web Enrollment is installed on your CA, there is now a website running on that server that you can access via a browser from inside your network. Having this website is useful if you have the need for users to be able to issue their own certificates for some reason; it would be much easier to give them documentation or train them on the process of requesting a certificate from a website than expecting them to navigate the MMC console. Additionally, if you are trying to request certificates from computers that are not within the same network as the CA server, using MMC can be difficult. For example, if you have the need for a user at home to be able to request a new certificate, without a full VPN tunnel the MMC console is more than likely not going to be able to connect to the CA server in order to pull down that certificate. But since we have this certificate-enrollment website running, you could externally publish this website like you do with any other website in your network, using a reverse proxy or firewall in order to keep that traffic safe, and present users with the ability to hit this site and request certificates from wherever they are.

To access this website, let’s use our regular client computer again. This time, instead of opening MMC, I will simply launch Internet Explorer, or any other browser, and log into the website running at https://<CASERVER>/certsrv. For my specific environment, that exact web address is https://CA1/certsrv:

Our URL starts with HTTPS. This website must be configured to run on HTTPS instead of regular HTTP in order to allow the website to request certificates. It does not allow issuing certificates over HTTP because that information would be traveling in cleartext to the client. Enabling the website on the CA server for HTTPS ensures that the certificate issued will be encrypted while it travels.

Clicking on the Request a certificate link brings you into our wizard in which we can request a new certificate from the CA server. When you have users driving their own way through this web interface, it is typically for the purpose of a user-based certificate, since we have some pretty easy ways of automatically distributing computer-level certificates without any user interaction. We will discuss that in a moment. However, for this example, since we are asking our users to log in here and request a new User Certificate, on the next page, I will choose that link:

If you were not interested in a user certificate and wanted to use the web interface to request a machine certificate, a web server certificate, or any other kind of certificate, you could instead choose the link for advanced certificate request and follow the prompts to do so.

Next, press the Submit button, and, once the certificate has been generated, you will see a link that allows you to Install this certificate. Click on that link, and the new certificate that was just created for you has now been installed onto your computer. You can see in the following screenshot the response that the website gave me, indicating a successful installation, and you can also see I have opened up the current user certificates inside MMC in order to see and validate that the certificate really exists:

Comments are closed.