Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA

 

There may be times when a machine that is not a domain member needs to obtain a machine certificate from a Microsoft stand-alone CA. While domain members can use autoenrollment and the Certificates stand-alone snap-in to obtain a machine certificate from an enterprise CA, both domain and non-domain members need to use the Web enrollment site to obtain a machine certificate from a stand-alone CA.

 

Note:
Please see ISA Server 2000 Exchange Server 2000/2003 Deployment Kit articles Obtaining a Certificate via Autoenrollment and Obtaining a Certificate via the Certificates MMC on how to assign machine certificates to domain members via autoenrollment and the Certificates MMC.

 

Obtaining a machine certificate for L2TP/IPSec connections via the standalone CA Web enrollment site involves two steps:

 

• Request and install an Administrator certificate from the Web enrollment site
• Copy the stand-alone CA’s self-signed CA certificate into the machine’s list of Trusted Root Certification Authorities

 

Note:
If a domain administrator installed the stand-alone CA on a domain member server, then the CA certificate of the stand-alone CA will be automatically entered into the Trusted Root Certification Authorities store for all domain users and computers. You not need to copy the stand-alone CA’s self-signed CA certificate into the machine list of Trusted Root Certification Authorities under these circumstances. However, you will always need to many copy the CA’s certificate for non-domain members.

 

Requesting a Machine Certificate from the Stand-alone CA Web Enrollment Site

 

Perform the following steps to obtain a machine certificate from a stand-alone CA Web enrollment site:

 

Note:
The procedures list below can be used at the ISA Server firewall if the firewall is not a member of the internal network domain. You should use the Certificates MMC stand-alone snap-in or autoenrollment if the ISA Server firewall is a member of the internal network domain.

 

1. At the machine for which you wish to obtain a machine certificate, open Internet Explorer and type in the URL http://<ip_address>/certsrv or http://<fqdn>/certsrv, where <ip_address> and <fqdn> represent the IP address and the Fully Qualified Domain Name of the certificate authority, respectively. In this example we assume that that the machine is on the internal network, behind the ISA Server firewall. External network clients have the option to obtain certificates from an enterprise CA if that CA is published. Please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit Publishing a Web Enrollment Site  for information on how to publish a Microsoft Certificate Authority. Press ENTER after typing in the URL. Enter the User Name, Password and Domain  of a domain administrator and click OK (figure 1).

 

Figure 1

 

2. Click the Request a Certificate link on the Welcome page of the Microsoft Certificate Services Web enrollment site (figure 2).

 

Figure 2

 

3. Click the Advanced certificate request link on the Request a Certificate  page (figure 3)

 

Figure 3

 

4. Click the Create and submit a request to this CA link on the Advanced Certificate Request page (figure 4)

 

Figure 4

 

5. On the Advanced Certificate Request page (figure 5), Enter the identifying information text boxes. You must enter this identifying information when requesting a certificate from the stand-alone CA because the stand-alone CA does not “know” you and cannot verify your identity. Select the IPSec Certificate option in the Type of Certificate Needed drop down list (figure 5A). Place a checkmark in the Store certificate in the local computer certificate store checkbox. NOTE: you must be logged on with local administrator rights to add certificates to the local machine certificate store. You can leave all the other options at the default settings. Scroll down to the bottom of the page and click the Submit button.

 

Figure 5

 

Figure 5A

 

6. Click Yes on the Potential Scripting Violation dialog box (figure 6). This dialog box informs you that the Web site is requesting a new certificate on your behalf and that you should trust the Web site before continuing.

 

Figure 6

 

7. You are presented with the Certificate Pending page (figure 7). The default setting on a stand-alone CA is to require administrator intervention before issuing a certificate. The reason for this is that the CA has no method of confirming the identity and the validity of the information provided by the certificate requestor. At this point you must go to the stand-alone CA and grant the certificate request. Please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document Creating a Standalone CA for information on installing and configuring a Windows Server 2003 stand-alone CA.  Approve the certificate then proceed to the next step.

 

Figure 7

 

8. Click the View the status of a pending certificate request on the Welcome page of the certificate server Web enrollment site (figure 8).

 

Figure 8

 

9. Select the link to your certificate on the View the Status of a Pending Certificate Request page. In this example, the link says IPSec Certificate (Sunday June 15 2003 10:35:43 PM).

 

Figure 9

 

10. Click the Install this certificate link on the Certificate Issued page (figure 10).

 

Figure 10

 

11. Click Yes in the Potential Scripting Violation dialog box that informs that the Web site is adding one more certificates to the computer.

 

Figure 11

 

12. The Certificate Installed page appears confirming that the certificate was successfully installed.

 

Figure 12

 

 

Copying the Stand-alone CA’s Self-Signed Certificate into the Trusted Root Certification Authorities Certificate Store

 

When either a domain or a non-domain member requests a machine certificate to the stand-alone CA, the machine certificate is added to the machine’s Personal certificate store. However, the standalone CA’s self-signed certificate is not automatically added to the Trusted Root Certification Authorities store. You will need to take care of this step manually.

 

Note:
If a domain administrator installed the stand-alone CA on a domain member server, then the CA certificate of the stand-alone CA will be automatically entered into the Trusted Root Certification Authorities store for all domain users and computers. You not need to copy the stand-alone CA’s self-signed CA certificate into the machine list of Trusted Root Certification Authorities under these circumstances. However, you will always need to many copy the CA’s certificate for non-domain members.

 

 

Perform the following steps to copy the enterprise CA’s self-signed certificate into the Web client’s Trusted Root Certification Authorities Certificate store:

 

1. At the Web client machine that received the certificate, click Start and then click Run. Type mmc in the Open text box and click OK.
2. In the Console1 window, click the Console menu and click the Add/Remove Snap-in command (figure 10).

 

Figure 10

 

3. In the Add/Remove Snap-in dialog box, click the Add button (figure 11).

 

Figure 11

 

4. In the Add Standalone Snap-in dialog box, select the Certificates snap-in from the list of Available Standalone Snap-ins and then click the Add button (figure 12).

 

Figure 12

 

5. On the Certificates snap-in page, select the Computer account option and click Next (figure 13).

 

Figure 13

 

6. On the Select Computer page, select the Local Computer option and click Next (figure 14).

 

Figure 14

 

7. On the Add Standalone Snap-in dialog box, click the Close button (figure 15).

 

Figure 15

 

8. On the Add/Remove Snap-in dialog box, click the OK button (figure 16).

 

Figure 16

 

9. In the Console1 window, expand the Personal node in the left pane of the console and then click on the Personal\Certificates node. You will see the computer certificate issued to this machine in the right pane of the console (figure 17). Double click on the certificate to open the certificate’s Properties dialog box.

 

Figure 17

 

10. Click on the Certificate Path tab in the Certificate dialog box. Notice the red “x” on the root certificate. This indicates that this machine does not trust the CA that issued the machine certificate. Click on the CA certificate that has the red “x” on it. This makes the View Certificate button available. Click on the View Certificate button (figure 18).

 

Figure 18

 

11. Another Certificate dialog box opens. This dialog box provides the details of the Certificate Authority’s certificate. Click on the Details tab. You can export this certificate to a file. Click on the Copy to File button (figure 19).

 

Figure 19

 

12. Read the information on the Welcome to the Certificate Export Wizard page and click Next (figure 20).

 

Figure 20

 

13. Select both the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) and Include all certificates in the certification path if possible options on the Export File Format page. Click Next (figure 21).

 

Figure 21

 

14. Type in a file name and path in the File name text box on the File to Export page (figure 22). You do not need to type in a file extension. The file extension is added for you automatically.

 

Figure 22

 

15. Review the settings on the Completing the Certificate Export Wizard page and click Finish (figure 23).

 

Figure 23

 

16. Click OK on the Certificate Export Wizard dialog box that informs you the The export was successful (figure 24).

 

Figure 24

 

17. Click OK in the Certificate dialog box for the CA certificate (figure 25).

 

Figure 25

 

18. Click OK in the Certificate dialog box for the machine certificate (figure 26).

 

Figure 26

 

19. Expand the Trusted Root Certification Authorities node in the left pane of the console and right click on the Trusted Root Certification Authorities\Certificates node. Point to All Tasks and click on Import (figure 27).

 

Figure 27

 

20. Read the information on the Welcome to the Certificate Import Wizard page then click Next (figure 28).

 

Figure 28

 

21. Use the Browse button on the File to Import page to locate the CA certificate you saved to the local hard disk. The name and path to the certificate will appear in the File name text box. Click Next (figure 29).

 

Figure 29

 

22. Confirm that the Place all certificates in the following store option is selected and that it says Trusted Root Certification Authorities in the Certificate store text box on the Certificate Store page (figure 30). Click Next.

 

Figure 30

 

23. Confirm the settings in the Completing the Certificate Import Wizard dialog box, then click Next (figure 31).

 

Figure 31

 

24. Click OK on the Certificate Import Wizard dialog box that informs you that The import was successful (figure 32).

 

Figure 32

 

25. Select the Trusted Root Certificate Authorities\Certificates node in the left pane of the console and press the F5 key on the keyboard to refresh the view. You will now find the CA’s certificate listed in the right pane.

 

Figure 33

 

26. Click on the Personal\Certificates node in the left pane of the console and then double click on the machine certificate that appears in the right pane. Click on the Certification Path tab in the Certificate dialog box. The red “x” is removed from the CA’s entry in the Certification path because the CA is now trusted.

 

Figure 34