Once We Have Successfully Created Our Certificate On The CA Server, And It Is Ready To Be Published, We Must Then Test It On The Client Computers To Make Sure That It Works Properly.
Windows Server 2019, Note that the method of submitting a certificate request through client computers is not always the same, and some users prefer or have to submit a certificate request through a web interface instead of the MMC console. In this article, we will show how to use both methods.
Request a certificate through the MMC console Windows Server 2019
Our new Certificate template has been created and successfully embedded in the CA console and is officially released. Now is the time to test the pattern. To do this, log in to one of the regular client computers. There are two standard ways to apply for a new certificate through client computers. The first method is to use a good and old MMC console. Run the MMC client from the computer, select Add / Remove Snap-in from the File menu, and select Certificate.
When you select the certificates from the list of available snap-ins and click the Add button, several additional options are provided to choose the Certificate you want to open. You can select from an available user account, Service Account, or computer account certificates.
Since we are looking to test the new certification template we have created and published within the CA console successfully, we are ready to use it formally.
We also want to test the new Certificate we have created and have it ready to use on the same client computer, so select the Computer account and click Finish.
Next, click the Finish button again to select the default option: Local computer. If you type CERTLM MSC in the Run dialog, MMC will automatically execute the required snap-in and open it. It will store the local machine certificate inside the MMC. Newer operating systems, such as Windows 8 and 10 and Windows Servers 2012, 2012R2, 2016, and 2019, have the MSC shortcut to directly open the Certificate Store for the local computer.
It is where you need to go when installing certificates on a computer or server.
A special place inside the Certificate Store allows you to install your Certificate in the Personal folder. True, this can be bypassed-but not unless you’re a techie who knows what he’s doing. If you click on this folder, you will see that we have not added anything to that list at this time:
To apply for a new certificate to our CA server, right-click on the Personal folder, All Tasks, and Request New Certificate. In the wizard that opens, click the Next button once. We are going.
Now you see a screen that looks like something needs to be done; in most cases, we send the certificate request to one of the business partners or domain machines, so we do not have much to do on this page. For this reason, click the Next button. The wizard will then query the Active Directory and show all available certificate templates ready for release:
The Request Certificate page is displayed with a list of available templates.
It is a dynamic list, and its contents depend on the computer you are logged in to, as well as the permissions of your account. When creating the new certificate template, I went to the Security tab and set it up.
We defined who and what can get the new certificate template in the tab. If we represent a specific group of domain computers, likely, the new DirectAccess Machine template will not display in the list above.
However, since I have defined this template so that all computers can receive it, I will see my Certificate here.
If you do not see your new template in this list, click the Show All Templates check box. It will give you a complete list of all the templates available on the CA server for each explanation, as well as for certificates that are not available, explaining why they are not available.
Check the box next to each of the certificates you need and click Enroll.
The console will now spin for a few seconds as the CA server processes your request to obtain a new certificate that your computer needs, along with the relevant criteria specified in the Certificate.
When the process is complete, you will see that our new machine certificate is now in Personal | The Certificate is located inside the MMC. If you double-click on the Certificate, you will be able to check the properties to make sure that the settings you are considering are listed in the Certificate:
Request a certificate through the web interface
We typically use MMC to apply for certifications, but there is another platform that you can use to apply for and issue certificates. Of course, the application of the above solution depends on how the CA server is built.
When we installed the AD CS role, we ensured that the Certification Authority and Certification Authority selected Web Enrollment options. The second option is essential, and we will examine it later. We do not have a web interface to run our CA server without Web Enrollment, so the above section is unavailable.
If the CA server does not have the above role, you need to go to the Server Manager and add the current position to it:
Once the Certification Authority Web Enrollment is installed on the CA server, a website will run on your server that you can access through a web browser and within your network. This website is handy for users to apply for a certificate through the web interface. It’s good to provide documentation or tutorials for your users to follow the certification process through the website instead of following the MMC console.
Additionally, if you want to allow computers outside of your CA server network to request certification, this is difficult for them through MMC. For example, if you have a home user who has to apply for a new certificate but does not have a full VIP tunnel, the MMC console will likely not connect to the CA server and receive the Certificate.
We must use the client’s computer again to access and test this website.
This time, instead of opening the MMC, open the browser and enter the address HTTP: // <CASERVER> / certsrv into the browser.
Our URL starts with the HTTPS protocol. This website is configured to use the HTTPS protocol instead of the HTTP protocol to allow the website to issue certificates. When a website uses HTTPS on a CA server, you will ensure that the Certificate issued is encrypted when sending. Certification is impossible via HTTP, as this information is sent to the client without encryption.
The clicking request will show a certificate link that you can use to request a new certificate from the CA server on Windows Server 2019.
When you have users who intend to receive the Certificate through the web interface, you are typically issuing a user-based certificate, in which case we have a straightforward solution to automate the Certificate of the computer automatically and without any interaction with Have a user to export. Since we ask our users to log in first and then request a new User Certificate, on the next page, we have to select the relevant link:
You can behave. Suppose you are not interested in a user certificate. Instead of clicking on the link above, you want to use the web interface to get a machine certificate, a web server certificate, or any other type of Certificate. In that case, you should click on the advanced certificate request link and follow the instructions on the view page.
By clicking on the link above and pressing the Submit button, the Certificate will be received and generated from the CA server, and a link will show you that you can use that link to install the Certificate. Click on the link.
It will install the CertCertificateated for you on your computer.
The image below shows that the website has responded to my request and announced that the CertCertificate had been successfully installed. You will also know that I have opened the current user certificate in MMC to make sure the CertCertificatelly exists:
In the next issue of Windows Server 2019 free training, we will continue the above topic.
Windows Server 2019