
Windows Server 2012 Domain Certificates

You need SSL for secure web communication. To configure SSL, you need to make or buy an SSL certificate. If you have no need to provide the outside world with secure web access, then it’s OK to make your own SSL certificate. Windows Server 2012 Essentials gives you a means to make your own SSL certificate quickly and easily.

Windows Server 2012 Essentials installs out of the box with several roles and features ready to go. Active Directory Certificate Services (AD CS) prompts you for various pieces of information during the initial configuration of Windows Server 2012 Essentials. (Hint: when you’re asked to name the root certificate, give it a name you will recognize as distinct.) If you intend to add users to a domain and use any of the security or encryption features built into Windows Server 2012, then it is rather silly to use OpenSSL for any aspect of SSL.

Other versions of Windows Server come with no roles or features installed out of the box. You install what you need for the configuration you require.

If you’re using Windows Server 2012 Essentials and you plan to install Anywhere Access, you have to use AD CS. You don’t need to read further, unless you’re curious. All the relevant information is included in ‘Windows Server 2012 Essentials R2 and Anywhere Access’. I’ve read that it is possible to use OpenSSL for Anywhere Access, but the required configurations are ridiculously complicated. Anywhere Access won’t accept an OpenSSL certificate exported from IIS. Besides, Anywhere Access is ridiculously easy to install and configure, giving you remote web access and / or SSTP VPN access from domain and non-domain computers.

In case you’re wondering, OpenSSL will work well for garden variety SSTP VPNs installed and configured the traditional way using Routing and Remote Access. If you’re using Windows Server 2012 Standard and want to keep installed roles and features at a minimum, it works well. Just select the certificate bound to port 443 in the SSL certificate prompt on the Security tab of the Routing and Remote Access server properties box and you’re good to go.

Internet Information Services (IIS) includes a feature that allows you to create a domain certificate.

Step 1 is to install the Active Directory Certificate Services role if it’s not already installed. Since it’s likely you’re using Windows Server 2012 Essentials, I’ll assume you’re ready. If not, and your needs are basic, install it as an enterprise root CA and include the Certificate Authority Web Enrollment option. The defaults should work well. Make sure to give the root certificate a distinctive name. You will need access to the root certificate afterward to export it from Windows Server and import it into workstations and browsers. Finally, your router will need to have port 443 forwarded to your server.

_________________________

Create the Domain Certificate Using IIS

Start the Internet Information Services Manager and select Server Certificates.

[Screenshot: DomainCert01]

Click Create Domain Certificate.

[Screenshot: DomainCert02]

Fill out the form. Make sure the URL you will use goes into the top line. Click Next.

[Screenshot: DomainCert03]

Select the root certificate to use. It will probably be the only file available. Type in the friendly name. This is the name you will use to recognize the domain certificate later. Click Finish.

[Screenshot: DomainCert04]

Done.

[Screenshot: DomainCert05]

____________________

Assuming you’re not going to use Anywhere Access, you’ll need to bind the certificate you just made to port 443. Select Default Web Site and, on the far right, click Bindings.

[Screenshot: DomainCert06]

Click Add.

[Screenshot: DomainCert07]

Fill in the fields. Click OK.

[Screenshot: DomainCert08]

Done. The Anywhere Access wizard performs this binding step automatically.
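If you would rather script the last two steps, or check that the clicks did what you expected, the following PowerShell does the same job. It is an added example, not code from the original post: it finds the domain certificate by the friendly name you typed in the wizard, checks that it covers the URL you entered and chains to a trusted root, adds the port 443 binding to Default Web Site, and exports the root certificate (public part only) for import into workstations and browsers. The friendly name, host name, root CA name and export path are placeholders you must replace with your own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on the server. The four values below are placeholders for your own names.
Import-Module WebAdministration
Import-Module PKI

$FriendlyName = 'MyDomainCert'          # friendly name typed in the IIS wizard
$HostName     = 'remote.example.com'    # URL entered on the top line of the form
$RootCaName   = 'EXAMPLE-ROOT-CA'       # distinctive name given to the root certificate
$ExportPath   = 'C:\Certs\root-ca.cer'  # where to write the exported root certificate

# 1. Locate the domain certificate the IIS wizard requested from the enterprise CA.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My" }

# 2. The name in the certificate must match the URL clients will use, and the
#    chain must build to a trusted root for server authentication (SSL policy).
if ($cert.DnsNameList.Unicode -notcontains $HostName) {
    throw "Certificate does not cover $HostName (covers: $($cert.DnsNameList.Unicode -join ', '))"
}
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue)) {
    throw 'Certificate chain or EKU check failed; is the root CA trusted on this server?'
}

# 3. Add the HTTPS binding to Default Web Site (the manual Bindings > Add step).
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
# Associate the certificate with the binding (the SSL certificate drop-down).
$bindingPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
New-Item -Path $bindingPath -Value $cert | Out-Null

# 4. Export the root CA certificate. -Type CERT writes the public certificate
#    only; the CA private key never leaves the server.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$RootCaName*" } |
    Select-Object -First 1
if (-not $root) { throw "Root CA '$RootCaName' not found in LocalMachine\Root" }
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT | Out-Null

"Bound $($cert.Thumbprint) to https://${HostName}:443; root CA exported to $ExportPath"
```

The exported .cer file goes into the Trusted Root Certification Authorities store on each workstation (or the browser’s own trust store), after which the domain certificate is accepted without warnings.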

[Screenshot: DomainCert09]
