

Configure SSL/TLS on a Web Site in the Domain with an Enterprise CA

Many web (HTTP) services require Transport Layer Security (TLS), still widely called SSL after its predecessor. If you have a Windows Server-based Enterprise Certification Authority (CA), you can use the following instructions to get a server certificate issued to an Internet Information Services (IIS) web server in your domain and bind it to a web site. Note that, despite the "SSL" labels in the IIS and CA consoles, the protocols you should actually be negotiating are TLS versions; SSL 2.0 and 3.0 are obsolete and should be disabled in Schannel.


Configure an appropriate certificate template for SSL certificate

  1. Connect to the Enterprise CA with the appropriate credentials and open the Certification Authority console.
  2. Expand the certification authority so that you can see Certificate Templates.
  3. Right-click Certificate Templates and then click Manage. If you don't see these options, run certtmpl.msc to open the Certificate Templates console directly.
  4. In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template. If you are prompted to select a template version, select Windows Server 2003 and then click OK.
  5. In the General tab, under Template display name, type a name that you want to use for the template. For example, SSL Certificates.
  6. On the Security tab, grant the Enroll permission to the accounts that will request certificates from this template. At a minimum this must be the computer account of the IIS server, because the enrollment in the next section runs in the computer's context; you can also grant it to a user or group that requests certificates on the server's behalf. Keep this list narrow: do not grant Enroll to broad groups such as Authenticated Users or Domain Computers unless every such account should be able to obtain a web server certificate. To add the computer account, click Add.
    • In Select Users, Computers, Service Accounts, or Groups, click Object Types, select Computers, and then click OK.
    • Type the name of the computer running IIS, click Check Names, and then click OK.
    • Ensure that the computer account for the computer running IIS is selected and then select the Allow checkbox that corresponds to the Enroll permission.
    • If a user or group will also request certificates, click Add again, type the name of that user or group, click Check Names, click OK, and select the Allow checkbox for Enroll for that entry as well.
    • Click OK.
  7. On the Subject Name tab, select Build from this Active Directory information. Set Subject name format to Common name. Under Include this information in alternate subject name, select the DNS name checkbox and clear the User principal name (UPN) checkbox. Building the subject from Active Directory means the CA, not the requester, decides which name goes into the certificate; a template that instead lets the enrollee supply the subject would allow any account with Enroll permission to request a certificate for an arbitrary host name.
  8. On the Cryptography tab, set Minimum key size to 2048 bits or higher. 1024-bit RSA keys are no longer accepted by current browsers and should not be issued. Click OK.
  9. Close the Certificate Templates console and return to the Certificate Authority console.
  10. In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  11. In the Enable Certificate Templates dialog box click the new certificate template that you just configured and then click OK.
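After publishing the template, it is worth confirming from Active Directory that it carries the settings from steps 5 through 11, since the consoles do not show the underlying flags. The following PowerShell is an added example and not part of the original article; it assumes the display name SSL Certificates from step 5 (adjust $TemplateDisplayName otherwise), runs from any domain-joined host, and uses plain ADSI/LDAP so it needs no RSAT module. The flag values come from the msPKI-Certificate-Name-Flag definition in MS-CRTD and the Enroll extended-right GUID is the well-known Certificate-Enrollment control access right.

```powershell
# Added example: verify the duplicated template in AD after steps 1-11.
$TemplateDisplayName = 'SSL Certificates'   # assumption: the display name typed in step 5

# Locate the forest's Configuration naming context and the PKI container.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Find the template by display name; its CN is the template name (display name without spaces).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))"
$found = $searcher.FindOne()
if (-not $found) { throw "Template '$TemplateDisplayName' not found in Active Directory" }
$template     = $found.GetDirectoryEntry()
$templateName = $template.cn.Value

# Bits of msPKI-Certificate-Name-Flag (MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT   = 0x00000001
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN     = 0x02000000
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS     = 0x08000000
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
$nameFlags = [int]$template.'msPKI-Certificate-Name-Flag'.Value

$checks = [ordered]@{
    'Subject built by the CA, not supplied by the enrollee' = -not ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    'Subject name format is Common name'                    = [bool]($nameFlags -band $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME)
    'Alternate subject name includes DNS name'              = [bool]($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS)
    'Alternate subject name excludes UPN'                   = -not ($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN)
    'Minimum key size is at least 2048 bits'                = ([int]$template.'msPKI-Minimal-Key-Size'.Value -ge 2048)
    'EKU includes Server Authentication'                    = (@($template.pKIExtendedKeyUsage) -contains '1.3.6.1.5.5.7.3.1')
}

# Step 10-11: the CA object in Enrollment Services lists the templates it will issue.
$esContainer = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$publishedOn = foreach ($ca in $esContainer.Children) {
    if (@($ca.certificateTemplates) -contains $templateName) { $ca.cn.Value }
}
$checks['Published on at least one CA'] = [bool]$publishedOn

# Step 6: who holds the Enroll extended right (or GenericAll, which implies it).
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment control access right
$rights      = [System.DirectoryServices.ActiveDirectoryRights]
$enrollers   = $template.ObjectSecurity.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
             ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty))
        )
    } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

"Template name: $templateName"
$checks.GetEnumerator() | ForEach-Object {
    '{0} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
"Published on CA(s): $($publishedOn -join ', ')"
"Enroll granted to:  $($enrollers -join ', ')"
```

A FAIL on the first check is the one to treat as a security finding rather than a typo: it means the requester can put any name in the certificate. The enroller list should contain the IIS server's computer account and little else.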


Obtain a certificate for IIS using the certificate template

  1. On the IIS server, open an empty MMC console. To do so, open a command prompt, the Run dialog box, or Windows PowerShell, type mmc, and then press ENTER.
  2. In the new MMC console (Console1) click File, and then click Add/Remove Snap-in.
  3. From the list of Available snap-ins, select Certificates and then click Add.
  4. Select Computer account and then click Next.
  5. In Select Computer the Local computer is selected by default. Click Finish and then click OK.
  6. Expand Certificates (Local Computer) and then right-click Personal. Click All Tasks, and then click Request New Certificate.
  7. On the Certificate Enrollment wizard, click Next.
  8. On the Select Certificate Enrollment Policy page, ensure that Active Directory Enrollment Policy is selected and then click Next.
  9. On the Request Certificates page, select the checkbox for the template you created (for example, SSL Certificates) and then click Enroll. When the status shows Succeeded, click Finish. The certificate appears under Personal, Certificates with a key icon indicating that the private key is present on this computer.
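The same enrollment can be scripted, which is useful when you have more than one web server or want to check the issued certificate before touching IIS. The following PowerShell is an added example, not the article's own steps; it assumes the template name SSLCertificates (the display name SSL Certificates with the space removed, as the Certificate Templates console auto-fills it), an elevated session on the IIS server, and Windows Server 2012 or later for the Get-Certificate cmdlet and .NET 4.6 or later for GetRSAPublicKey.

```powershell
# Added example: enroll for the template from steps 6-9 with the PKI module and
# check the result before binding it to IIS.
$TemplateName = 'SSLCertificates'            # assumption: template name of "SSL Certificates"
$Store        = 'Cert:\LocalMachine\My'      # the Personal store of the computer account

# With no -Url, Get-Certificate uses the Active Directory enrollment policy (step 8).
$result = Get-Certificate -Template $TemplateName -CertStoreLocation $Store
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status '$($result.Status)'. A Pending request stays in Cert:\LocalMachine\REQUEST until the CA issues it."
}
$cert = $result.Certificate

# What step 7 of the next section checks by eye, done programmatically.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

$report = [pscustomobject]@{
    Thumbprint       = $cert.Thumbprint
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    KeySizeBits      = $rsa.KeySize
    ServerAuthEKU    = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    SanMatchesHost   = (@($cert.DnsNameList.Unicode) -contains $fqdn)
    HasPrivateKey    = $cert.HasPrivateKey
    ChainTrusted     = $cert.Verify()        # builds the chain against the machine's root/intermediate stores
    NotAfter         = $cert.NotAfter
}
$report

$problems = @()
if ($report.KeySizeBits -lt 2048) { $problems += "key is only $($report.KeySizeBits) bits" }
if (-not $report.ServerAuthEKU)   { $problems += 'EKU lacks Server Authentication' }
if (-not $report.SanMatchesHost)  { $problems += "SAN does not contain $fqdn" }
if (-not $report.HasPrivateKey)   { $problems += 'no private key in the machine store' }
if (-not $report.ChainTrusted)    { $problems += 'chain does not validate on this host' }
if ($problems) { throw "Issued certificate is not usable for HTTPS: $($problems -join '; ')" }
```

If ChainTrusted is false on a domain member, the issuing CA's certificate is usually missing from the Trusted Root or Intermediate store; browsers on client machines will show the same failure, so fix that before binding the certificate.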


Configure HTTPS on the Default Web Site

  1. On the IIS server, open the Internet Information Services (IIS) Manager.
  2. Expand the server and Sites nodes until you can see Default Web Site.
  3. Click Default Web Site.
  4. On the Actions pane, click Bindings.
  5. In Site Bindings, click Add.
  6. In Add Site Binding, set Type to https.
  7. Set SSL certificate to the certificate that the CA issued to this server. To confirm you have the correct certificate, click View. The certificate's purpose should read Ensures the identity of a remote computer, and the General tab should state that you have a private key that corresponds to this certificate. On the Details tab, select Enhanced Key Usage and ensure that it reads Server Authentication (1.3.6.1.5.5.7.3.1); select Subject Alternative Name and ensure that it lists the DNS name clients will use to reach the site, because browsers validate the host name against the SAN rather than the subject. Click OK.
  8. On Add Site Binding, click OK. On Site Bindings, click Close.
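The binding from steps 4 through 8 can also be created with the WebAdministration module, and either way the result should be verified with a real TLS handshake rather than by looking at the console. The following PowerShell is an added example, not from the original article; it assumes the site name Default Web Site, port 443 on all addresses, an elevated session on the IIS server, and that the certificate chosen is the newest one in the machine store that has a private key, the Server Authentication EKU and this host's FQDN in its SAN.

```powershell
# Added example: create the HTTPS binding from steps 4-8 and verify it end to end.
Import-Module WebAdministration

$SiteName = 'Default Web Site'            # assumption: the site from step 2
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Select the certificate the way step 7 describes: Server Authentication EKU,
# host name in the SAN, private key present. Newest first if several qualify.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        (@($_.DnsNameList.Unicode) -contains $fqdn)
    } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-authentication certificate for $fqdn with a private key in LocalMachine\My" }

# Step 5-6: the https binding on the site (idempotent).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# Step 7: attach the certificate to 0.0.0.0:443 in HTTP.sys via the IIS: drive.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Verify from the client side: a full handshake that also validates name and chain.
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($fqdn)      # throws if the host name or the chain does not check out
    [pscustomobject]@{
        Protocol        = $ssl.SslProtocol
        CipherAlgorithm = $ssl.CipherAlgorithm
        CipherStrength  = $ssl.CipherStrength
        ServerCert      = $ssl.RemoteCertificate.Subject
        MatchesBinding  = ($ssl.RemoteCertificate.GetCertHashString() -eq $cert.Thumbprint)
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Protocol should report a TLS version; if it reports Ssl3 or the handshake fails on a modern client, disable the obsolete protocols under the Schannel Protocols registry key. A MatchesBinding value of false usually means an older certificate is still bound to the same IP and port.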


Additional Resources

See the following resources for more information on using the CA Web Enrollment pages and on HTTPS in Internet Information Services (IIS).
