Certificate Authority (CA) (7/n)

It’s not long until we will start needing certificates.
Whether it will be for certificate authentication or management access to Prime, CMX, WLC, M&M, ISE or anything else, we don’t know yet, but we know we need a CA.

We won’t be able to cover everything in a single post, so I expect we’ll have a series of CA related posts for each product.

But getting started is “easy”.
We’ve decided that we’ll use the Domain Controller as a root-CA.
So just start the Server Manager -> “Add roles and features” -> Next -> Next -> Next -> add a checkmark to “Active Directory Certificate Services” -> Add Features -> Next -> Next -> Next -> and... oh.

So, I know we’ll need to be able to go to the ca/certsrv page to request a certificate manually, but I haven’t installed a Microsoft CA for a few years and I’m not sure which role service is required for that.

Here’s a TechNet article from Microsoft on the subject that also describes the difference between the Certificate Enrollment Web Service and Certification Authority Web Enrollment.

For the purpose of this experiment I selected all role services whose names start with the character “C”.

And we can continue with... Next -> Next -> Next -> Install.
This took about 2-3 minutes.

Now I should be able to get to the certsrv page, but instead I get a 404 error page.

Some browsing for the issue turned up a user who had similar problems because they installed the service using the local computer admin account rather than the domain admin account.

I was logged in as the local computer admin.

So I logged out, logged in as domain admin, uninstalled the certificate services and re-installed them.
This did not change anything.

Going into the “AD CS” menu in the Server Manager, I noticed a yellow banner stating that additional configuration is required.

I press “More”, make sure I’m using the correct (domain admin) credentials, press “Next”, select “Certification Authority” and “Certification Authority Web Enrollment”, then Next, Next (Enterprise CA), Next (Root CA), Next (create a new private key), Next, accept the default values for the common name at this point, and Next, Next, Next, Configure, Close.

I got a popup box asking if I wanted to configure additional role services, so while we’re at it, why not.

Now I can add checkmarks to “Certificate Enrollment Web Service” and “Certificate Enrollment Policy Web Service”.

I proceeded with Next, Next, Configure, Close, accepting the default values.

And now both pages work correctly, and we can go on to defining the templates to use.
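The same install-then-configure sequence as a script, added here as an example rather than taken from the original post. It runs in an elevated PowerShell on the DC; the CA common name, key size and validity are placeholders, and the credential must be a Domain Admin / Enterprise Admin account, which is the reason the local computer admin attempt above ended in a 404: installing the feature only copies the binaries, and the CA and the /certsrv application are only created by the configuration step, which needs to write to the Configuration partition of AD.

```powershell
# Added example, not from the original post. Run elevated on the DC.
# Placeholders: 'Escort-Root-CA', key length, validity and the SSL thumbprint.

# 1. Install the role services that start with "C" in the wizard:
#    Certification Authority, CA Web Enrollment, Certificate Enrollment
#    Web Service and Certificate Enrollment Policy Web Service.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, `
    ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol -IncludeManagementTools

# 2. The "additional configuration is required" step. Without it there is
#    no CA and no /certsrv virtual directory, hence the 404 seen above.
#    An Enterprise CA must be configured with Enterprise Admin rights.
$cred = Get-Credential -Message 'Domain / Enterprise Admin credentials'

Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Escort-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Credential $cred -Force

# Equivalent of ticking "Certification Authority Web Enrollment" (certsrv).
Install-AdcsWebEnrollment -Credential $cred -Force

# 3. The two enrollment web services. Both require an HTTPS binding, so pick
#    a server-authentication certificate already in the machine store
#    (assumption: one exists, e.g. the DC certificate) and use its thumbprint.
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object -First 1
$sslThumbprint = $sslCert.Thumbprint

Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $sslThumbprint -Credential $cred -Force
Install-AdcsEnrollmentWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $sslThumbprint -Credential $cred -Force

# 4. Check: certsrv now answers 200 rather than 404, and the CA service
#    responds. -UseDefaultCredentials sends the current Windows logon.
$resp = Invoke-WebRequest -Uri "http://$env:COMPUTERNAME/certsrv/" `
    -UseDefaultCredentials -UseBasicParsing
"certsrv HTTP status: $($resp.StatusCode)"
certutil -ping
```

If the `Invoke-WebRequest` call still returns 404 after this, the role is installed but not configured; `Get-WindowsFeature ADCS-*` shows the installed state, while `certutil -ping` only succeeds once the CA itself has been configured.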

There’s a single template that we will use the most, so I want to enable it right away for use via the certsrv portal: the Web Server template.

So opening up “Certification Authority” on the DC, I can right-click “Certificate Templates” and select “Manage”, which opens up the Certificate Templates Console.

Now, someone from Microsoft once said I should never use the default built-in templates, so I right-click the “Web Server” template and select “Duplicate Template”.

In the “General” tab I’ll call this template WebServer_Escort and in the “Security” tab I’ll allow “Authenticated Users” to have “Enroll” permissions.

Then in the Certification Authority console, I right-click “Certificate Templates”, New -> Certificate Template to Issue, find my WebServer_Escort and click OK.

And now I can use that template while requesting a certificate.
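The publish step from the command line, followed by the check a practitioner would want after opening the template's Security tab to “Authenticated Users”. This is an added example, not code from the original post; it assumes the template was already duplicated as WebServer_Escort in the Certificate Templates Console, and reads everything else from Active Directory at run time. The extended-right GUID for Enroll and the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit are fixed values in AD CS.

```powershell
# Added example, not from the original post. Run on the CA (the DC here).
Import-Module ADCSAdministration

# Same as "Certificate Templates -> New -> Certificate Template to Issue".
Add-CATemplate -Name 'WebServer_Escort' -Force

# Confirm the CA now offers it; this is the list the certsrv drop-down uses.
Get-CATemplate | Where-Object Name -eq 'WebServer_Escort'

# Templates are stored in the Configuration partition, so read the object there.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]("LDAP://CN=WebServer_Escort,CN=Certificate Templates," +
                   "CN=Public Key Services,CN=Services,$configNC")

# The Web Server template lets the requester put the subject name in the
# request: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1 in msPKI-Certificate-Name-Flag.
$nameFlags       = [int]$template.'msPKI-Certificate-Name-Flag'.Value
$suppliesSubject = ($nameFlags -band 0x1) -ne 0

# Who may enroll: the "Certificate-Enrollment" extended right has a fixed
# GUID in every forest, and GenericAll on the object implies it as well.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$enrollers = $template.ObjectSecurity.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $enrollRight -or
         $_.ActiveDirectoryRights.HasFlag($genericAll))
    } |
    Select-Object IdentityReference, ActiveDirectoryRights

"Enrollee supplies subject: $suppliesSubject"
$enrollers | Format-Table -AutoSize

# With "Authenticated Users" in this list and the flag set, any domain
# account can request a server certificate for any name it types in. The
# template's "Issuance Requirements" (CA certificate manager approval) or a
# narrower group in the Security tab is where that gets tightened later.
```

Run it after each template change: the first two lines prove the template is published, and the ACL listing shows exactly which principals the Security tab granted Enroll to, so a broader group than intended is visible before the first certificate is issued.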