HOW TO ENABLE ACTIVE DIRECTORY CERTIFICATE SERVICE IN WINDOWS SERVER 2008 R2 sastechvision.in

In this post I am covering the steps to enable “Active Directory Certificate Services” in Windows Server 2008 R2.

1. Open “Server Manager” on your Domain Controller and select “Active Directory Certificate Services”.

[Screenshot: Add Roles Wizard, Server Roles: Active Directory Certificate Services]

2. Click Next:

[Screenshot: Add Roles Wizard, AD CS]

3. Click Next and select the role services as shown in the screenshot below.

[Screenshot: Add Roles Wizard, Role Services]

4. Here I am selecting Enterprise as my setup type, then click Next.

[Screenshot: Add Roles Wizard, Setup Type: Enterprise]

5. Select “Root CA” and click next.

[Screenshot: Add Roles Wizard, CA Type: Root CA]

6. Select “Create a new private key” and click next.

[Screenshot: Add Roles Wizard, Private Key: Create a new private key]

7. Give the names and click Next (remember that this will be the Certification Authority name).

[Screenshot: Add Roles Wizard, CA Name]

8. Set the validity period and click next.

[Screenshot: Add Roles Wizard, Validity Period]

9. Configure the certificate database location and click Next.

[Screenshot: Add Roles Wizard, Certificate Database]

10. Choose a certificate for SSL encryption (use the recommended one).

[Screenshot: Add Roles Wizard, Server Authentication Certificate]

11. Click Next

[Screenshot: Add Roles Wizard, Web Server (IIS)]

12. After enabling the Web Server (IIS) role, the wizard automatically selects the required role services.

[Screenshot: Add Roles Wizard, Role Services]

13. Now we are done with the manual selections; just click Install and it will install the selected roles and services.

[Screenshot: Add Roles Wizard, Confirmation]

Once the installation is complete we can see Active Directory Certificate Services in Server Manager.

[Screenshot: Server Manager]

For the trust to work, we must then take the CA certificate from the DC and import it into the Trusted Root Certification Authorities certificate store on the local machine (the SharePoint server on which we are trying to create a domain certificate).

For that we first need to take the certificate from the machine on which the Active Directory Certificate Services role is enabled. By default it is located in the following folder (the file extension will be .crt):

C:\Windows\System32\CertSrv\CertEnroll

Once you have the certificate you can import it into the Trusted Root Certification Authorities store. To do that:

1. Start –> run –> type “mmc”

2. It will open a console window; from the File menu select “Add/Remove Snap-in”.

3. Select the “Certificates” snap-in and add it.

[Screenshot: Add or Remove Snap-ins]

4. Once that is done, import the certificate into “Trusted Root Certification Authorities”.

[Screenshot: Certificates, All Tasks, Import]

If you do not do this, you may get the error below when you try to create a domain certificate in IIS 7.

“A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109”
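The same import can be scripted on the SharePoint/IIS server. This is an added example, not code from the original post: it checks the .crt copied from the CA against a thumbprint read on the CA itself before adding it to the machine's Trusted Root store, then builds a chain to confirm the 0x800B0109 condition is gone. The file path and the expected thumbprint are placeholders you replace with your own values.

```powershell
# Added example (not from the original post). Imports the enterprise root CA
# certificate exported from C:\Windows\System32\CertSrv\CertEnroll on the CA
# into LocalMachine\Root (Trusted Root Certification Authorities) and verifies
# that a chain built against it no longer ends in an untrusted root
# (CERT_E_UNTRUSTEDROOT, 0x800B0109). Works on the PowerShell 2.0 that ships
# with Server 2008 R2; run from an elevated prompt.
param(
    [string]$CaCertPath = 'C:\Temp\RootCA.crt',            # placeholder: your copied .crt
    [string]$ExpectedThumbprint = '<THUMBPRINT FROM THE CA>' # placeholder: read on the CA
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath

# Never trust a root machine-wide on the strength of a file name alone: compare the
# thumbprint with the one shown on the CA (certlm/certsrv) before importing.
$expected = $ExpectedThumbprint.Replace(' ', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# A root CA certificate is self-signed, so Subject and Issuer must match.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: '$($cert.Subject)' was issued by '$($cert.Issuer)'"
}

# Add it to Trusted Root Certification Authorities for the whole machine.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Build a chain; with the root trusted, Build() returns $true and ChainStatus is empty.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a root has no CRL to check
$trusted = $chain.Build($cert)
foreach ($status in $chain.ChainStatus) {
    Write-Warning "$($status.Status): $($status.StatusInformation)"
}
"Root '$($cert.Subject)' trusted on this machine: $trusted"
```

If the thumbprint check fails, the file did not come from your CA's CertEnroll folder (or was altered in transit) and must not be imported.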
