In this post, learn how to deploy a standalone root Certificate Authority (CA) on a Windows Server 2025 machine that isn't joined to Active Directory, and how to configure the web enrollment interface so clients can request certificates using a browser.
A standalone root CA is useful when:
- You only need certificates trusted by a limited set of machines.
- You don't want to obtain certificates from a commercial provider.
- You're preparing an offline root CA scenario (covered separately).
Install Active Directory Certificate Services (Standalone Root CA)
1. Open Server Manager.
2. Select Manage, then Add Roles and Features.
3. Choose Role-based or feature-based installation.
4. Select the local server.
5. Check Active Directory Certificate Services.
6. Click Add Features when prompted.
7. Click Next through the wizard until the **Role Services** page.
8. Select Certification Authority only.
9. Click Install and wait for completion.
Configure the Certification Authority
1. In Server Manager, click the notification flag.
2. Select Configure Active Directory Certificate Services.
3. Enter credentials.
4. On Role Services, ensure Certification Authority is selected.
5. For Setup Type, select Standalone CA.
6. Choose Root CA on the CA Type page.
7. Select Create a new private key.
8. Increase the key length to 4096 and accept the other defaults.
9. Accept the default CA name (or customize it if desired).
10. Keep the default certificate validity period (5 years).
11. Accept the default database locations.
12. Confirm the configuration and allow it to complete.
13. Open the Certification Authority console from Tools to verify the CA was created.
Create an SSL Certificate for Web Enrollment
The CA certificate itself doesn't include subject alternative names (SANs), so you need a separate SSL certificate for the website; otherwise web enrollment will throw errors.
1. Open PowerShell and change to the root directory.
2. Create and enter a temp folder.
3. Use Notepad to create servercert.inf with details such as:
```ini
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject="CN=ws25-sa-ca"
KeyLength=2048
KeySpec=1
KeyUsage=0xA0
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
RequestType=PKCS10
FriendlyName="IIS Server Cert"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ws25-sa-ca"
; Add more if needed, e.g. another _continue_ = "&dns=<additional name>" line for more DNS names
```
4. Save the file.
5. Run `certreq -new`, specifying the INF file and an output `.req` file:
```powershell
certreq -new C:\temp\servercert.inf C:\temp\servercert.req
```
6. Submit the request:
* Run `certreq -submit` with the request file.
```powershell
certreq -submit -attrib "CertificateTemplate:WebServer" C:\temp\servercert.req C:\temp\servercert.cer
```
* Select the standalone CA when prompted.
* The request will show as **Pending**.
7. Open the Certification Authority console.
8. Under Pending Requests, right-click the request and select All Tasks → Issue.
9. Retrieve the certificate:
* Use `certreq -retrieve` with the request ID and an output `.cer` file.
```powershell
certreq -retrieve 2 C:\temp\servercert_issued.cer
```
10. Install the issued certificate with `certreq -accept` or by double-clicking it.
```powershell
certreq -accept C:\temp\servercert_issued.cer
```
Install the Web Enrollment Feature
1. Open Add Roles and Features again in Server Manager.
2. Click Next until the Server Roles page.
3. Expand Active Directory Certificate Services.
4. Select Certification Authority Web Enrollment.
5. Click Next and proceed. This also installs IIS automatically.
6. When finished, click Close.
7. Run Configure Active Directory Certificate Services again.
8. Select Certification Authority Web Enrollment and click Configure.
Bind the SSL Certificate in IIS
1. Open IIS Manager.
2. Select Default Web Site.
3. In the Actions pane, choose Bindings.
4. Click Add.
5. Set Type to https.
6. Enter the server's hostname.
7. Select the SSL certificate you issued earlier (e.g., `IIS Server Cert`).
8. Click OK and close IIS Manager.
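As an added example that is not part of the original post, the following PowerShell script performs the certificate check and IIS binding from the two sections above non-interactively: it finds the issued certificate, verifies it carries the Server Authentication EKU and the hostname SAN (the missing-SAN problem described earlier), binds it to the Default Web Site, and requests the enrollment page. It assumes the hostname `ws25-sa-ca` and friendly name `IIS Server Cert` from the INF file.

```powershell
# Added example (not from the original post). Assumes the hostname and friendly
# name used in servercert.inf above; adjust both if you changed them.
$HostName     = 'ws25-sa-ca'
$FriendlyName = 'IIS Server Cert'
$SiteName     = 'Default Web Site'

# 1. Locate the certificate that certreq -accept placed in the machine store,
#    insisting on a private key (a .cer imported without -accept has none).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate '$FriendlyName' with a private key in LocalMachine\My." }

# 2. Confirm the Server Authentication EKU (1.3.6.1.5.5.7.3.1) requested in the INF.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw 'Certificate lacks the Server Authentication EKU.'
}

# 3. Confirm the SAN extension (2.5.29.17) carries the hostname. This is the
#    check that catches the "CA certificate has no SAN" problem the post describes.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch "(?i)DNS Name=$([regex]::Escape($HostName))") {
    throw "Certificate SAN does not contain DNS name '$HostName'."
}

# 4. Create the https binding (SslFlags 1 = SNI, so the host header is honoured)
#    and attach the certificate to it.
Import-Module WebAdministration
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 5. Smoke-test the enrollment page over TLS. certsrv requires Windows
#    authentication, so pass the current user's credentials.
$resp = Invoke-WebRequest -Uri "https://$HostName/certsrv/" -UseDefaultCredentials -UseBasicParsing
"HTTP {0} from https://{1}/certsrv using certificate {2}" -f $resp.StatusCode, $HostName, $cert.Thumbprint
```

Run it in an elevated PowerShell session on the CA server after `certreq -accept`; any failed check stops the script before the binding is changed.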
Access the Web Enrollment Page
1. Open a browser.
2. Navigate to:
`https://<server-hostname>/certsrv`
Example:
`https://WS25-SA-CA/certsrv`
3. The Certificate Enrollment web interface should now load securely.