How to enable “Active Directory Certificate Services” in Windows Server 2008 R2?
Recently I tried to set up SSL on a SharePoint website. The SharePoint server was joined to a domain, and the host entries for my sites lived on the Domain Controller. In that scenario a self-signed certificate is not enough: nothing else on the network trusts it, so every client would have to import it by hand. You either add the Active Directory Certificate Services role to your DC (which then becomes your Certificate Authority) or you submit a certificate request to a commercial certificate provider.
I will cover the SSL setup itself in a later post. This post covers the steps to enable “Active Directory Certificate Services” on Windows Server 2008 R2.
1. On your Domain Controller, open Server Manager, choose Add Roles and select “Active Directory Certificate Services”.
2. Click Next.
3. Click Next and select the role services as in the screenshot below.
4. Select Enterprise as the setup type and click Next. An enterprise CA requires a domain and publishes its root certificate to Active Directory; a standalone CA does not.
5. Select “Root CA” and click Next.
6. Select “Create a new private key” and click Next.
7. Enter the CA name and click Next. Choose it carefully: it becomes the Certificate Authority name, it appears in every certificate this CA issues, and it cannot be changed later without reinstalling the CA.
8. Set the validity period and click Next. The root CA's validity must outlast the certificates it will issue, otherwise those certificates expire with it.
9. Configure the certificate database location and click Next.
10. Choose a server authentication certificate for SSL encryption (use the recommended option). This page is only shown when a role service that needs an HTTPS endpoint (the Certificate Enrollment Web Service or Certificate Enrollment Policy Web Service) was selected in step 3; if you did not select one of those, the wizard skips it.
11. Click Next.
12. The Web Server (IIS) role is added automatically together with the role services it requires.
13. That is the end of the manual selections; click Install and the selected roles and role services are installed.
Once the installation has finished, Active Directory Certificate Services appears under Roles in Server Manager.
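The same role installation and a post-install check from the command line, as an added PowerShell example that is not part of the original post. It assumes an elevated PowerShell 2.0 session on the Windows Server 2008 R2 domain controller (the ServerManager module ships with it) and an output folder C:\Temp, which is an assumption.

```powershell
# Added example (not from the original post): install the AD CS role services
# and check the CA after the wizard has configured it. Run elevated on the DC.
Import-Module ServerManager

# The CA itself plus web enrollment; Web-Server (IIS) is pulled in as a dependency.
$result = Add-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment
if (-not $result.Success) { throw "Role installation failed with exit code $($result.ExitCode)" }
if ($result.RestartNeeded -ne 'No') { Write-Warning 'A reboot is required before continuing.' }

# On 2008 R2 the CA type (Enterprise/Standalone, Root/Subordinate), key, name,
# validity and database path are still set through the Server Manager wizard
# shown in the steps above. Install-AdcsCertificationAuthority only exists from
# Windows Server 2012 onward. After the wizard, confirm the CA is alive:
Get-Service CertSvc | Format-Table Name, Status -AutoSize
certutil -ping          # "ICertRequest2 interface is alive" on success
certutil -cainfo name   # prints the CA name entered in step 7

# Export the CA's own certificate for the SharePoint server. This is the same
# certificate that sits under CertEnroll; certutil -ca.cert writes it directly.
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null   # C:\Temp is an assumption
certutil -ca.cert C:\Temp\rootca.cer
Get-ChildItem "$env:windir\System32\certsrv\CertEnroll" -Filter *.crt
```

The exported file is the public CA certificate only; the CA's private key never leaves the DC, and nothing on the SharePoint server needs it.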
For trust to work, the CA certificate from the DC must be imported into the Trusted Root Certification Authorities store on the SharePoint server (the machine where we will later create a domain certificate). Domain-joined machines normally receive an enterprise CA's root certificate automatically through Active Directory and Group Policy, so if the certificate is already present after a gpupdate /force you can skip the manual import; it is needed before that refresh has happened, or on a machine that is not joined to the domain.
First copy the CA certificate (a .crt file) from the machine that has the AD CS role enabled. By default it is located here:
C:\Windows\System32\Certsrv\CertEnroll
Once you have the certificate, import it into the Trusted Root Certification Authorities store as follows.
1. Start –> Run –> type “mmc”
2. In the console window, select “Add/Remove Snap-in” from the File menu.
3. Select the “Certificates” snap-in and add it for the Computer account (not the current user: IIS reads the machine stores, so a certificate imported into your user's store does not help it).
4. Import the certificate into “Trusted Root Certification Authorities”.
If you skip this step, creating a domain certificate in IIS 7 fails with the error below.
“A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109”
0x800b0109 is CERT_E_UNTRUSTEDROOT: the chain was built correctly, but it ends in a root that this machine does not trust.
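The import and a chain check on the SharePoint server, as an added PowerShell example that is not part of the original post. It uses the .NET X509Store classes rather than the Import-Certificate cmdlet, because that cmdlet is not available on Windows Server 2008 R2. It assumes the CA certificate was copied to C:\Temp\rootca.cer (an assumed path) and that the session runs elevated; the function Test-ChainToRoot is a helper written for this example.

```powershell
# Added example (not from the original post): import the CA certificate into the
# machine-wide Trusted Root store and verify that an issued certificate chains to it.
$rootPath = 'C:\Temp\rootca.cer'   # assumed location of the file copied from the DC
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootPath

# Sanity check before trusting anything: a root CA certificate is self-issued.
if ($root.Subject -ne $root.Issuer) { throw "Not a root CA certificate: $($root.Subject)" }
Write-Host "Importing '$($root.Subject)' with thumbprint $($root.Thumbprint)"

# LocalMachine\Root is the "Trusted Root Certification Authorities" folder the
# post reaches through mmc. Equivalent to: certutil -addstore -f Root C:\Temp\rootca.cer
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($root)
$store.Close()

# Build the chain for a certificate issued by the CA (for example the domain
# certificate created in IIS, found in LocalMachine\My). Without the root in the
# store, chain building fails with UntrustedRoot, the same condition IIS reports
# as 0x800b0109 (CERT_E_UNTRUSTEDROOT).
function Test-ChainToRoot([string]$Thumbprint) {
    $my = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
    $my.Open('ReadOnly')
    $leaf = $my.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $my.Close()
    if (-not $leaf) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab CA: the CRL may not be published yet
    $ok = $chain.Build($leaf)
    foreach ($s in $chain.ChainStatus) { Write-Warning "$($s.Status): $($s.StatusInformation)" }
    return $ok
}

# Usage once the domain certificate exists in IIS: pass its thumbprint (hex, no spaces).
# Test-ChainToRoot '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder value
```

RevocationMode is set to NoCheck only so the check isolates the trust problem; once the CA's CRL distribution point is reachable from the SharePoint server, drop that line so revocation is checked as well.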
Comments
Anonymous
July 17, 2010
Check out my step-by-step guide for installing Windows 2008 R2 certificate authority server eyalestrin.blogspot.com/.../windows-2008-r2-certification-authority.html
Anonymous
July 18, 2010
Good one Eyal, thanks for sharing it here.
Anonymous
March 02, 2011
So where did you get that certificate you chose in step 10? Thought this how-to was to set up self-signed.
Anonymous
March 03, 2011
It will be there; the configuration wizard will provide it for you.
Anonymous
June 22, 2012
track my certificate authority collection COA CSR CMS MICROSOFT Support Userclickfree Partner Golden Trust
Anonymous
October 18, 2012
Can you tell me, is this the “Enabling SSL in AD” option?
Anonymous
July 03, 2013
The cert in step 10 is not there. Any ideas?
Anonymous
January 22, 2014
Thank you Sir, but I have another query. I have already installed AD, but today it shows its services are disabled; what should I do to resolve this? I have already looked in services.msc, and it shows that the AD services are disabled. I tried to start the AD services but it is not working... Please sir, help me.
Anonymous
March 11, 2014
Check this:
confluence.atlassian.com/.../Configuring+an+SSL+Certificate+for+Microsoft+Active+Directory
Anonymous
August 14, 2014
step 10 doesn't exist in my setup how did you get it??