Prerequisites
1. Create an account (CertAdmin) with Domain Admin and Enterprise Admins group privileges
- The account must belong to the local Administrators group for the services below:
  - Standalone certificate authority
  - Certification Authority Web Enrollment
  - Online Responder
- The account must belong to the Enterprise Admins group for the services below:
  - Enterprise certification authority
  - Certificate Enrollment Policy Web Service
  - Certificate Enrollment Web Service
  - Network Device Enrollment Service
2. Install IIS first and make sure the default page is showing. (Important)
3. Once you have installed the Certificate Authority feature, you cannot change the computer’s name.
A root CA is at the top of the PKI hierarchy and issues its own self-signed certificate. A subordinate CA receives a certificate from the CA above it in the PKI hierarchy.
- Private key: use the option if you do not have a private key or want to create a new private key.
Tips & Errors:
1. If you don’t see any templates on the web enrollment page (http://localhost/certsrv/Default.asp) while generating a certificate:
Solution:
- Open the CA console, expand the sub-folders, right-click Certificate Templates, then click “Manage”
- On the right side, click “Properties” and go to “Security”
- Add “CertAdmin” and allow “Full control”
- Restart the CA service
2. Certificate generation error
- Try Chrome (the error occurs with Explorer)
3. Access is denied
complete certificate request access denied
Solution URL
4. “The request contains no certificate template information.”
5. Warning: this is a typical warning message when the certificate is issued from a local CA.
6. If Complete Certificate Request from the Server Certificates section does not work, use another way:
- Create a certificate through web certificate enrollment.
- From the certificate, click “install”
- Store location: Current user and click “Next”
- Choose “Place all certi…..” and open “Browse..” and select “Trusted Root Certification Authorities” and then click “Okay”
- Check the Server Certificates section to confirm that the new certificate appears there.
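To review the template permission change from tip 1, the following added PowerShell example (not part of the original notes) lists every account that holds Full control or other write rights on the certificate templates stored in Active Directory. It assumes the RSAT ActiveDirectory module is installed; the function name Get-TemplateWriteAccess is hypothetical, and CertAdmin is the account name used on this page.

```powershell
# Added example: report who can modify certificate templates in this forest.
# Assumes a domain-joined machine with the ActiveDirectory module available.
Import-Module ActiveDirectory

# Templates are stored in the forest-wide Configuration naming context.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# ActiveDirectoryRights flag values (System.DirectoryServices).
$GenericAll = 0xF01FF                       # shown as "Full control" in the GUI
$WriteMask  = 0x20 -bor 0x40000 -bor 0x80000 # WriteProperty, WriteDacl, WriteOwner

function Get-TemplateWriteAccess {
    param(
        # Optional filter on the account name, for example 'CertAdmin'.
        [string]$Account
    )
    Get-ADObject -SearchBase $templateBase -SearchScope OneLevel `
                 -Filter "objectClass -eq 'pKICertificateTemplate'" |
    ForEach-Object {
        $templateName = $_.Name
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Only Allow entries that carry at least one write-type right.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.ActiveDirectoryRights
            if (($rights -band $WriteMask) -eq 0) { continue }
            $identity = $ace.IdentityReference.Value
            if ($Account -and $identity -notlike "*\$Account") { continue }
            [pscustomobject]@{
                Template    = $templateName
                Identity    = $identity
                FullControl = (($rights -band $GenericAll) -eq $GenericAll)
                Rights      = $ace.ActiveDirectoryRights
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# All write-capable entries, then only those for the account used on this page.
Get-TemplateWriteAccess | Sort-Object Template, Identity | Format-Table -AutoSize
Get-TemplateWriteAccess -Account 'CertAdmin' | Format-Table -AutoSize
```

Entries with FullControl set to True and Inherited set to False are explicit grants such as the one made in tip 1, which makes it easy to confirm that only the intended account received it.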