status of Unavailable. Select the certificates you want to enroll in, and click the Details item to
see how the certificate key can be used and the certificate's validity period. This method for
requesting certificates can be used only with enterprise CAs.
In most cases, autoenrollment is preferred over manual requests. If you want users to know
their certificate information or if you have specialized templates that only a few users require,
you might want to use manual requests.
Configuring Web Enrollment
After autoenrollment, the most common certificate
request method is Web enrollment, which requires installing the Certification Authority Web
Enrollment role service in Server Manager. This role service enables users to request and renew
certificates, retrieve CRLs, and enroll for smart card certificates via their Web browsers. Web
enrollment is the main method for accessing CA services on a standalone CA because, as mentioned
previously, autoenrollment and the Certificates snap-in can be used only with enterprise CAs.
To access the Certification Authority Web Enrollment role service, users simply open a
browser and go to http://CAServer.domain/certsrv; CAServer is the name of the CA server, and
domain is the domain name. The server with the Web Enrollment role service installed can be,
but need not be, the CA server. A server configured for Web enrollment is called a
registration authority or a CA Web proxy.
Activity 11-6: Installing Web Enrollment
Time Required: 20 minutes
Objective: Install Web enrollment.
Description: You have several certificates that you don't want to use autoenrollment for and have
found that using the Certificates snap-in is cumbersome for users. You install the Certification
Authority Web Enrollment role service and test it by requesting a certificate from your Vista
computer. (If you want to test the configuration from your CA Server or domain controller, you
must enable IE to run ActiveX controls.)
1. Log on to Server1XX as Administrator and open Server Manager, if necessary.
2. In the left pane, click to expand the Roles node and then click Active Directory Certificate
Services. Click Add Role Services in the right pane.
3. Click Certification Authority Web Enrollment. When prompted, click Add Required Role
Services, and then click Next.
4. In the Web Server (IIS) window, click Next. In the Select Role Services window, click Next.
In the Confirm Installation Selections window, click Install.
5. When the installation is finished, click Close.
6. IIS must have a Web Server Certificate. To request one, click Start, point to Administrative
Tools, and click Internet Information Services (IIS) Manager.
7. In the left pane of IIS Manager, click the Server1XX node. In the middle pane, double-click
Server Certificates.
8. In the Actions pane, click Create Domain Certificate to start the Create Certificate Wizard.
In the Distinguished Name Properties window shown in Figure 11-13, fill in the following
information:
• Common name: server1XX.w2k8adXX.com
• Organization: Server 2008 AD Class
• Organizational unit: Your name
• City/locality: Your city
• State/province: Your state or province
• Country/region: Your country
9. Click Next. In the Online Certification Authority window, click Select, click
w2k8adXX-Server1XX-CA, and then click OK. In the Friendly name text box, type
server1XX.w2k8adXX.com, and then click Finish.
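A command-line counterpart to the certificate request in steps 6 through 9, added here as an example and not taken from the book: it builds the same subject fields into a certreq policy file, submits the request to the online CA, installs the issued certificate, and then lists it so you can check the issuer and expiry date. The WebServer template name, the CAHost\CAName config string assembled from the lab names, the file names, and the sample country code are assumptions.

```powershell
# Added example, not from the book. Run from an elevated prompt on Server1XX.
# XX is the lab's student-number placeholder; replace the sample subject values.
$fqdn     = 'server1XX.w2k8adXX.com'
$caConfig = 'server1XX.w2k8adXX.com\w2k8adXX-Server1XX-CA'  # assumed CAHost\CAName

# Step 8: the Distinguished Name Properties fields as a certreq policy file.
# C= must be a two-letter country code; US is a sample value.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn, OU=Your name, O=Server 2008 AD Class, L=Your city, S=Your state, C=US"
FriendlyName = "$fqdn"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path .\iis-cert.inf -Value $inf -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS #10 request.
certreq -new .\iis-cert.inf .\iis-cert.req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Step 9: submit to the online enterprise CA and save the issued certificate.
certreq -submit -config $caConfig .\iis-cert.req .\iis-cert.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

# Pair the issued certificate with the pending private key.
certreq -accept .\iis-cert.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Confirm what was installed: the subject should be the server FQDN and the
# issuer should be the lab CA.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" } |
    Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
```

Setting Exportable to FALSE keeps the server's private key from being exported from the machine store through the standard export tools; change it only if the lab requires moving the key to another host.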