Access Denied: Obtaining a Server Certificate from Your Own CA

Configuring IIS to use HTTPS for a secure Web site requires you to install a server certificate. If you don't have a third-party Certification Authority from which to get a certificate, an alternative is to set up your own CA.

ITPro Today

September 19, 2004

3 Min Read
ITPro Today logo in a gray background | ITPro Today

I need to set up a secure extranet Web server so that we can exchange information with clients and contractors. When I try to configure Microsoft Internet Information Services (IIS) to use HTTPS for the site, IIS requires me to install a server certificate. I'm embarrassed to admit that management doesn't want to spend a couple hundred dollars to buy a Web Secure Sockets Layer (SSL) certificate from a third-party Certification Authority (CA) such as GeoTrust or VeriSign. Can I set up SSL on my server without installing a server certificate?

SSL requires a server certificate. However, you can set up your own CA, then obtain a certificate from it.

To set up a CA, simply install Certificate Services on an available server. Then, disconnect your Web server from the Internet and reconnect it to your internal LAN. (Although there is a way to request a certificate offline, I find this method easier unless I'm dealing with a server that hosts sites and that can't be taken down.) Open Microsoft Internet Explorer (IE), and enter the address of your CA followed by /certsrv (e.g., http://ca/certsrv) in the Address bar. IE will display the Microsoft Certificate Services Web page.

To request a certificate from your new CA, click the Request a certificate link. On the Request a Certificate page, click the advanced certificate request hotlink. Finally, click the Create and submit a request to this CA link. Be sure to enter the Web server's DNS name or IP address (depending on how you access the server from the Internet) in the Subject field. For Type of Certificate Needed, select Server Authentication or Computer, depending on which one appears. You can leave the other settings at their defaults.

After requesting the certificate from your Web server, log on to your CA and approve the request, which you'll find in the Pending Requests folder in the Microsoft Management Console (MMC) Certification Authority snap-in. Back at your Web server, browse to your CA again and click the View the status of a pending certificate request link. On the resulting page, you'll see the Web server's new certificate. When you install the certificate, install it in the computer's certificate store (not in your own certificate store) under PersonalCertificates.

Browse again to your CA's /certsrv page. This time, click Download a CA certificate, certificate chain, or CRL, click the Download CA Certificate link, and save the certificate to your Web server in a folder under Inetpub so that it will be accessible to Web-site users. Next, create a link in an appropriate place on your Web site so that users can install your CA's self-signed certificate as a trusted CA. Finally, configure IIS to use your Web server's new certificate (not the CA's self-signed certificate).

Now, when users browse to https://yourserver.com, they'll see a warning that your Web server is presenting a certificate signed by an untrusted CA. Instruct the users to let the Web page load proceed. After users log in to your site, have them click the link to your CA's certificate and let IE install the certificate in the Trusted Root Certification Authority store. Thereafter, users should no longer see the warning.

A word of caution: Keep the system your CA resides on secure. If you don't plan to issue new certificates in the near future, it's a good idea to disable the Certificate Services service.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like