Having created the certificate template and published it on the CA server, we now need to test it from a client computer to make sure enrollment actually works.
This page continues the previous part of the Windows Server 2019 Free Training series, in which the template was created and published.
Request a Certificate through MMC Console
We have created the new certificate template, added it to the CA console and made it available for issuance. Now it is time to test the template. Log on to one of the regular client computers. There are two standard ways to request a new certificate from a client computer. The first is the good old MMC console.
Run mmc.exe on the client, choose Add/Remove Snap-in from the File menu and select Certificates. When you pick the Certificates snap-in from the list and click Add, you are asked which certificate store you want to open.
The choices are the store for My user account, Service account or Computer account. Since we are testing the machine template we created and published in the CA console, we want the computer store.
We will test the new template on this same client computer, so select Computer account and click Next.
On the next page, keep the default option, Local computer, and click Finish. This opens the local machine certificate store inside the MMC. In newer operating systems such as Windows 8 and 10, as well as Windows Server 2012, 2012 R2, 2016 and 2019, there is a shortcut that opens the local computer certificate store directly.
Type certlm.msc in the Run dialog and MMC loads the required snap-in, already pointed at the local computer store.
This is the place to go whenever you install certificates on a computer or server. Inside the certificate store, the Personal folder is where certificates that belong to this machine (and have a private key on it) live.
Whether it is a machine certificate like the one we are requesting here or an SSL certificate for a web server, the computer's Personal store is the right place for it. If you click this folder, you will see that nothing is listed yet:
To submit a new certificate request to our CA server, right-click the Personal folder, then All Tasks, then Request New Certificate…. Let's go.
In the wizard that opens, click Next once.
The next page, Select Certificate Enrollment Policy, looks as if something needs to be configured, but for a domain member the default Active Directory Enrollment Policy is exactly what we want, so there is nothing to do here. Click Next. The wizard queries Active Directory and shows all certificate templates that are available for enrollment:
The Request Certificates page lists the available templates. This list is dynamic: its contents depend on the computer you are logged on to and on the permissions granted in each template. Remember that when I created the new certificate template I went to its Security tab and configured it.
On that tab we defined who and what can enroll for the new template. If we had granted Enroll to only a specific group of domain computers, the new DirectAccess Machine template would most likely not appear in the list above.
Since I configured this template so that all computers in the domain can enroll for it, I can see it here.
If you do not see your new template in this list, tick the Show all templates checkbox. This gives you the complete list of templates available on the CA server, with a description of each and, for the templates you cannot enroll for, an explanation of why they are unavailable (usually missing Enroll permission or a template that is not published on this CA).
Tick the template you need and click Enroll. The console spins for a few seconds while the CA server processes the request and issues the new certificate with the settings defined in the template.
When the process completes, the new machine certificate appears under Personal | Certificates in the MMC. Double-click the certificate to check its properties and make sure the settings you expect (subject, enhanced key usage, validity period) are present:
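The same request, and the checks worth doing on the result, can be done from PowerShell without the MMC. This is an added example, not part of the original tutorial; it assumes the template's name (not its display name) is "DirectAccessMachine", which you should confirm on the CA with `certutil -template`, and it must run in an elevated prompt because the local machine store requires administrator rights:

```powershell
# Added example: request a machine certificate from the enterprise CA with PowerShell
# and verify what was issued. Assumption: the template *name* is "DirectAccessMachine"
# (check with: certutil -template | findstr /i DirectAccess). Run elevated.
$templateName = 'DirectAccessMachine'

# Equivalent of Personal > All Tasks > Request New Certificate > Enroll.
# Get-Certificate (PKI module, Windows 8 / Server 2012 and later) uses the
# Active Directory enrollment policy by default, like the MMC wizard.
$result = Get-Certificate -Template $templateName -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    # 'Pending' means the template requires CA certificate manager approval.
    throw "Enrollment did not complete: status is '$($result.Status)'."
}
$cert = $result.Certificate

# 1. The private key must be present and bound to the certificate in this store.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in Cert:\LocalMachine\My.' }

# 2. Confirm it really came from the expected template. Version 2+ templates record
#    the template name/OID in the Certificate Template Information extension.
$tplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
$tplInfo = if ($tplExt) { $tplExt.Format($false) } else { '(no template extension; v1 template?)' }

# 3. The chain must build to a trusted root and revocation must be checkable,
#    otherwise relying parties (DirectAccess, IPsec, TLS) will reject the certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
    Template    = $tplInfo
    EKU         = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
    ChainValid  = $chainOk
    ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
} | Format-List
```

If ChainValid comes back false, the usual causes are a CRL distribution point the client cannot reach or a root that is not yet in the client's Trusted Root store; the ChainErrors field names which.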
Request a certificate through the web interface
The MMC is the usual way to request certificates, but there is another interface you can offer for enrollment. Whether it is available depends on how the CA server was built. When we installed the AD CS role, we made sure that both the Certification Authority and the Certification Authority Web Enrollment role services were selected.
That second role service is the one that matters here.
Without the Web Enrollment role service there is no web interface for our CA server, and the procedure in this section is not available. If your CA server lacks it, go to Server Manager and add the role service to the existing AD CS installation:
Once Certification Authority Web Enrollment is installed on the CA server, a website runs on the server that you can reach with a browser from inside your network. This website is especially useful when you want ordinary users to request certificates themselves.
It is worth giving those users short documentation or a walkthrough so they can follow the enrollment process on the website rather than in the MMC console.
The web interface also helps when you want computers outside the CA server's network to request certificates, because doing that through the MMC is difficult.
For example, a home user who needs a new certificate but has no full VPN tunnel will most likely find that the MMC console cannot reach the CA server at all, since MMC enrollment needs direct RPC access to the CA and Active Directory.
With the Web Enrollment role service in place, you can publish the site through a reverse proxy or firewall and let users submit certificate requests from anywhere. Bear in mind that this exposes a Windows-authenticated IIS application on your CA, so publish it only behind a reverse proxy that pre-authenticates users and restricts access to the certsrv path.
We go back to the client computer to test this website. This time, instead of opening the MMC, I open a browser and enter https://<CASERVER>/certsrv. In my example the exact address is https://CA1/certsrv :
Note that the URL starts with HTTPS. The website is set up to use HTTPS rather than HTTP because the enrollment pages refuse to complete a request over plain HTTP.
The reason is not that the issued certificate is secret (a certificate is public by design, and the private key is generated on the client and never leaves it), but that the request is submitted under your Windows credentials and must not be tampered with on the way to the CA.
HTTPS gives you both: the credentials and the request travel encrypted and integrity-protected. For this to work, IIS on the CA server needs an HTTPS binding with a server certificate for the CA's hostname; until that binding exists, https://CA1/certsrv will not load.
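The prerequisites described above (the Web Enrollment role service and an HTTPS binding for certsrv) can be checked and fixed on the CA server with the following script. This is an added example, not code from the original tutorial. It assumes the site is the IIS "Default Web Site", that a Server Authentication certificate for the CA's FQDN is already in the computer's Personal store, and it runs in an elevated PowerShell on the CA (CA1 in the text):

```powershell
# Added example: on the CA server, ensure Web Enrollment is installed, that
# https://<CA>/certsrv has a TLS binding, and that plain HTTP to certsrv is refused.
# Assumptions: site "Default Web Site"; a Server Authentication certificate for this
# host already exists in Cert:\LocalMachine\My. Run elevated.
$caFqdn   = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName   # e.g. CA1.corp.local
$siteName = 'Default Web Site'

# 1. Install the role service if missing (same as adding it in Server Manager).
if (-not (Get-WindowsFeature ADCS-Web-Enrollment).Installed) {
    Install-WindowsFeature ADCS-Web-Enrollment -IncludeManagementTools | Out-Null
    Install-AdcsWebEnrollment -Force | Out-Null      # creates the /certsrv virtual directory
}

# 2. Add an HTTPS binding if the site only listens on port 80.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    # Use a Server Authentication (EKU 1.3.6.1.5.5.7.3.1) certificate for this host.
    # Never reuse the CA's own signing certificate for TLS: it lacks that EKU and
    # the CA signing key should not be loaded into a web listener.
    $tlsCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$caFqdn*" -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $tlsCert) { throw "No Server Authentication certificate for $caFqdn in Cert:\LocalMachine\My; enroll one first." }

    New-WebBinding -Name $siteName -Protocol https -Port 443
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $tlsCert | Out-Null
}

# 3. Require SSL on the certsrv application so an http:// request is rejected (403)
#    instead of silently carrying Windows credentials in the clear.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$siteName/CertSrv" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 4. Verify from the server itself: HTTPS works, HTTP is refused.
$ok = Invoke-WebRequest -Uri "https://$caFqdn/certsrv/" -UseDefaultCredentials -UseBasicParsing
"HTTPS status: $($ok.StatusCode)"                    # expect 200
try {
    Invoke-WebRequest -Uri "http://$caFqdn/certsrv/" -UseDefaultCredentials -UseBasicParsing | Out-Null
    'HTTP was accepted: Require SSL is NOT in effect'
} catch { "HTTP refused as intended: $($_.Exception.Message)" }
```

Step 4 uses the server's own FQDN, so the HTTPS check also confirms that the certificate's name matches what clients will type; a name mismatch shows up here as a TLS error before any user sees it.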
Clicking Request a certificate opens the page for requesting a new certificate from the CA server. Users who come to the web interface are usually after a user certificate; computer certificates are better handled by autoenrollment through Group Policy, which issues them without any user interaction at all.
Since we want our users to log on and then request a User Certificate, on the next page click the User Certificate link:
If you are not after a user certificate and want to use the web interface for a machine certificate, a web server certificate or any other type, click the advanced certificate request link instead and follow the instructions on that page. The advanced page lets you pick the template yourself and also accepts a base64-encoded PKCS #10 request generated elsewhere.
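For the advanced request path, the usual workflow is to generate the key pair and a PKCS #10 request on the machine that will own the certificate, paste the request into the advanced page, and then install the answer. The following is an added example, not code from the original tutorial; the hostname client01.corp.local and the template name WebServer are placeholders, and the `-config` value for a direct submission must be your own CA's "server\CA name":

```powershell
# Added example: build a CSR with certreq (private key stays on this machine), submit it
# through the "Advanced certificate request" page or directly to the CA, then install the
# issued certificate. Placeholders: client01.corp.local, template WebServer, CA config.
$hostName = 'client01.corp.local'
$infPath  = "$env:TEMP\request.inf"
$csrPath  = "$env:TEMP\request.csr"
$cerPath  = "$env:TEMP\issued.cer"

# certreq INF: machine key, non-exportable, RSA-2048/SHA-256, with a SAN for the hostname.
# Comments in INF files start with ';' and must be on their own line.
@"
[NewRequest]
Subject = "CN=$hostName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
; key goes in the computer store, like the MMC request
MachineKeySet = TRUE
; a non-exportable key cannot be copied off this host
Exportable = FALSE
KeySpec = 1
; Digital Signature + Key Encipherment
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName"
"@ | Set-Content -Path $infPath -Encoding ASCII

# Generates the key pair and writes a base64 PKCS #10 request. The pending request is kept
# under Certificate Enrollment Requests in certlm.msc until the answer is accepted.
certreq -new $infPath $csrPath

# Option A (any network with HTTPS access to the CA): open the advanced request page, choose
# "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file", paste the
# contents of request.csr, select the template, and download the certificate as issued.cer.
#   Get-Content $csrPath | Set-Clipboard
# Option B (domain member with direct access to the CA): submit from the command line.
#   certreq -submit -config "CA1\YourCAName" -attrib "CertificateTemplate:WebServer" $csrPath $cerPath

# Join the issued certificate to its pending private key; it then appears under Personal > Certificates.
certreq -accept $cerPath

# Verify: private key present, SAN as requested, issued by our CA.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$hostName" } | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Issuer        = $_.Issuer
        HasPrivateKey = $_.HasPrivateKey
        SAN           = ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    }
}
```

Because the key is generated by certreq on the requesting host and marked non-exportable, the CA and the web page only ever see the public half; this is the property that makes the advanced request path safe to use from outside the domain.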
Clicking User Certificate and then Submit sends the request to the CA server, which issues the certificate and shows a link to install it.
Click Install this certificate.
This installs the issued certificate on your computer. As the screenshot shows, the website responds to the request and reports that the certificate was installed successfully.
I have also opened the current user's certificate store in the MMC (certmgr.msc) to confirm that the certificate really exists under Personal | Certificates: