In this post, learn how to deploy a standalone root Certificate Authority (CA) on a Windows Server 2025 machine that is not joined to Active Directory, and how to configure the web enrollment interface so clients can request certificates from a browser.
A standalone root CA is useful when:
- You only need certificates trusted by a limited set of machines.
- You don't want to obtain certificates from a commercial provider.
- You're preparing an offline root CA scenario (covered separately).
Install Active Directory Certificate Services (Standalone Root CA)
1. Open Server Manager.
2. Select Manage, then Add Roles and Features.
3. Choose Role-based or feature-based installation.
4. Select the local server.
5. Check Active Directory Certificate Services.
6. Click Add Features when prompted.
7. Click Next through the wizard until the **Role Services** page.
8. Select Certification Authority only.
9. Click Install and wait for completion.
Configure the Certification Authority
1. In Server Manager, click the notification flag.
2. Select Configure Active Directory Certificate Services.
3. Enter credentials.
4. On Role Services, ensure Certification Authority is selected.
5. For Setup Type, select Standalone CA.
6. Choose Root CA on the CA Type page.
7. Select Create a new private key.
8. Increase the key length to 4096 and accept the other defaults.
9. Accept the default CA name (or customize it if desired).
10. Keep the default certificate validity period (5 years).
11. Accept the default database locations.
12. Confirm the configuration and allow it to complete.
13. Open the Certification Authority console from Tools to verify the CA was created.
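The same role installation and CA configuration as one unattended script, added here as an example that is not part of the original post: it uses the ADCSDeployment cmdlets with the choices made in the wizard above (standalone root, 4096-bit RSA key, 5-year validity, default name and database paths) and then checks that the service runs and the self-signed root is in the machine's Trusted Root store. The CA name derived from the hostname is an assumption (it is what the wizard proposes by default); run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): unattended equivalent of the
# Server Manager steps above. Run in an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

# Install the role service only (no web enrollment yet), with the MMC tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Configure a standalone root CA. The values mirror the wizard choices in the
# post: 4096-bit RSA, SHA-256, 5-year validity, default database locations.
$caName = "$env:COMPUTERNAME-CA"   # assumption: the wizard's default CA name
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Verify: the service is running and the self-signed root landed in the
# machine's Trusted Root store with the expected key size.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is not running: $($svc.Status)" }

$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq "CN=$caName" -and $_.Issuer -eq $_.Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $root) { throw "Root CA certificate for $caName not found in LocalMachine\Root" }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($root)
if ($rsa.KeySize -ne 4096) { throw "Unexpected key size: $($rsa.KeySize)" }

$years = ($root.NotAfter - $root.NotBefore).Days / 365
"CA '{0}' installed: {1}-bit RSA, valid ~{2:N1} years, thumbprint {3}" -f `
    $caName, $rsa.KeySize, $years, $root.Thumbprint
```

The thumbprint printed at the end is the value to distribute to the machines that should trust this root; nothing else on the CA host needs to leave the box.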
Create an SSL Certificate for Web Enrollment
The CA certificate itself does not include subject alternative names (SANs), so you need a separate SSL certificate for the website; otherwise web enrollment will throw errors.
1. Open PowerShell and change to the root directory.
2. Create and enter a temp folder.
3. Use Notepad to create servercert.inf with details similar to:
```
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject="CN=ws25-sa-ca"
KeyLength=2048
KeySpec=1
KeyUsage=0xA0
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
RequestType=PKCS10
FriendlyName="IIS Server Cert"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ws25-sa-ca"
; Add more if needed, e.g. _continue_ = "&dns=..." for additional DNS names
```
4. Save the file.
5. Run certreq -new, specifying the INF file and an output .req file:
```
certreq -new C:\temp\servercert.inf C:\temp\servercert.req
```
6. Submit the request:
* Run `certreq -submit` with the request file:
```
certreq -submit -attrib "CertificateTemplate:WebServer" C:\temp\servercert.req C:\temp\servercert.cer
```
* Select the standalone CA when prompted.
* The request will show as **Pending**.
7. Open the Certification Authority console.
8. Under Pending Requests, right-click the request and select All Tasks → Issue.
9. Retrieve the certificate:
* Use `certreq -retrieve` with the request ID and an output `.cer` file:
```
certreq -retrieve 2 C:\temp\servercert_issued.cer
```
10. Install the issued certificate with `certreq -accept` or by double-clicking it:
```
certreq -accept C:\temp\servercert_issued.cer
```
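Steps 3 through 10 above as one script, added here as an example that is not part of the original post. It writes the post's INF from a here-string, generates and submits the request with `certreq`, issues the pending request from the command line with `certutil -resubmit` (the equivalent of All Tasks → Issue in the console), retrieves and installs the certificate, and finally checks that the installed certificate really carries the DNS SAN the web enrollment site needs, which is the whole reason for this section. The hostname and the `host\CA-name` config string are assumptions; run it in an elevated PowerShell session on the CA host.

```powershell
# Added example (not from the original post): scripted version of steps 3-10
# above. Run in an elevated PowerShell session on the CA host.
$ErrorActionPreference = 'Stop'
$hostName = 'ws25-sa-ca'                               # from the post's INF
$caConfig = "$env:COMPUTERNAME\$env:COMPUTERNAME-CA"   # assumption: "<host>\<CA name>"
$work     = 'C:\temp'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# The INF from the post as a here-string. The SAN extension (2.5.29.17) is
# the point of the exercise: the CA certificate has none, this one must.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject="CN=$hostName"
KeyLength=2048
KeySpec=1
KeyUsage=0xA0
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
RequestType=PKCS10
FriendlyName="IIS Server Cert"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName"
"@ | Set-Content -Path "$work\servercert.inf" -Encoding ASCII

# Generate the key pair in the machine store and the PKCS#10 request.
certreq -new "$work\servercert.inf" "$work\servercert.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Submit. -config names the CA so no picker dialog appears. A standalone CA
# leaves the request pending, so parse the RequestId from the output rather
# than relying on the exit code.
$submit = certreq -submit -config $caConfig "$work\servercert.req" "$work\servercert.cer" | Out-String
if ($submit -notmatch 'RequestId:\s*"?(\d+)') { throw "No RequestId in output:`n$submit" }
$requestId = [int]$Matches[1]

# Issue the pending request (the console's All Tasks -> Issue), then fetch it
# and install it into LocalMachine\My, where IIS will look for it.
certutil -resubmit $requestId | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -resubmit $requestId failed" }
certreq -retrieve -config $caConfig $requestId "$work\servercert_issued.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed" }
certreq -accept "$work\servercert_issued.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }

# Check: the installed certificate has its private key in the machine store
# and carries the DNS SAN that browsers will match against the hostname.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'IIS Server Cert' -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate with private key not found in LocalMachine\My' }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch "DNS Name=$hostName") {
    throw "Certificate lacks the expected SAN dns=$hostName"
}
"Issued request {0}: {1} (thumbprint {2})" -f $requestId, $cert.Subject, $cert.Thumbprint
```

The script leaves out the `-attrib "CertificateTemplate:WebServer"` shown in step 6: a standalone CA does not process certificate templates, so that attribute has no effect there and everything the certificate contains (subject, EKU, SAN) comes from the INF.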
Install the Web Enrollment Role
1. Open Add Roles and Features again in Server Manager.
2. Click Next until the Server Roles page.
3. Expand Active Directory Certificate Services.
4. Select Certification Authority Web Enrollment.
5. Click Next and proceed. This also installs IIS automatically.
6. When finished, click Close.
7. Run Configure Active Directory Certificate Services again.
8. Select Certification Authority Web Enrollment and click Configure.
Bind the SSL Certificate in IIS
1. Open IIS Manager.
2. Select Default Web Site.
3. In the Actions pane, choose Bindings.
4. Click Add.
5. Set Type to https.
6. Enter the server's hostname.
7. Select the SSL certificate you issued earlier (e.g., `IIS Server Cert`).
8. Click OK and close IIS Manager.
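The two preceding sections (installing the web enrollment role and binding the certificate in IIS) as one script, added here as an example that is not part of the original post. It installs and configures web enrollment with the ADCSDeployment cmdlets, selects the certificate by the friendly name set in the INF, creates the https binding through the WebAdministration module, and then performs two checks a practitioner would want before pointing clients at the site: the bound certificate's SAN covers the hostname, and `/certsrv` answers over HTTPS. The hostname is an assumption; run it in an elevated PowerShell session on the CA host.

```powershell
# Added example (not from the original post): scripted equivalent of the
# "Install the Web Enrollment Role" and "Bind the SSL Certificate in IIS"
# sections, plus a check that the site answers over HTTPS. Elevated session.
$ErrorActionPreference = 'Stop'
$hostName = 'ws25-sa-ca'          # assumption: host named as in the INF
$siteName = 'Default Web Site'

# Role install + configuration (pulls in IIS automatically).
Install-WindowsFeature -Name ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsWebEnrollment -Force

# Pick the SSL cert issued earlier by friendly name; fail loudly if it is
# missing or lacks a private key rather than silently binding the wrong one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'IIS Server Cert' -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable 'IIS Server Cert' in LocalMachine\My" }

# Add the https binding and attach the certificate through the IIS: drive.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath -Force }
New-Item -Path $sslPath -Value $cert | Out-Null

# Check 1: the bound certificate's SAN covers the hostname clients will type.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch "DNS Name=$hostName") {
    throw "Bound certificate has no SAN entry for $hostName"
}

# Check 2: /certsrv answers over HTTPS. Windows authentication is on, so pass
# the current credentials. The chain validates here because the root CA is
# in this machine's Root store; clients need that root installed as well.
$resp = Invoke-WebRequest -Uri "https://$hostName/certsrv/" -UseDefaultCredentials -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "Unexpected status $($resp.StatusCode)" }
"Web enrollment reachable at https://$hostName/certsrv (cert $($cert.Thumbprint))"
```

If the second check fails with a certificate error on a client rather than on the CA host, the client is missing the root CA certificate in its Trusted Root store; the binding itself is fine.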
Access the Web Enrollment Page
1. Open a browser.
2. Navigate to:
`https://<server-hostname>/certsrv`
Example:
`https://WS25-SA-CA/certsrv`
3. The Certificate Enrollment web interface should now load securely.