When server certificates are for internal use, you can create a local certification authority (CA) and avoid purchasing a commercial certificate.

To set up a local certification authority

  1. Open Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components.

  4. Double-click Application Server.

  5. Double-click Internet Information Services (IIS).

  6. Double-click World Wide Web Service.

  7. Select Active Server Pages.

  8. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.

  9. Select Certificate Services. Review the warning regarding the computer name and domain membership. Click Yes in the warning dialog box if you want to continue, and then click Next on the Windows Components page.

  10. On the CA Type page, choose one of the following, and then click Next:

    • Enterprise root CA. An enterprise root CA must be installed on a domain member. The enterprise root CA will automatically issue certificates when requested by authorized users (that are recognized by the domain controller).

    • Stand-alone root CA. A stand-alone root CA requires that the administrator issue each requested certificate.

  11. On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.

  12. On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next.

  13. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

Note:
This procedure also installs the services that enable computers to obtain certificates through a Web page. If you prefer a different approach for obtaining certificates for computers, you do not need to perform the Internet Information Services (IIS) and Active Server Pages installations described in this procedure. To allow access to the CA Web site, you must publish it. To limit access to the Web site, you can publish only the specific folders needed from the Web site to a specific set of users, rather than publishing the complete server to all users. For more information about Web publishing, see Planning for publishing.

To install a server certificate

  1. Open Internet Explorer.

  2. From the menu, select Tools, and then select Internet Options.

  3. Select the Security tab, and in Select a zone to view or change security settings, click Trusted Sites.

  4. Click the Sites button to open the Trusted sites dialog box.

  5. In Add this website to the zone, provide the name of the certificate server Web site (http://IP address of certification authority server/certsrv), and then click Add.

  6. Click Close to close the Trusted sites dialog box, and then click OK to close Internet Options.

  7. Browse to:

    http://IP address of certification authority server/certsrv

  8. Request a certificate.

  9. Select Advanced Certificate Request.

  10. Select Create and submit a request to this CA.

  11. Complete the form and select Server Authentication Certificate from the Type drop-down list. To prevent the client from receiving an error message when trying to connect, it is critical that the common name you provide for the certificate matches the published server name, as follows:

    • For server publishing, in common name, type the fully qualified domain name (FQDN) for the server that you are publishing.

    • For Web publishing, for a certificate on the Forefront TMG computer, type the host name that external clients will type in their Web browser to access the Web site; for example, news.adatum.com.

    • For Web publishing, if you are also installing a server certificate on the Web server in addition to the certificate required on the Forefront TMG computer, the common name must be the host name that the Forefront TMG computer uses to send HTTP request messages to the Web server through the Web publishing rule. This name must be resolvable to the IP address of the Web server and may be the same as the FQDN of the Web server, such as webserver1.adatum.com.

    Note:
    For an explanation of the options available on the Advanced Certificate Request page, see Using Windows Server 2003 Certificate Services Web pages (http://www.microsoft.com).

  12. Select Store Certificate in the local computer certificate store and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.

  13. If you installed a stand-alone root CA, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA.

    1. Click Start, point to All Programs, point to Administrative tools, and then click Certification Authority to open the Microsoft Management Console (MMC) Certification Authority snap-in.

    2. Expand the CA_Name node, where CA_Name is the name of your certification authority.

    3. Click the Pending requests node, right-click your request, select All Tasks, and then select Issue.

  14. On the Forefront TMG computer, return to the Web page http://IP address of certification authority server/certsrv, and then click View status of a pending request.

  15. Click your request and choose Install this certificate.

  16. Verify that the server certificate has been properly installed by performing the following steps.

    1. Click Start, click Run, type mmc in the Open text box, and then click OK.

    2. In the Console1 window, click the File menu and then click Add/Remove Snap-in.

    3. In the Add or Remove Snap-in dialog box, select Certificates, and then click Add.

    4. On the Certificates snap-in page, select Computer account, and then click Next.

    5. On the Select Computer page, select Local computer, and then click Finish.

    6. In the Add or Remove Snap-in dialog box, click OK.

    7. In the console tree, expand the Certificates (Local Computer) node, expand Personal, click Certificates, and then double-click the new server certificate. On the General tab, there should be a note that says You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the certification authority (CA), and a note that says This certificate is OK.

    8. Close the Console1 window.

Note:
This procedure is performed on the computer that requires the digital certificate. In the case of Web publishing, this will be the Forefront TMG computer, at a minimum, and may also include the Web server computer. In the case of server publishing, this will be only the server computer that you are publishing. If you installed a stand-alone root CA rather than an enterprise root CA, there are also actions that take place on the certification authority.

On a Forefront TMG computer, the server certificate obtained from a CA must be stored in the Personal certificate store of the Forefront TMG computer. The root certificate of the CA must be stored in the Trusted Root Certification Authorities store of the Forefront TMG computer.

For a client computer to trust the server certificates that you have installed from a local CA, it must have the root certificate of that CA installed. Follow this procedure on any client computer that requires the root certificate. Note that you can also transfer the root certificate on a medium such as a disk, and then install it on the client computer.

To install a root certificate

  1. Open Internet Explorer.

  2. From the menu, select Tools, and then select Internet Options.

  3. Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down menu to Medium, click OK to close the Security Settings dialog box, and then click OK to close the Internet Options dialog box.

    Note:
    Certificate installation is not possible when the security setting is set to High.

  4. Browse to:

    http://IP address of certification authority server/certsrv

  5. Click Download a CA Certificate, Certificate Chain, or CRL. On the next page, click Download CA Certificate. This is the root CA certificate that must be installed on the Forefront TMG computer. In the File Download dialog box, click Open.

  6. On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard.

  7. On the Welcome to the Certificate Import Wizard page, click Next. On the Certificate Store page, select Place all certificates in the following store and click Browse. In the Select Certificate Store dialog box, select Show Physical Stores. Expand Trusted Root Certification Authorities, select Local Computer, and then click OK. On the Certificate Store page, click Next.

  8. On the Completing the Certificate Import Wizard page, review the details, and then click Finish.

  9. Verify that the root certificate was properly installed by performing the following steps.

    1. Open the Microsoft Management Console (MMC) Certificates (local computer) snap-in.

    2. Expand the Trusted Root Certification Authorities node, click Certificates, and verify that the root certificate is in place.

  Note:
  You can also install certificates on a computer from the MMC Certificates (Local Computer) snap-in. However, this provides access only to certification authorities in the same domain.
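As an added example, not part of this documentation, the following PowerShell performs both verification steps from the command line instead of the MMC snap-in: step 16 of "To install a server certificate" (private key present, name matches the published host name, certification path OK) and step 9 of "To install a root certificate" (CA root present in Trusted Root Certification Authorities). The host name and CA name passed at the end are placeholders; substitute the values you used in the procedures.

```powershell
# Added example, not from the Forefront TMG documentation. Assumes the server
# certificate is in Cert:\LocalMachine\My and the CA root in Cert:\LocalMachine\Root,
# as the procedures above require. Run it on the computer that holds the server certificate.
function Test-PublishedServerCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$ExpectedHostName,  # name clients connect to, e.g. news.adatum.com
        [Parameter(Mandatory=$true)][string]$CaName             # common name given to the CA during setup
    )

    # Root-certificate check: a self-signed certificate with the CA's name must be in Trusted Root CAs.
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
        $_.Subject -match "CN=$([regex]::Escape($CaName))(,|$)" -and $_.Subject -eq $_.Issuer
    } | Select-Object -First 1
    if (-not $root) { Write-Warning "CA root '$CaName' is not in Trusted Root Certification Authorities" }

    # Server-certificate check: find the certificate whose Subject CN or Subject Alternative Name
    # (OID 2.5.29.17) equals the published host name; a mismatch causes the client error the page warns about.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        ($_.Subject -match "CN=$([regex]::Escape($ExpectedHostName))(,|$)") -or
        ($san -and $san.Format($false) -match "DNS Name=$([regex]::Escape($ExpectedHostName))(,|$)")
    } | Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate for '$ExpectedHostName' in the Personal store"; return $null }

    # Build the path the Certification Path tab shows; ChainStatus names the reason for any failure
    # (untrusted root, expired certificate, revocation information unavailable, and so on).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey      # "You have a private key that corresponds to this certificate"
        NotAfter      = $cert.NotAfter
        ChainOk       = $chainOk                 # "This certificate is OK"
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        RootInStore   = [bool]$root
        RootMatchesCa = [bool]($root -and $chainRoot.Thumbprint -eq $root.Thumbprint)
    }
}

# Placeholder values; replace with the host name from step 11 and the CA common name from CA setup.
Test-PublishedServerCertificate -ExpectedHostName 'news.adatum.com' -CaName 'Adatum Local CA'
```

If ChainOk is false while RootInStore is true, ChainStatus tells you whether the problem is the certification path or something else such as expiry or revocation checking, which the MMC dialog reports less precisely.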

Copyright © 2009 by Microsoft Corporation. All rights reserved.