
How to enable “Active Directory Certificate Service” in Windows Server 2008 R2?

May 28, 2013

In this post I cover the steps for enabling “Active Directory Certificate Services” in Windows Server 2008 R2.

1. Open “Server Manager” on your Domain Controller and select the “Active Directory Certificate Services” role.

2. Click Next.

3. Click Next and select the role services to install.

4. Here I am selecting Enterprise as the setup type; click Next.

5. Select “Root CA” and click Next.

6. Select “Create a new private key” and click Next.

7. Enter the names and click Next (remember, this will be the Certification Authority name).

8. Set the validity period and click Next.

9. Configure the certificate database location and click Next.

10. Choose a certificate for SSL encryption (use the recommended option).

11. Click Next.

12. After enabling the web server role, it will automatically select the required role services.

13. Now we are done with the manual selections; just click Install and it will install the selected roles and role services.

Once the installation is complete we can see Active Directory Certificate Services in Server Manager.
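As an added example (not code from the original post), the same role services can be installed from PowerShell on Windows Server 2008 R2, and the CA certificate the wizard produced can be inspected to confirm that the choices made in steps 5 to 8 actually took effect. The ServerManager module and the ADCS-Cert-Authority / ADCS-Web-Enrollment feature names exist on 2008 R2; the CA name in the script is a placeholder for whatever was entered in step 7.

```powershell
# Added example, not code from the original post. Installs the same role
# services the wizard selects (steps 3 and 12) from PowerShell on Windows
# Server 2008 R2, then inspects the CA certificate the wizard created to
# confirm what was chosen in steps 5 to 8. Run in an elevated PowerShell on
# the server. Assumption: the CA name is a placeholder for the name entered
# in step 7.
Import-Module ServerManager

# Certification Authority plus web enrollment; the latter requires IIS, which
# is why the wizard asked about an SSL certificate in step 10.
Add-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment

# On 2008 R2 the CA itself is still configured by the wizard (steps 4 to 9).
# Once that is done, read the result off the CA certificate instead of
# trusting the screenshots.
function Test-RootCaCertificate {
    param([string]$CaName)

    # A root CA's certificate is self-signed and sits in the machine Personal store.
    $ca = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "CN=$CaName*" } |
        Select-Object -First 1
    if (-not $ca) { throw "No self-signed certificate named $CaName in LocalMachine\My" }

    $basic = $ca.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

    New-Object PSObject -Property @{
        Subject       = $ca.Subject                         # name from step 7
        Thumbprint    = $ca.Thumbprint                      # what other machines will be asked to trust
        IsCa          = [bool]($basic -and $basic.CertificateAuthority)
        HasPrivateKey = $ca.HasPrivateKey                   # false means the key from step 6 is missing
        KeySize       = $ca.PublicKey.Key.KeySize
        Signature     = $ca.SignatureAlgorithm.FriendlyName # sha1RSA was the 2008 R2 default
        ValidUntil    = $ca.NotAfter                        # validity period from step 8
        ValidYears    = [int](($ca.NotAfter - $ca.NotBefore).TotalDays / 365)
    }
}

Test-RootCaCertificate -CaName 'CONTOSO-ROOT-CA' | Format-List
```

Run the check after step 13; on 2008 R2 the wizard remains the way to configure the CA itself. The hash algorithm chosen on the step 6 page also signs every certificate the CA issues: sha1RSA was the 2008 R2 default, and SHA-1 signatures on issued certificates are rejected by current browsers, so SHA256 is the setting to prefer for a new CA. Note the Thumbprint value, because it is what you will want to compare against when the certificate is imported on other machines.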

Once that is done, for the trust to work we must take the CA certificate from the DC and import it into the Trusted Root Certification Authorities store on the local machine (the SharePoint server where we are trying to add a domain certificate).

First, take the certificate from the machine that has the AD Certificate Services role enabled. By default it is located here (the file extension is .crt):

C:\Windows\System32\CertSrv\CertEnroll

Once you have the certificate, go ahead and import it into the Trusted Root Certification Authorities store. To do that, follow these steps.

1. Start –> Run –> type “mmc”

2. This opens a console window; from the File menu select “Add/Remove Snap-in”.

3. Select the “Certificates” snap-in and add it.

4. Once that is done, import the certificate into “Trusted Root Certification Authorities”.

If you don’t do this, you may get the error below when you try to create a domain certificate in IIS 7.

“A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109”
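The mmc procedure above, as an added example that is not part of the original post, done from PowerShell with the checks a practitioner wants before trusting a root: the script verifies the .crt against a thumbprint obtained out of band, confirms it really is a self-signed CA certificate, imports it into the machine (not user) Trusted Root store, and reproduces the chain check that fails with 0x800b0109 (CERT_E_UNTRUSTEDROOT) while the root is untrusted. The file path and expected thumbprint are placeholders; the .crt is assumed to have been copied from the CA’s CertEnroll folder named in the post.

```powershell
# Added example, not code from the original post. Imports the root CA
# certificate into the machine's Trusted Root store after checking it, and
# reproduces the chain check that fails with 0x800b0109 (CERT_E_UNTRUSTEDROOT)
# when the root is not trusted. Run in an elevated PowerShell on the IIS /
# SharePoint server. Assumptions (placeholders): the .crt was copied from the
# CA's C:\Windows\System32\CertSrv\CertEnroll folder to the path below, and
# the expected thumbprint was read on the CA itself.
$crtPath            = 'C:\Temp\CONTOSO-ROOT-CA.crt'               # placeholder
$expectedThumbprint = '0000000000000000000000000000000000000000'  # placeholder

function Test-ChainToTrustedRoot {
    # Builds a chain the way the Windows trust provider does; a self-signed
    # root that is absent from Trusted Root yields Trusted=False / UntrustedRoot.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep CRL reachability out of the trust question
    $ok = $chain.Build($Certificate)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    if ($status.Count -eq 0) { $status = @('NoError') }   # ChainStatus is empty on success
    New-Object PSObject -Property @{ Trusted = $ok; Status = ($status -join ', ') }
}

function Import-VerifiedRootCa {
    param([string]$Path, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Anything placed in Trusted Root is trusted for every purpose, so refuse
    # the file unless it is the exact certificate obtained out of band ...
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint $($cert.Thumbprint) does not match the expected value; not importing"
    }
    # ... and unless it actually is a self-signed CA certificate.
    $basic = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($cert.Subject -ne $cert.Issuer -or -not $basic -or -not $basic.CertificateAuthority) {
        throw "$($cert.Subject) is not a self-signed CA certificate; not importing"
    }

    # Machine store, not the current user's: IIS and SharePoint run as services
    # and never see the user's certificate stores.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
    $store.Close()
    $cert
}

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crtPath
"Before import: " + (Test-ChainToTrustedRoot $root).Status   # UntrustedRoot on a server that has not trusted the CA yet
Import-VerifiedRootCa -Path $crtPath -ExpectedThumbprint $expectedThumbprint | Out-Null
"After import:  " + (Test-ChainToTrustedRoot $root).Status   # NoError
```

Two things worth knowing when following the mmc steps instead: when adding the Certificates snap-in, pick “Computer account” rather than “My user account”, for the same reason the script uses the LocalMachine store; and the one-line equivalent of the import is `certutil -addstore Root <file>.crt`. Also note that a member of the domain normally receives an Enterprise Root CA’s certificate automatically through Active Directory and Group Policy, so the manual import is mainly needed on machines that are not domain-joined or that have not yet refreshed policy (`gpupdate /force`).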
