Abstract: In this short how-to we add an HTTPS (443) binding to an internal IIS web server, using a certificate issued by an internal Microsoft certification authority (MS CA) from an offline request.
1.) If you are installing the CA on Windows 2012 R2 with a GUI, start a Microsoft Management Console (MMC) on the server; otherwise start it on your management computer via:
2.) Click on “File” (A) -> “Add/Remove Snap-in…” (B)
3.) Select Certificates (A) and add (B) them to the selected snap-ins
4.) In the new dialog select “Computer account” (A) and press next (B)
5.) If you run the MMC on the server where you have installed the CA, select “Local Computer” (A); otherwise choose (B) and specify the computer name. After that, press Finish (C).
6.) When the snap-in is added (red box), press OK (A).
6.) Open the Personal -> Certificates store (A). Then choose “All Tasks” (B) -> Advanced Options (C) -> Create Custom Request (D)
7.) Press next to start the enrollment
8.) Make sure that the AD certification authority is detected. Press next here.
9.) Choose the Web Server template (this might be the default one or one you created). After that press next.
10.) Now click on properties.
11.) Now set the subject name: select Common name, type in the FQDN of the server, then press Add. Under Alternative name, select DNS, enter the FQDN and press Add. Alternatively, you can repeat the step in the alternative DNS section and enter an additional name (as seen in the screenshot).
12.) After that choose a folder where you can store the offline request.
12.) Now connect to your internal Microsoft CA, and start the “Submit new request” function.
13.) Select the *.req file you created before. If you get an error message about the maximum certificate validity period, check the solution here.
14.) After the *.req is processed by the CA, you are prompted to save the certificate.
15.) Now go back to the MMC connected to the computer where you need the certificate on. Expand the personal Certificates (A), then choose All Tasks (B) and click on Import (C).
16.) Select the cer file you saved and click on next
17.) Change the certificate store if needed and press on next
18.) Complete the certificate import wizard and click next for that.
19.) Now open IIS Manager on the server (or use the remote IIS Manager as explained here), go to the IIS site where you wish to use the certificate, and click on Edit Bindings in the action pane on the right side.
20.) Click on add (A) then select https (B), then select the certificate you created (C), then press D, then press E
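
The same procedure can be scripted with certreq.exe and the WebAdministration module. The following is an added example, not part of the original walkthrough; the host names, CA config string, site name and working folder are assumed placeholders, and it adds a check that the issued certificate has a private key and the expected DNS name before it is bound.

```powershell
# Added example; every name below is an assumed placeholder, not from the original post.
$fqdn     = 'web01.corp.example'                 # server FQDN (subject CN and first SAN)
$altName  = 'intranet.corp.example'              # additional DNS name
$caConfig = 'ca01.corp.example\Corp-Issuing-CA'  # "CAHost\CA name" of the internal MS CA
$site     = 'Default Web Site'                   # IIS site that gets the binding
$work     = Join-Path $env:TEMP 'iis-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Custom request: Web Server template, CN plus DNS SANs, key in the machine store.
# Exportable = FALSE is a choice made in this example, not a setting from the walkthrough.
@"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$altName"
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII
certreq.exe -new "$work\request.inf" "$work\request.req"

# "Submit new request": run this where the CA is reachable, then copy the .cer back.
certreq.exe -submit -config $caConfig "$work\request.req" "$work\server.cer"
if ($LASTEXITCODE -ne 0) { throw "CA did not issue the certificate (exit $LASTEXITCODE)" }

# Import: pairs the issued certificate with the pending private key in LocalMachine\My.
certreq.exe -accept -machine "$work\server.cer"

# Check before binding: private key present and the FQDN is in the SAN list.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$fqdn" }
if ($cert.DnsNameList.Unicode -notcontains $fqdn) { throw "SAN list does not contain $fqdn" }

# Edit Bindings: add https on 443 (if missing) and attach the certificate.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) { New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*' }
(Get-WebBinding -Name $site -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')
```

Run it from an elevated PowerShell session on the IIS server; WebServer is the short name of the built-in Web Server template, so substitute your own template name if you created one.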