LessThanDot


    Introduction

    I had my intranet site self-signed before. But the problem with self-signing is that the user gets a warning.

    And of course we all click continue and then you get this.
    Which makes the address bar totally useless because gray on pink is not very readable.

    So I set out to fix it. And here is my story.

    Installation

    You should install Active Directory Certificate Services. Go to TechNet to learn how to do that for your server; I did.
    This should apparently be installed on your domain controller. And yes, I tried on a member server, and no, that was no success, so just listen to me.

    IIS

    Now go to your IIS Manager, click on your server and find the option Server Certificates.

    Then in the Actions menu select Create Domain Certificate.

    You will then see this.

    Be careful to fill in the correct common name. The common name should be the domain name of your website: the part that comes after https:// and before the next /.

    Then next.

    Then pick your authority service, if all went well that should be the one you installed on your domain controller.
    And give it a friendly name.

    Now go to your site and click on Bindings in the Actions thing.

    Select https as the type and set the port and select your certificate by its friendly name.

    The clients

    Now it's time to configure our clients.

    Since we are on a domain controller we can use a group policy for that.

    First we need to get the certificate.

    Now open MMC on your web server and add the Certificates snap-in for the computer account on the local machine.

    Then go to Personal and then Certificates. Right-click on your certificate and select Export.

    Remember where you parked it and copy it to your domain controller.

    Now open the Group Policy Management console.

    Click on your Default Domain Policy.

    Go to Computer configuration -> Policies -> Windows settings -> Security settings -> Public key policies -> Trusted Root Certification Authorities -> Take a deep breath.

    Now right click that and select import.

    Select your certificate that you exported a while ago and wait for the clients to replicate.

    Done.

    Now you get this.

    No, it's not fully trusted but it no longer gives a warning either.

    And Chris is happy.
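
A check to run on the exported file before importing it into the policy, plus a check to run on a client afterwards, as an added PowerShell example that is not part of the original post. The function names, file path and host name are assumptions. It reports whether the file carries a private key, whether its name matches the site, and whether it is a CA certificate or the server certificate itself, since whatever is imported in this step becomes a trusted root on every domain computer.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 or later.
function Test-ExportedCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,      # exported file copied to the domain controller
        [Parameter(Mandatory)] [string] $HostName   # the part of the URL after https://
    )
    # Loading without a password fails for a password-protected .pfx,
    # which is itself a sign that the export included the private key.
    $file = (Resolve-Path -Path $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # Common name, plus the subject alternative names extension (OID 2.5.29.17) if present
    $cn      = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }   # Windows renders entries as "DNS Name=host"

    # Basic constraints distinguish a CA certificate from a server certificate
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey = $cert.HasPrivateKey          # should be False for a file handed to Group Policy
        IsCA          = [bool]($bc -and $bc.CertificateAuthority)
        # Exact match only; wildcard names are not evaluated here
        NameMatches   = ($cn -eq $HostName) -or
                        ($sanText -match [regex]::Escape("DNS Name=$HostName"))
    }
}

# Run on a client after the policy has been applied: is the certificate in the
# computer's Trusted Root Certification Authorities store?
function Test-TrustedRootDeployed {
    param([Parameter(Mandatory)] [string] $Thumbprint)
    Test-Path -Path "Cert:\LocalMachine\Root\$Thumbprint"
}

# Usage with constructed placeholder values:
#   $r = Test-ExportedCertificate -Path 'C:\Temp\intranet.cer' -HostName 'intranet.example.local'
#   $r | Format-List
#   Test-TrustedRootDeployed -Thumbprint $r.Thumbprint    # on a domain client
```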

    Conclusion

    This is here for my own reference.

    About the Author

    Chris is awesome.