Introduction

I had my intranet site self-signed before. But the problem with self-signing is that the user gets a warning.

And of course we all click continue and then you get this.

Which makes the address bar totally useless because gray on pink is not very readable.

So I set out to fix it. And here is my story.

Installation

You should install the Active Directory Certificate Services role. Go to TechNet to learn how to do that for your version of Windows Server; I did.

It has to be an Enterprise CA (not a standalone one), which means a domain-joined machine and an installing account with Enterprise Admin rights; in my case that ended up being the domain controller. And yes, I tried on a member server and no, that was no success, so just listen to me.

IIS

Now go to your IIS Manager, click on your server and open Server Certificates.

Then in the Actions pane select Create Domain Certificate.

You will then see this.

Be careful to fill in the correct common name: it should be the host name of your website, the part of the URL that comes after https:// and before the next /. One caveat: current browsers match the host name against the Subject Alternative Name extension rather than the common name, and this wizard only fills in the common name, so a certificate made this way may still be rejected by a modern browser even though the name is right.

Then next.

Then pick your certification authority; if all went well that should be the one you installed on your domain controller.

And give it a friendly name.

Now go to your site and click on Bindings in the Actions pane.

Select https as the type, set the port (443 unless you have a reason not to) and pick your certificate by its friendly name.
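The same thing from PowerShell, as an added example that is not part of the original post: it requests the certificate from the Enterprise CA with a Subject Alternative Name (which the IIS wizard does not set), checks it, and creates the HTTPS binding. The host name, site name and template name are assumptions; the default WebServer template only works if your CA publishes it and the web server's computer account is allowed to enroll for it.

```powershell
# Added example, not code from the original post. Run on the web server as an administrator.
# Assumes: the PKI and WebAdministration modules are present, the Enterprise CA publishes the
# default "WebServer" template and this computer may enroll for it, and the site is "Default Web Site".
Import-Module PKI
Import-Module WebAdministration

$hostName     = 'intranet.corp.example'   # assumed: what users type after https://
$siteName     = 'Default Web Site'        # assumed: the IIS site name
$friendlyName = "Intranet ($hostName)"

# Request the certificate from the Enterprise CA over LDAP, which is what the IIS wizard does,
# but with a Subject Alternative Name: browsers match the host name against the SAN, not the CN.
$request = Get-Certificate -Template 'WebServer' `
                           -SubjectName "CN=$hostName" `
                           -DnsName $hostName `
                           -CertStoreLocation 'Cert:\LocalMachine\My' `
                           -Url 'ldap:'
if ($request.Status -ne 'Issued') {
    throw "Enrollment did not complete, status: $($request.Status)"
}
$cert = $request.Certificate
$cert.FriendlyName = $friendlyName

# Sanity checks before binding: the SAN really carries the host name and the chain builds here.
$sanExt = $cert.Extensions['2.5.29.17']
$san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($san -notmatch ('DNS Name=' + [regex]::Escape($hostName))) { throw "SAN does not contain $hostName ($san)" }
if (-not $cert.Verify()) { throw 'Certificate chain does not verify on the web server itself' }

# Create the HTTPS binding (port 443, host header, SNI on) if it is not there yet, then attach the cert.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Show what got bound: the issuer should be your Enterprise CA, not the server itself.
$cert | Select-Object Thumbprint, Subject, Issuer, NotAfter, FriendlyName
```

If Status comes back as Pending, the CA is set to require manual approval; issue the request in the Certification Authority console and run Get-Certificate -Request on the pending object to finish.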

The clients

Now it’s time to configure our clients.

Since the clients are all domain members, we can push the trust out with Group Policy.

First we need to get the certificate.

Now open MMC on your web server and add the Certificates snap-in for the Computer account on the local machine.

Then go to Personal -> Certificates. Right-click on your certificate and select All Tasks -> Export, and answer "No" when the wizard asks whether to export the private key; a .cer file with the public certificate is all the clients need.

Strictly speaking, the thing that belongs in a Trusted Root Certification Authorities store is the CA's own certificate, not the site certificate (you will find it under Trusted Root Certification Authorities on the web server once the chain has been built). Trusting the site certificate directly works too, but then you have to repeat this whole step every time the certificate is renewed.

Remember where you saved it and copy it to your domain controller.
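Here is the export step done in PowerShell, as an added example that is not from the original post. Instead of exporting the site certificate by hand it walks the site certificate's chain to find the CA certificate at the top and exports that (and, for completeness, the site certificate as well), both without a private key. The friendly name and output folder are assumptions.

```powershell
# Added example, not code from the original post. Run on the web server.
# Assumes the site certificate sits in the machine's Personal store under this friendly name.
Import-Module PKI
$friendlyName = 'Intranet (intranet.corp.example)'   # assumed: the friendly name from the IIS wizard
$outDir       = 'C:\Temp\certs'                       # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$site = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $friendlyName }
if (-not $site) { throw "No certificate with friendly name '$friendlyName' in Cert:\LocalMachine\My" }
if ($site.Count -gt 1) { $site = $site | Sort-Object NotAfter -Descending | Select-Object -First 1 }

# Walk the chain up to the trust anchor: your Enterprise CA, or the offline root if you run a two-tier PKI.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($site)) {
    throw ('Chain does not build on the web server: ' + (($chain.ChainStatus | ForEach-Object Status) -join ', '))
}
$caCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($caCert.Thumbprint -eq $site.Thumbprint) {
    throw 'The site certificate is self-signed; there is no CA certificate to hand out'
}

# Export-Certificate writes the public certificate only (DER .cer); the private key never leaves the box.
$caFile   = Join-Path $outDir 'intranet-ca.cer'
$siteFile = Join-Path $outDir 'intranet-site.cer'
Export-Certificate -Cert $caCert -FilePath $caFile   -Type CERT | Out-Null   # this is what belongs in Trusted Root
Export-Certificate -Cert $site   -FilePath $siteFile -Type CERT | Out-Null   # what the post imports instead

'{0}  ->  {1}' -f $caCert.Subject, $caFile
'{0}  ->  {1}' -f $site.Subject,   $siteFile
```

Copy intranet-ca.cer to the domain controller and import that one into the GPO; if the chain has three tiers, the middle certificate goes under Intermediate Certification Authorities in the same policy rather than Trusted Root.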

Now open the Group Policy Management console.

Right-click your Default Domain Policy and select Edit. (A dedicated GPO linked to the domain would be cleaner than editing the default one, but it works.)

Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities -> take a deep breath.

Now right-click that and select Import.

Select the certificate you exported a while ago and wait for Group Policy to refresh on the clients (or run gpupdate /force on one of them if you are impatient).
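To see whether the policy actually landed, here is a check to run on a domain-joined client, as an added example that is not part of the original post. It forces a policy refresh, looks for the pushed certificate in the machine's Trusted Root store, then does a real TLS handshake to the site and builds the chain with the same machine stores a browser uses. The host name and the CA's subject are assumptions.

```powershell
# Added example, not code from the original post. Run on a domain-joined client after the GPO exists.
$hostName       = 'intranet.corp.example'                  # assumed intranet host name
$expectedIssuer = 'CN=corp-DC01-CA, DC=corp, DC=example'   # assumed subject of the certificate you imported into the GPO

# 1. Refresh computer policy now instead of waiting for the background refresh interval.
gpupdate /target:computer /force | Out-Null

# 2. Did the GPO put the certificate into the machine's Trusted Root store?
$anchor = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $expectedIssuer }
if (-not $anchor) { throw "No certificate with subject '$expectedIssuer' in Cert:\LocalMachine\Root" }

# 3. Handshake with the site and judge the chain the way Windows does.
function Test-IntranetTls {
    param([string]$TargetHost, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # Accept anything during the handshake so it completes; the verdict comes from X509Chain below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }

    # NoCheck on revocation: an intranet CA's CRL is often unreachable from clients, and that would
    # hide the actual question here, which is whether the chain ends in a trusted root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)

    $sanExt = $leaf.Extensions['2.5.29.17']
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }

    [pscustomobject]@{
        Subject      = $leaf.Subject
        Issuer       = $leaf.Issuer
        NotAfter     = $leaf.NotAfter
        SanHasHost   = ($san -match ('DNS Name=' + [regex]::Escape($TargetHost)))
        ChainTrusted = $trusted
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        ChainRoot    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

$result = Test-IntranetTls -TargetHost $hostName
$result | Format-List
if (-not $result.ChainTrusted -or -not $result.SanHasHost) {
    Write-Warning 'Browsers on this client will still warn: the chain is untrusted or the host name is not in the SAN.'
}
```

ChainStatus is empty when everything is fine; UntrustedRoot means the policy has not applied (or the wrong certificate was imported), and a PartialChain with the site certificate as ChainRoot is what you get when you distributed the site certificate rather than the CA's.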

Done.

Now you get this.

No, it’s not fully trusted but it no longer gives a warning either.

And Chris is happy.

Conclusion

This is here for my own reference.