Using the web interface to request a new certificate
Sometimes, when requesting a new certificate, you may not have access to query certificate services directly by using a tool such as the MMC snap-in. Maybe you need to request a certificate for a non-Windows device by using a certificate signing request (CSR) that the device has provided. The CA web interface will allow us to do this. By enabling the web services portion of the CA role, we can turn on a website that runs on our CA server. This website can be accessed from inside the corporate network and could potentially even be published on the internet with a reverse proxy solution.
Because of its age and the fact that Microsoft don't seem particularly interested in maintaining the web interface, most of its functionality only works in Internet Explorer. However, Internet Explorer is a defunct web browser that shouldn't be used any more. As such, most of the functionality of the web interface (including this recipe in previous versions of this book) is no longer accessible. However, the most important function – the ability to request a certificate from a CSR – is still functional.
In this recipe, we'll access the web interface that is now running on the CA server where we installed the web services part of the CA role. We will use this website to request and acquire a certificate from a CSR.
Getting ready
Our Enterprise root CA is a Windows Server 2019 server that has the Active Directory Certificate Services role installed. When we installed and configured the role, we made sure to select the option for the web service so that we could make use of it to request a new certificate. We also need a CSR. Generally, a CSR is provided by a device or service that needs a certificate. For the purposes of this example, I have generated a dummy CSR from https://csrgenerator.com/.
How to do it…
We do not have to be logged into the CA server directly to complete this recipe. Here, we are logged into a Windows 10 machine in our environment. From this machine, perform the following steps:
- Open Internet Explorer and browse to http://<CAServerName>/CertSrv/. In our case, it is http://ca01.ad.cookbook.packt.com/CertSrv/. You should be asked to log in with a username and password – use your domain username and password to log in.
- Click on Request a certificate, and then advanced certificate request.
- For Base-64-encoded certificate request, paste your CSR. It should begin with the following:
-----BEGIN CERTIFICATE REQUEST-----
It should end with the following:
-----END CERTIFICATE REQUEST-----
- Under Certificate Template, choose Web Server. Then, click Submit.
- On the resulting page, you will be asked to download your new certificate. The format you want (DER or Base 64) will depend on the situation. Generally, the base64-encoded certificate is useful in more situations than the DER certificate.
Now, in your downloads folder, you should have a certificate that contains all the details from your CSR. You can confirm that it's the certificate you requested by opening the certnew.cer file that you just downloaded and looking at the different information tabs. You should see that the Issued to field shows your requested domain and that the Issued by field shows the appropriate CA.
How it works…
Running the web service on your CA server can be beneficial because it allows another method of requesting certificates. In this recipe, we were able to quickly open our CA's certificate request web page and walk through some simple steps. This enabled us to download a new certificate that we are planning to use with our web service.
Because our web server is inside the corporate network, we could have also accomplished this request right from the Certificates MMC console. However, if our web server had been in a different building separated by networking equipment and firewalls, this may not have been an option for us. Likewise, if we were trying to acquire a certificate from another machine that didn't have MMC access for one reason or another, this web service would be a nice way to accomplish the same task.