Certificate Services in a Non-Active Directory Environment: Installation and Issuing Certificates (272555)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
This article was previously published under Q272555

IN THIS TASK

SUMMARY

This step-by-step article describes how to install and configure a Certificate Server in a non-Active Directory environment. It includes step-by-step instructions for installing the server and client certificates.

back to the top

Install the Certificate Server

To install a Certificate Server on your Windows 2000 server:
  1. Click Start, point to Settings and then click Control Panel.
  2. In Control Panel, double-click Add/Remove Programs.
  3. Click Add/Remove Windows Components to start the Windows Component Wizard.
  4. In the Windows Component Wizard, click to select theCertificate Services check box.
  5. Click Yes to confirm that this computer can no longer be renamed and cannot change domain membership.
  6. Click Next.
  7. Click Remote administration mode, and then click Next.
  8. Click Stand-alone root CA, and then click Next.
  9. Type the CA name for your organization, type any additional information you may require, and then click Next.
  10. Click Next.
  11. Click OK to stop the Internet Information services.
    Note You may be prompted for your Windows 2000 CD-ROM.
  12. When the Windows Components Wizard has completed, click Finish.
back to the top

Create an MMC Snap-in to Administer the Certificate Server

To add the Microsoft Management Console (MMC) snap-in to administer Certificate Services:
  1. Click Start, and then click Run.
  2. In the Open box, type MMC, and then press ENTER.
  3. On the Console menu, click Add/Remove Snap-in.
  4. Click Add.
  5. In the Add Standalone Snap-in dialog box, click Certification Authority, and then click Add.
  6. Click Local computer, and then click Finish.
  7. Click Close.
  8. Click OK.
  9. Click Console, and then click Save As.
  10. Type a name, and then click Save.
back to the top

Create a Certificate Request for an IIS Web Site

To request a Web site certificate from the Certificate Services Server:
  1. Start Internet Services Manager.
  2. Double-click your IIS Server.
  3. Right-click the Web site where you want to install the certificate, and then click Properties.
  4. Click Directory Security.
  5. Click Server Certificate to start the Web Server Certificate Wizard.
  6. Click Next.
  7. Click Create a new certificate, and then click Next.
  8. Click Next.
  9. Type a name for the certificate, and then click Next.
  10. Type your organization name and organizational unit, and then click Next.
  11. In the Common name box, type a name for your site by using your computer DNS or NetBIOS name, and then click Next.
  12. Complete the Geographical Information page, and then click Next.
  13. Leave the default name for the certificate request, note the name and location of this file, and then click Next.
  14. Click Next.
  15. Click Finish.
  16. Click OK.
back to the top

Submit the Certificate Request Using Certificate Services

To submit the certificate request that you created in the previous procedure you must submit it to Certificate Services. Certificate Services then issues a certificate that you can install on your Web site. To do this:
  1. Start Microsoft Internet Explorer, and then locate the following URL

    http://CertificateServerComputerName/certsrv

    where CertificateServerComputerName is the name of your Certificate Services server.
  2. Click Request a Certificate, and then click Next.
  3. Click Advanced Request, and then click Next.
  4. Click Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file, and then click Next.
  5. Put the contents of the certificate request file that you created in the previous procedure on the Submit A Saved Requests page. Only put the text that appears between the following two lines: 
    -----BEGIN NEW CERTIFICATE REQUEST-----
    
-----END NEW CERTIFICATE REQUEST-----

    Note Do not include the BEGIN and END lines. Only use the text that appears between them.
  6. Click Submit.
  7. The Certificate Pending page appears and states: Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested. Please return to this web site in a day or two to retrieve your certificate.

    Note: You must return with this web browser within 10 days to retrieve your certificate

    Your certificate request has been submitted.
back to the top

Approve the Certificate Request

To approve the certificate request, you must manually approve the request by using the Certificate Services MMC that you previously created:
  1. Start the Certificate Services console that you created in the "Create an MMC Snap-in to Administer the Certificate Server" section of this article.
  2. Double-click Certification Authority (local), and then double-click your server.
  3. In the right pane, double-click Pending Requests.
  4. In the right pane, right-click the request, point to All Tasks, and then click Issue.
back to the top

Download and Install the Certificate

To install the approved certificate, you must first download it from Certificate Services and then install it on your computer:
  1. Start Internet Explorer, and then locate the following URL

    http://CertificateServerComputerName/certsrv

    where CertificateServerComputerName is the name of your Certificate Services server.
  2. Click Check on pending certificate, and then click Next.
  3. Click the request you submitted, and then click Next.
  4. Click Download CA certificate.
  5. In the File Download dialog box, click Save this file to disk, and then click OK.
  6. Specify the location to save the file, and then click Save.
  7. Click Open.
  8. In the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard.
  9. Click Next.
  10. Click Automatically select the certificate store based on the type of certificate, and then click Next
  11. Click Finish.
  12. Click OK to confirm the import.
  13. Click OK.
back to the top

Request a Client Certificate

To request a client certificate:
  1. Start Internet Explorer, and then locate the following URL

    http://CertificateServerComputerName/certsrv

    where CertificateServerComputerName is the name of your Certificate Services server.
  2. Click Request a Certificate, and then click Next.
  3. Click Web Browser Certificate, and then click Next.
  4. Complete the Identifying Information boxes, and then click Submit.
    Note Required fields can be determined by the Certificate Services administrator.
  5. The Certificate Pending page appears and states: Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested. Please return to this web site in a day or two to retrieve your certificate.

    Note: You must return with this web browser within 10 days to retrieve your certificate

    Your certificate request has been submitted.
back to the top

Approve the Client Certificate

To approve the client certificate request:
  1. Start the Certificate Services console that you created in the "Create an MMC Snap-in to Administer the Certificate Server" section of this article.
  2. Double-click Certification Authority (local), and then double-click your server.
  3. In the right pane, double-click Pending Requests.
  4. In the right pane, right-click the request, point to All Tasks, and then click Issue.
back to the top

Install the Certificate on the Client Computer

To install the client certificate:
  1. Start Internet Explorer, and then locate the following URL

    http://CertificateServerComputerName/certsrv

    where CertificateServerComputerName is the name of your Certificate Services server.
  2. Click Check on pending certificate, and then click Next.
  3. Click the request that you submitted, and then click Next.
  4. Click Install this certificate.
  5. The Certificate Installed page appears and states: Your new certificate has been successfully installed.
back to the top

REFERENCES

For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:

228836 Installing a New Certificate with Certificate Wizard for Use in SSL/TLS

324069 HOW TO: Set Up an HTTPS Service in IIS

back to the top
Modification Type:MajorLast Reviewed:2/26/2003
Keywords:kbhowto kbHOWTOmaster KB272555
©2002 Microsoft Corporation. All rights reserved.