Home > IIS, Windows > Configuring Non-Domain Windows IIS Servers to Use an Enterprise Certificate Authority

Configuring Non-Domain Windows IIS Servers to Use an Enterprise Certificate Authority

In this post I will discuss how Windows IIS servers that are not part of a domain can make use of certificates issued by a certificate authority (CA).  In my example the certificates will be signed and issued by an enterprise CA that is a member of my Active Directory domain.  All of the servers run Windows Server 2008 R2.

Exporting the Certificate Authority Root Certificate

Since we want to trust this CA from a non-domain member server we’ll need to manually export the root certificate for this CA to a file.  On the CA server click Start and type CMD in the search and press Enter.  Now at the command prompt type:

C:\> certutil -ca.cert ca_name.cer

The root CA certificate is now exported to the file “ca_name.cer”.

Importing the CA Root Certificate

Copy the file you created above exporting the CA certificate to the non-domain server.

Now over on your non-domain server, click Start, type MMC and press Enter.

Select File from the menu, then choose Add/Remove Snap-in.

Highlight Certificates on the left, click Add so it appears on the right, then click OK.

Choose “Computer account”, then click Finish.

Back at Add or Remove Snap-ins click OK.

Now back at the MMC under Certificates (Local Computer), open Trusted Root Certification Authority.  Right click the Certificates sub-folder, go to All Tasks > Import.

At the certificate import wizard click Next.  Then at the “File to Import” select the certificate file that you exported earlier and click Next.

Accept the default selection to place the certificates in the Trusted Root store, click Next.

The root certificate for your enterprise CA should now appear in your Trusted Root folder.

Pages: 1 2

Categories: IIS, Windows Tags: ,
  1. Peter
    October 26, 2011 at 10:35 am

    nice doc.

    Just one question i do not understand: When I give the common name how can I give the FQDN if my server is not a doamin member?

    thx Peter

  2. Olivier
    November 8, 2011 at 4:55 pm

    Thanks for posting,helped me a lot.
    Actually, I’m able to reach my IIS from a non-domain laptop ussing SSL…when no client certificate is required. If I require a client certificate, I’ll get a 403.7…
    As mentioned at the end of your post, I installed the server’s root certificate on my laptop but it doesn’t help.
    Any advise?



  3. February 13, 2012 at 3:17 pm

    (Create and Submit a request to this CA), I’ve used this function in the past to request my server certificates, it slicker and quicker. Is there a reason for me to do it the long way by using IIS to create the request if I can access my CA via the web?

  1. April 19, 2010 at 11:43 pm
  2. May 25, 2010 at 12:31 am
  3. November 22, 2011 at 9:12 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: