Configuring Non-Domain Windows IIS Servers to Use an Enterprise Certificate Authority
In this post I will discuss how Windows IIS servers that are not part of a domain can make use of certificates issued by a certificate authority (CA). In my example the certificates will be signed and issued by an enterprise CA that is a member of my Active Directory domain. All of the servers run Windows Server 2008 R2.
Exporting the Certificate Authority Root Certificate
Since we want to trust this CA from a server that is not a domain member, we need to manually export the CA's root certificate to a file. On the CA server, click Start, type CMD in the search box and press Enter. At the command prompt, type:
C:\> certutil -ca.cert ca_name.cer
The root CA certificate is now exported to the file “ca_name.cer”.
Importing the CA Root Certificate
Copy the CA certificate file you exported above to the non-domain server.
Now over on your non-domain server, click Start, type MMC and press Enter.
Select File from the menu, then choose Add/Remove Snap-in.
Highlight Certificates on the left, click Add so it appears on the right, then click OK.
Choose “Computer account”, then click Finish.
Back at Add or Remove Snap-ins click OK.
Back in the MMC, under Certificates (Local Computer), open Trusted Root Certification Authorities. Right-click the Certificates sub-folder and go to All Tasks > Import.
In the Certificate Import Wizard, click Next. On the “File to Import” page, select the certificate file that you exported earlier and click Next.
Accept the default selection to place the certificates in the Trusted Root store, then click Next.
The root certificate for your enterprise CA should now appear in your Trusted Root folder.
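Anything placed in the Trusted Root store is trusted for the whole machine, so it is worth confirming that the copied file really is your CA's certificate before importing it. The script below is an added example, not part of the original procedure: it checks the file against a thumbprint you read on the CA server itself (for example from the certificate's Details tab) and only then adds it to the same store the wizard uses. The parameter names and the file path are assumptions; it uses plain .NET classes so that it runs on the PowerShell version shipped with Windows Server 2008 R2.

```powershell
# Added example: verify an exported root CA certificate, then add it to the
# Local Computer "Trusted Root Certification Authorities" store.
# Run from an elevated PowerShell prompt on the non-domain server.
param(
    [Parameter(Mandatory=$true)][string]$CertPath,           # e.g. C:\temp\ca_name.cer (assumed path)
    [Parameter(Mandatory=$true)][string]$ExpectedThumbprint  # read on the CA server, not from the copied file
)

$ns = 'System.Security.Cryptography.X509Certificates'

# Load the file that was copied over from the CA server.
$fullPath = (Resolve-Path $CertPath).Path
$cert = New-Object "$ns.X509Certificate2" -ArgumentList $fullPath

# Normalise the expected value (a pasted thumbprint may contain spaces).
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint.ToUpper() -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
}

# A root certificate is self-issued (name comparison only, not a signature check).
if ($cert.Subject -ne $cert.Issuer) {
    throw "Subject and Issuer differ; this is not a root certificate."
}

# It must carry a Basic Constraints extension with CA set to true.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate is not marked as a certificate authority."
}

# Refuse a certificate that is outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not currently valid ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Add it to LocalMachine\Root, the store the import wizard selects by default.
$storeName = [System.Security.Cryptography.X509Certificates.StoreName]::Root
$storeLoc  = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$store = New-Object "$ns.X509Store" -ArgumentList $storeName, $storeLoc
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try     { $store.Add($cert) }
finally { $store.Close() }

Write-Output "Imported '$($cert.Subject)' with thumbprint $($cert.Thumbprint) into LocalMachine\Root."
```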