Request, Issue and Install a server-side certificate – Windows 2003 server/IIS6

Written by stevey on September 6th, 2011

To use client certificates for authentication, first need to install a server-side certificate. The steps here were what I took to Request, Issue and Installed a server-side certificate for certificate auhtentication with Microsoft certificate Services and IIS6 in Windows 2003 environment:

  1. IIS6->Websites->Default website (at this point, verify the CertSrv is shown in as a Virtual directory under this site) – > Right click on Default website node and selected Properties ->Directory Security ->Server Certificate.
  2. If there is no certificate already installed on the server, click on Create New Certificate; as I already had certificates installed on my local machine, the only options at this point are “Renew the Current certificate”, “Remove the current certificate”,”Replace the current certificate”, “Export the current certificate to a .pfx file”, and “Copy or Move the current certificate to a remove server site”.
  3. For this project, I chose “Renew the current certificate“, and next
  4. Chose “Prepare the request now, but send it later” (default option) and next.
  5. Certificate request file name: leave as default at c:\certreq.txt
  6. Open the c:\certreq.txt file and copied the content to clipboard.The content is a big chunk of mumble-jumble ASCII letters like these: “—–BEGIN NEW CERTIFICATE REQUEST—–MIIDTDCCArUCAQAwcTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAM
  7. Now I went to http://localhost:8080/CertSrv and a page titled Microsoft Certificate Service came up (I had trouble to open this page from http://localhost/CertSrv initially but then realized my default website is not in http://localhost; rather my default website is configured to run from port 8080 instead of the default 80).
  8. Click on Request a certificate and select submit an advanced certificate request on next page
  9. There are two options on next page: “Create and submit a request to this CA.” and
    Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. “, selected the second one.
  10. Now paste the content from clipboard to the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) textarea or I could use the “Browse for a file to insert” feature. Then clicked Submit
  11. If submitted successfully, the next screen said, “Your certificate request has been received. However, you must wait for an administator to issue the certificate you requested..Please return to this web site in a day or two to retrieve your certificate.”
  12. Now I went to the CA MMC (Start – >Administrative Tools -> Certificate Authority) and I saw the request sitting under the “Pending Requests” folder. I right clicked on the request and Issued it (All Tasks -> Issue) and the request moved to Issued Certificates” folder
  13. Next step was to copy certifcate to a .cer file. To do that, double clicked on the Requested certificate to view it, clicked on Details tab and Copy to a file. On “Export File Format” selected the “Base-64 encoded X.509 (.Cer) and saved to “c:\ServerCertificate.cer”
  14. Now I went into IIS6 ->Default website->Properties ->Directory Security -> Server Certificate ->Next – > select “Process the pending request and install the certificate” and opend the “c:\ServerCertificate.cer” file from “Process a Pending reqeust” screen
  15. Next screen asking about “SSL” port, leave it as default 444 and clicked Next, Next and Finish.

To verify that the server-side certificate was installed successfully, I went back to IIS6, picked a virtual directory, for example, “WcfSecure” and open “Properties” window->Directory Security->Edit (Under Secure Communication) and checked “Required secure channel (SSL), and for client certificates, selected “Accept client certificates” for now; then I browsed to a .svc file without https, such as http://localhost:8080/WcfSecured/Demo.svc; at this point I got browser error message asking me to add https to the address; so I changed to https://localhost:8080/WcfSecured/Demo.svc (or can be demo.aspx or demo.ashx page), and as expected, now the page showed correctly. That confirmed that the server-side certificate had been installed correctly. Next is to request and issue a client certificate so we can authenticate WCF Service client.


1 Comments so far ↓

  1. My brother recommended I might like this blog. He was totally right. This post actually made my day. You can not imagine simply how much time I had spent for this info! Thanks!

Leave a Comment