How to Request a Certificate From Windows ADCS?

By Arunkl. Published in TheSecMaster, Sep 7, 2022.

A certificate is one of the obvious choices for verifying the identity of a user, machine, server, service, application, and many other things in the digital world. The ideal process to get a digital certificate is: create a CSR (Certificate Signing Request), submit the CSR to a CA (Certificate Authority), and download the certificate after the CA issues it. We have covered the first part, creating a CSR, in another article. In this article, we cover how to request a certificate from Windows ADCS. You can request a certificate from any other Certificate Authority as well; we are using Microsoft’s ADCS (Active Directory Certificate Service) for demonstration purposes. The idea behind the process remains the same.

Table of Contents

· What Is Microsoft ADCS (Active Directory Certificate Service)?
· To Request a Certificate From Windows ADCS:
  1. Generate a CSR
  2. Request a New Certificate From ADCS
  3. Check the Status of the Pending Certificate Request
  4. Download a CA Certificate, Certificate Chain or CRL

What Is Microsoft ADCS (Active Directory Certificate Service)?

Microsoft Active Directory Certificate service is a CA (Certificate Authority) used to issue certificates to meet the internal certificate needs for secure communication.

Users can request a certificate for the Web browser, e-mail client, Remote Desktop Connections, and any applications or services from ADCS. You can request a certificate for pretty much anything. ADCS supports all standard and custom templates to issue certificates.

To Request a Certificate From Windows ADCS:

There are four major tasks that a user has to perform on their end to get the certificate.

  1. Generate a CSR.
  2. Requesting a new certificate.
  3. Check the status of the pending certificate request.
  4. Download the certificate, certificate chain, or CRL.

1. Generate a CSR:

Follow the procedure written in the article to create a custom CSR: Step-by-step procedure to create a custom CSR on a Windows Server!

2. Request a New Certificate From ADCS:

  1. Browse the CA page in the browser: https://yourcaserver/certsrv
  2. You will see a welcome page like the one shown here.
  3. Select “Request a Certificate”.

Welcome page of the Microsoft Certificate Authority to request a certificate

  4. You can request a certificate in either of the two ways described below:

Requesting a certificate in Microsoft CA

Create and submit a new certificate request with the available templates
The Certificate Authority has some pre-defined templates with which certificates can be requested. Use this option only when the requirement can be met with an available template and you are not sure about the certificate request process from the application end. Otherwise, go for the next option:

Submit a request by using a base-64-encoded CMC/PKCS#10 file
This option is best suited for a more detailed and accurate certificate request that carries all the details belonging to the application or the system. The user generates the certificate request from the application or the system with the necessary details and then submits the base-64-encoded data using this option.

We suggest using this option for all application-related certificates as it contains all the required fields that need to be mentioned in the issued certificate.

5. Select the option “Submit a certificate request by using a base64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base64-encoded PKCS#7 file”.

Paste the base-64 encoded certificate request (CSR) in the space provided. Select ‘Webserver Compatibility Certificate’ as Certificate Template. Leave the Attribute field blank. Click on ‘Submit’.

Submitting a certificate request with CSR and Template details

After successful submission of the certificate request, note down the “Request ID”. Ask the CA administrator to issue the certificate.

Certificate request submitted successfully

3. Check the Status of the Pending Certificate Request:

  1. Browse the CA page in the browser: https://yourcaserver/certsrv
  2. You will see a welcome page like the one shown here.

Welcome page of the Microsoft CA to view the status of pending CA request

  3. Select ‘View the status of a pending certificate request.’ You will see the status of the requests below. Select the certificate request whose status you want to check.

List of pending certificates to approve

The certificate, which is pending approval by the CA administrator

4. If the certificate is issued, it will be displayed as follows.

Approved certificate to download

5. Select ‘Base 64 encoded’ and click on ‘Download Certificate’ to download the requested certificate.

6. Select ‘Base 64 encoded’ and click on ‘Download certificate chain’ to download the certificate along with intermediary and root certificates.

4. Download a CA Certificate, Certificate Chain or CRL:

The certificate or CRL for your application-related requirement can be downloaded from the option on the home page as well.

  1. Browse the CA page in the browser: https://yourcaserver/certsrv

Welcome page of the Microsoft CA to download the certificate

  2. Select the “Download a CA certificate, Certificate Chain or CRL” option and select the required certificate to download.

List of options to download a CA certificate, Certificate Chain or CRL

This completes the process of requesting a certificate from Windows ADCS and downloading the certificate along with chain certificates.
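
Before installing the downloaded certificate, it is worth confirming that the CA issued what the CSR asked for and that the certificate chains to the CA certificate downloaded in step 4. The PowerShell function below is an added example, not part of the original article; the file name, the DNS name and the Server Authentication EKU requirement are assumptions for a web-server certificate.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not from the original article. The file name, DNS name and
# the Server Authentication EKU requirement are assumptions.
function Test-IssuedCertificate {
    param(
        [Parameter(Mandatory)] [string]   $CertPath,         # Base64 .cer from step 3
        [Parameter(Mandatory)] [string[]] $ExpectedDnsNames, # names placed in the CSR
        [string] $RequiredEku = '1.3.6.1.5.5.7.3.1'          # Server Authentication
    )
    $cert = [X509Certificate2]::new((Resolve-Path $CertPath).Path)
    $problems = @()

    # Validity window
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Not valid now: $($cert.NotBefore) to $($cert.NotAfter)"
    }

    # Subject Alternative Name (OID 2.5.29.17). Format() output is localized;
    # 'DNS Name=' is the English-language Windows label.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    foreach ($name in $ExpectedDnsNames) {
        if ($sanText -notmatch "DNS Name=$([regex]::Escape($name))(,|$)") {
            $problems += "SAN does not contain $name"
        }
    }

    # Enhanced Key Usage (OID 2.5.29.37)
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains $RequiredEku) { $problems += "EKU $RequiredEku missing" }

    # Chain and revocation: the CA certificate from step 4 must be in the
    # Trusted Root store and the CRL distribution point must be reachable.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $problems += @($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status)" })
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Valid      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}
Test-IssuedCertificate -CertPath .\certnew.cer -ExpectedDnsNames 'app01.example.internal'
```

A result with `Valid = False` lists each failed check in `Problems`; a missing SAN entry usually means the CSR did not carry the name or the template overrode it, so the request has to be resubmitted rather than the certificate installed.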

This post was originally published at thesecmaster.com.
