Share via


Request a computer certificate for server authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To request a computer certificate for server authentication

Submit an advanced certificate request for a computer certificate by using the Web

Submit a computer certificate request by using the Certificate Request Wizard

Submit an advanced certificate request for a computer certificate by using the Web

  1. Open Internet Explorer.

  2. In Internet Explorer, connect to https://servername/certsrv, where servername is the name of the Web server that is running Windows Server 2003 and where the certification authority (CA) that you want to access is located.

  3. Click Request a certificate.

  4. Click Advanced certificate request.

  5. Click Create and submit a certificate request to this CA.

  6. Provide identifying information as required.

  7. In the Name box, type the name of the terminal server for which you are requesting the certificate.

  8. In Type of Certificate needed, click Server Authentication Certificate.

  9. In Key Options, click Create a new key set, and then specify additional options as follows:

    • In Cryptographic service provider (CSP), click Microsoft RSA SChannel Cryptographic Provider. This CSP supports key derivation for the SSL2, PCT1, SSL3, and TLS1 protocols.

    • In Key usage, click Exchange. Exchange means that the private key can be used to enable the exchange of sensitive information.

    • Select the Mark Keys as exportable check box. Doing this saves the public and private key to a PKCS #12 file. This is useful if you want to copy a certificate for use on another computer.

  10. Select the Store certificate in the local computer certificate store check box.

    Important

    • This check box must be selected for TLS authentication to function.
  11. Click Submit.

  12. If you see the Certificate Issued Web page, click Install this certificate. For instructions on how to retrieve a CA certificate from a Windows Server 2003 CA, see Related Topics.

  13. If you are finished using the Certificate Services Web pages, close Internet Explorer.

Notes

  • To request a certificate, a subject must have Read and Enroll permissions on the certificate template.

  • To open Internet Explorer, click Start, point to All Programs, and then click Internet Explorer.

  • This procedure is for obtaining certificates from a Windows Server 2003 CA. For instructions on how to obtain certificates by using the Windows 2000 Certificate Services Web pages, see Related Topics. Alternatively, you can purchase a certificate from a non-Microsoft vendor and install the certificate manually.

  • Use this procedure if you need to request the following certificates:

    • Certificates that are issued from a stand-alone CA.

    • Certificates that are based on a template configured to obtain the subject name from the subject.

    • Certificate types that require approval before the certificates are issued.

  • You can use the second procedure in this topic, "Submit a computer certificate request by using the Certificate Request Wizard," if the certificates meet the following requirements:

    • The certificates are issued from an enterprise CA.

    • The certificates are based on templates where the subject name is generated by Windows.

    • The certificate type does not require approval before the certificates are issued.

  • For a client to make a connection to the terminal server, the client must trust the root of the server’s certificate. The client computers must have the certificate of the root CA that issued the server certificate in their Trusted Root Certification Authorities store, which you can view in the Certificates snap-in.

Submit a computer certificate request by using the Certificate Request Wizard

  1. If you are submitting a computer certificate request for the local terminal server, open Certificates (Local Computer) If you are submitting a computer certificate request for a remote terminal server, open Certificates (Servername).

  2. In the console tree, click one of the following:

    • Certificates (Local Computer) (for the local terminal server)

    • Certificates (Servername) (for a remote terminal server).

  3. If you are not in Certificate Purpose view mode, on the View menu, click Options, click Certificate Purpose, and then click OK.

  4. In the details pane, under Intended Purposes, double-click Server Authentication.

  5. On the Action menu, point to All Tasks, and then click Request New Certificate to start the Certificate Request Wizard.

  6. On the Certificate Types page, click Server Authentication, and then select the Advanced check box.

  7. On the Cryptographic Service Provider page, click Microsoft RSA SChannel Cryptographic Provider. This CSP supports key derivation for the SSL2, PCT1, SSL3, and TLS1 protocols. '

  8. Select the key length. It is recommended that you use a key length of 1024 bits (the default setting) or higher.

  9. Select the Mark Keys as exportable check box. Doing this enables you to save the public and private key to a PKCS #12 file. This is useful if you want to copy a certificate for use on another computer.

  10. Specify whether to enable strong private key protection.

  11. On the Certification authority page, if more than one CA is available, click Browse, and then click the name of the CA that will issue the certificate.

  12. On the Certificate Friendly Name and Description page, type a friendly name for the new certificate.

  13. On the wizard completion page, click Finish.

Notes

  • To request a certificate, a subject must have Read and Enroll permissions on the certificate template.

  • To open Certificates for a computer account, click Start, click Run, type mmc, and then click OK. On the File menu, click Open, navigate to the console file that you want to open, and then click Open. In the console tree, click the Certificates snap-in that contains the computer account you want.

  • If you have not already created an MMC console that contains Certificates, see Related Topics for instructions on managing certificates for a computer.

  • This procedure is for obtaining certificates from a Windows Server 2003 CA. However, you can also use the Windows Certificate Request Wizard to obtain certificates from a Windows 2000 CA, or you can purchase a certificate from a non-Microsoft vendor and install the certificate manually.

  • To use this procedure to request certificates, the certificates must meet the following requirements:

    • The certificates are issued from an enterprise CA.

    • The certificates are based on templates where the subject name is generated by Windows.

    • The certificate type does not require approval before the certificates are issued.

  • Use the first procedure in the topic, "Submit an advanced certificate request for a computer certificate via the Web," if you need to request the following certificates:

    • Certificates that are issued from a stand-alone CA.

    • Certificates that are based on a template configured to obtain the subject name from the subject.

    • The certificate type requires approval before the certificates are issued.

  • For a client to make a connection to the terminal server, the client must trust the root of the server’s certificate. The client computers must have the certificate of the root CA that issued the server certificate in their Trusted Root Certification Authorities store, which you can view in the Certificates snap-in.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Working with MMC console files
Manage certificates for a computer
Requesting certificates
Retrieve a certification authority certificate from a Windows Server 2003 CA
Use Windows 2000 Certificate Services Web Pages
Configuring Terminal Services with Group Policy
Configuring Terminal Services with TSCC