πŸ” Issuing SSL Certificates to Internal Web Servers (IIS/Exchange) Using AD CS

Posted on by

Hey there! So far, I’ve covered everything from installing AD CS to configuring auto-enrollment. Now it’s time to put those certificates to good useβ€”let’s issue SSL certificates for internal web servers like IIS and Exchange Server.

Whether I’m setting up HTTPS for an intranet site or securing OWA/ECP for Exchange, using internal certificates via AD CS saves cost and simplifies trust within the domain.

🧠 Why Use AD CS for SSL?

  • βœ… Cost-effective – No need to buy public certs for internal names
  • βœ… Trusted by all domain clients (thanks to auto-published root CA)
  • βœ… βœ… Easy to manage with certificate templates

🧰 Prerequisites

Before I begin, here’s what I make sure is ready:

  • βœ”οΈ Web server is domain-joined
  • βœ”οΈ A published Web Server certificate template
  • βœ”οΈ CA is up and running
  • βœ”οΈ Required ports (like 443) are open
  • βœ”οΈ IIS or Exchange roles installed

πŸ“„ Step 1: Create and Publish the Web Server Template

  1. On the CA, open Certificate Templates Console
  2. Right-click Web Server β†’ Duplicate Template
  3. Use a name like: Corp Web SSL
  4. In the General tab:
    • Validity: 2 or 3 years
  5. In the Request Handling tab:
    • Purpose: Signature
    • Allow private key export (optional)
  6. In the Subject Name tab:
    • Select: Supply in the request (important for manual enrollment)
  7. In the Security tab:
    • Add the server/computer account or a security group
    • Grant Enroll permissions

Save and close.

  1. Go to CA Console β†’ Right-click Certificate Templates β†’ New β†’ Certificate Template to Issue
  2. Select Corp Web SSL

βœ… The template is now published.

πŸ–₯️ Step 2: Request the Certificate (Manual Enrollment)

On the target server (e.g., IIS or Exchange):

Option 1: MMC Method (GUI)

  1. Run mmc.exe
  2. Add the Certificates snap-in for Computer Account
  3. Navigate to: Personal β†’ Certificates
  4. Right-click β†’ All Tasks β†’ Request New Certificate
  5. Select the MAHARJAN Web SSL template
  6. Click More Information is required to enroll
  7. Enter Common Name (e.g., web.internal.local)
    • Add SANs if needed (Subject Alternative Names)
  8. Complete the enrollment

Option 2: PowerShell (Advanced)

Here’s a sample script I use to generate a cert with SANs:

$san = "dns=web.internal.local&dns=autodiscover.internal.local"
$csrParams = @{
    Subject = "CN=web.internal.local"
    Template = "MAHARJAN Web SSL"
    MachineContext = $true
    CertStoreLocation = "Cert:\LocalMachine\My"
    TextExtension = @("2.5.29.17={text}$san")
}
Get-Certificate @csrParams

🌐 Step 3: Bind the SSL Certificate in IIS

  1. Open IIS Manager
  2. Select your website
  3. Click Bindings β†’ Add β†’ Choose:
    • Type: https
    • Port: 443
    • SSL Certificate: Choose the one you just enrolled
  4. Click OK and restart IIS

For Exchange Server, use the Exchange Admin Center or PowerShell to assign the cert to services like IIS and SMTP.

πŸ” Step 4: Verify the Certificate

From a domain-joined client:

  • Open browser β†’ Browse to https://web.internal.local
  • You should see a valid HTTPS connection
  • Click the padlock β†’ View certificate β†’ Check:
    • Issued by your Enterprise CA
    • Correct CN/SAN
    • Proper validity period

πŸ§ͺ Pro Tips

  • βœ”οΈ Use SANs for services like Exchange (autodiscover, mail, etc.)
  • πŸ” Certificates must be renewed before expiry (autoenrollment can be configured for servers too)
  • πŸ” Don’t forget to backup the private key if needed for use on load balancers or reverse proxies

🧭 What’s Next?

Next, I’ll explain how to configure Certificate Revocation, CRLs, and OCSP, which are essential for certificate trust and health in an enterprise.

Leave a Reply

Your email address will not be published. Required fields are marked *