How to request a certificate from Windows ADCS?


A certificate is one of the most common means of verifying the identity of a user, machine, server, service or application in the digital world. The usual process for getting a digital certificate is: create a CSR (Certificate Signing Request), submit the CSR to a CA (Certificate Authority), and download the certificate after the CA issues it. We have covered the first part, creating a CSR, in another article. In this article, we cover how to request a certificate from Windows ADCS. You can request a certificate from any other Certificate Authority as well; we are using ADCS (Microsoft’s Active Directory Certificate Service) for demonstration purposes. The idea behind the process remains the same.

Contents

  • What is Microsoft ADCS (Active Directory Certificate service)?
  • To request a certificate from Windows ADCS:
    • 1. Generate a CSR:
    • 2. Request a new certificate from ADCS:
    • 3. Check the status of the pending certificate request:
    • 4. Download a CA certificate, certificate chain or CRL:

What is Microsoft ADCS (Active Directory Certificate service)?

Microsoft Active Directory Certificate Service is a CA (Certificate Authority) used to issue certificates that meet internal certificate needs for secure communication.

Users can request a certificate for the Web browser, e-mail client, Remote Desktop Connections, and any applications or services from ADCS. You can request a certificate for pretty much anything. ADCS supports all standard and custom templates to issue certificates.

To request a certificate from Windows ADCS:

There are four major tasks that a user has to perform to get the certificate.

  1. Generate a CSR.
  2. Request a new certificate.
  3. Check the status of the pending certificate request.
  4. Download the certificate, certificate chain or CRL.

1. Generate a CSR:

Follow the procedure written in the article to create a custom CSR: Step by step procedure to create a custom CSR on a Windows Server!

2. Request a new certificate from ADCS:

  1. Browse to the CA page in the browser: https://yourcaserver/certsrv
  2. You will see the CA welcome page.
  3. Select “Request a Certificate”.
  4. You can request a certificate in either of the two ways described below:

Create and submit a new certificate request with the available templates
The Certificate Authority has some pre-defined templates with which certificates can be requested. Use this option only if the requirement can be met with an available template and you are not sure about the certificate request process from the application end. Otherwise, go for the next option:

Submit a request by using a base-64-encoded CMC/PKCS#10 file
This option is best suited for a more detailed and accurate certificate request carrying all the details that belong to the application or the system. The user generates the certificate request from the application or the system with the necessary details and submits the base-64-encoded data using this option.

We suggest using this option for all application-related certificates, as the request contains all the fields that need to appear in the issued certificate.

  5. Select the option “Submit a certificate request by using a base64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base64-encoded PKCS#7 file”.

Paste the base-64-encoded certificate request (CSR) into the space provided. Select ‘Webserver Compatibility Certificate’ as the Certificate Template. Leave the Attribute field blank. Click ‘Submit’.

After the certificate request is submitted successfully, note down the “Request ID”. Ask the CA administrator to issue the certificate.

3. Check the status of the pending certificate request:

  1. Browse to the CA page in the browser: https://yourcaserver/certsrv
  2. You will see the CA welcome page.
  3. Select ‘View the status of a pending certificate request’. You will see the status of the requests. Select the certificate request whose status you want to check.
  4. If the certificate has been issued, it will be displayed.
  5. Select ‘Base 64 encoded’ and click on ‘Download Certificate’ to download the requested certificate.
  6. Select ‘Base 64 encoded’ and click on ‘Download certificate chain’ to download the certificate along with the intermediate and root certificates.
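
The submit, status check and download steps above can also be run from PowerShell with the built-in certreq and certutil tools, which makes it easy to review the CSR before submission and to check the issued certificate afterwards. This is an added example, not part of the original article; the file names, the CA configuration string and the template short name are placeholders to replace with your own values.

```powershell
# Added example. Placeholders (assumptions, not from the article): file names,
# the CA config string and the template's short name.
$CsrPath  = '.\request.csr'            # base64 PKCS#10 file created in step 1
$CertPath = '.\issued.cer'             # where the issued certificate is written
$CaConfig = '<CAHostName>\<CAName>'    # placeholder for your CA
$Template = '<TemplateShortName>'      # placeholder for the template to use

# Review the CSR before submitting: subject, SANs and key size.
certutil -dump $CsrPath

# Submit the CSR (section 2) and capture the Request ID from certreq's output.
$out = certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $CertPath
$m = $out | Select-String -Pattern 'RequestId:\s*"?(\d+)' | Select-Object -First 1
if (-not $m) { throw "No Request ID returned: $($out -join ' ')" }
$requestId = $m.Matches[0].Groups[1].Value
Write-Host "Request ID: $requestId"

# If the request is pending, run this part again after the CA administrator
# has issued the certificate (section 3).
if (-not (Test-Path $CertPath)) {
    certreq -retrieve -config $CaConfig $requestId $CertPath | Out-Host
}
if (-not (Test-Path $CertPath)) {
    Write-Warning "Request $requestId has not been issued yet."
    return
}

# Check the issued certificate: identity fields, validity and chain.
$full = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
$cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
    ForEach-Object { $_.Format($true) }      # Subject Alternative Names

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($cert)) {
    Write-Host "Chain builds to a trusted root; revocation check passed."
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

A chain warning here usually means the CA's root or intermediate certificates from section 4 are not yet installed on the machine running the check.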

4. Download a CA certificate, certificate chain or CRL:

The certificate or CRL for your application-related requirement can also be downloaded from the option on the home page.

  1. Browse to the CA page in the browser: https://yourcaserver/certsrv
  2. Select the “Download a CA certificate, Certificate Chain or CRL” option and select the required certificate to download.

This completes the process of requesting a certificate from Windows ADCS and downloading the certificate along with chain certificates.