Tuesday, January 19, 2010

Step-by-step certificate creation for ISA Server 2006

I hope it serves you as well as it worked for our company.

I found this procedure on the Internet and it worked wonderfully. It explains everything from how to create the certification authority to exporting the .pfx file that we will need for our application.

Installing a Certificate for Workgroup Authentication
These procedures walk you through the creation of a certification authority (CA) and the installation of the server certificate and root certificate. These certificates are needed for the authentication of a workgroup computer running ISA Server services when it communicates with a Configuration Storage server.
This procedure is based on the use of a stand-alone CA, and describes how to install that CA.

Setting up the certification authority
You need a certification authority (CA) if you want to issue digital certificates. When the certificates are for internal use, we recommend that you create a local CA, negating the need to purchase a commercial certificate.
This procedure is performed on a computer running Microsoft Windows Server™ 2003 or Windows® 2000 Server. Because you will install a stand-alone root CA, this can be any computer. If you use Internet Information Services (IIS) in this procedure, we recommend that you not perform this on the Configuration Storage server. We recommend that IIS not run on the Configuration Storage server or on computers running ISA Server services.
This procedure also installs the services that will enable computers to obtain the certificates through a Web page. If you prefer a different approach for obtaining the certificates for computers, you do not have to perform the IIS and Active Server Pages installations described in this procedure.
To set up the certification authority, follow these steps:
1. Open Control Panel.
2. Double-click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Double-click Application Server.
5. Double-click Internet Information Services (IIS).
6. Double-click World Wide Web Service.
7. Select Active Server Pages.
8. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.
9. Select Certificate Services. Review the warning regarding the computer name and domain membership. Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows components dialog box.
10. On the CA Type page, select Stand-alone root CA, and then click Next. A stand-alone root CA requires that the administrator issue each requested certificate, unless you follow the procedure in Configuring a stand-alone root CA to issue certificates automatically (optional) in this document.
11. On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.
12. On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next.
13. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

Configuring a stand-alone root CA to issue certificates automatically (optional)
You can configure a stand-alone root CA to issue certificates automatically. Follow these steps:
1. From the Start menu, click Run. Type MMC, and then click OK.
2. In MMC, click File, and then click Add/Remove Snap-in.
3. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. From the list of snap-ins, select Certification Authority, and then click Add.
4. In Certification Authority, select Local computer, and then click Finish. Click Close, and then click OK.
5. Right-click the CAName certificates node, where CAName is the name of your certification authority, and select Properties.
6. On the Policy Module tab, click Properties.
7. On the Request Handling tab, select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
8. Click OK to close the Policy Module properties, and then click OK to close the CA properties.
9. You will receive a message that you must restart Certificate Services. Right-click the name of your CA, point to All Tasks, and select Stop Service. After the service has stopped, right-click the name of your CA, point to All Tasks, and select Start Service.

Obtaining a server certificate
This procedure is performed on any computer that can access the CA computer, or on the CA computer itself. If you perform this procedure on a computer in the same network as the CA computer, you will not have to publish the CA computer to another network or to the Internet. Do not perform this procedure on the computer that will be the Configuration Storage server, because ISA Server Setup uses an exported certificate file to ensure that the certificate is installed in the correct location and associated with the correct service.
After you obtain the certificate, you will export it to a file, which you can then move to the computer that will be the Configuration Storage server. To obtain a server certificate, follow these steps:
1. Open Internet Explorer.
2. From the menu, select Tools, and then select Internet Options.
3. Select the Security tab, and in Select a Web content zone to specify its security settings, click Trusted sites.
4. Click the Sites button to open the Trusted sites dialog box.
5. In Add this Web site to the zone, provide the certificate server Web site name (http://IP address of certification authority server/certsrvname) and click Add.
6. Click Close to close the Trusted sites dialog box, and then click OK to close Internet Options.
7. Browse to: http://IP address of certification authority server/certsrv.
8. Click Request a certificate.
9. Select Advanced Certificate Request.
10. Select Create and submit a request to this CA (Windows Server 2003 CA), or Submit a certificate request to this CA using a form (Windows 2000 Server CA).
11. Under Name, provide a name for the certificate. To avoid the client receiving an error when trying to connect, it is critical that the common name you provide for the certificate matches the server name. In common name, type the fully qualified host name for the Configuration Storage server on which the certificate will be installed, such as server01.east.fabrikam.com.
12. Complete the form and select Server Authentication Certificate from the Type drop-down list.
13. Select Mark keys as exportable.
14. Select Store Certificate in the local computer certificate store (Windows Server 2003 CA) or Use local machine store (Windows 2000 Server CA) and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.
15. If you installed a stand-alone root CA and did not configure it to automatically issue certificates, perform the following steps on the certification authority computer.
   a. From the Start menu, click Run. Type MMC, and then click OK. If you created the certification authority MMC console previously, open that console and skip to step f.
   b. In MMC, click File, and then click Add/Remove Snap-in.
   c. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. From the list of snap-ins, select Certification Authority, and then click Add.
   d. In Certification Authority, select Local computer, and then click Finish. Click Close, and then click OK.
   e. Go to the Microsoft Management Console (MMC) Certification Authority snap-in. (Click Start, point to All Programs, point to Administrative tools, and then select Certification Authority.)
   f. Expand the CAName certificates node, where CAName is the name of your certification authority.
   g. Click the Pending requests node, right-click your request, select All Tasks, and then select Issue.
16. On the computer where you requested the certificate, return to the Web page http://IP address of certification authority server/certsrv, and then click View status of a pending request.
17. Click your request and choose Install this certificate.

Exporting the server certificate
ISA Server installation makes use of the exported certificate file (.pfx), so you must export the server certificate. This procedure takes place on the computer on which the certificate was installed.
To export the server certificate, follow these steps:
1. From the Start menu, click Run. Type MMC, and then click OK.
2. In MMC, click File, and then click Add/Remove Snap-in.
3. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. From the list of snap-ins, select Certificates, and then click Add.
4. In Certificates snap-in, select Computer account, and then click Next. In Select Computer, verify that Local computer (the default) is selected, and then click Finish. Click Close, and then click OK.
5. In the MMC console, expand Certificates (Local Computer), expand Personal, and click Certificates.
6. In the details pane, right-click the certificate you just created (it shows the fully qualified domain name of the Configuration Storage server), point to All Tasks, and select Export.
7. On the Welcome page of the Certificate Export Wizard, click Next.
8. On the Export Private Key page, select Yes, export the private key, and then click Next.
9. On the Export File Format page, select Include all certificates in the certification path if possible, leave the other default settings, and then click Next.
10. On the Password page, you may provide and confirm a password, and then click Next.
11. On the File to Export page, click Browse and browse to a location where you want to store the exported certificate file. This can be a floppy disk, a network share, or any location from which the file can be easily retrieved by ISA Server Setup when installing the Configuration Storage server. Click Next.
12. On the summary page, click Finish.
13. Close MMC. Save the console settings with a descriptive name, such as LocalCertificates.

Installing a root certificate (this step is performed on the other ISA server, the secondary server)
For a client computer to trust the server certificates that you have installed from a local CA, it must have installed the root certificate from the CA. Follow this procedure on the computer on which you are going to install the ISA Server services array.
1. Open Internet Explorer.
2. From the menu, select Tools, and then select Internet Options.
3. Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down menu to Medium, click OK to close the Security Settings dialog box, and then click OK to close the Internet Options dialog box.
Note:
Certificate installation is not possible when the security setting is set to High.
4. Browse to: http://IP address of certification authority server/certsrv.
5. Click Download a CA certificate, certificate chain, or CRL.
6. Click Install this CA certificate chain. Read the warning, and if you want to proceed, click Yes.
Note:
Alternatively, you can select Download CA certificate chain. In the File Download dialog box, click Save and save the file to a known location that you can refer to during the installation of ISA Server services in an array.
7. Verify that the root certificate was properly installed. Open MMC, and go to the Certificates snap-in. Open Certificates (local computer), expand the Trusted Root Certification Authorities node, click Certificates, and verify that the root certificate is in place.
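
The following is an added example, not part of the original procedure or of Microsoft's tooling: a PowerShell function that inspects the exported .pfx for the properties the steps above depend on (common name equal to the Configuration Storage server's fully qualified name, Server Authentication usage, a private key, the CA root included in the file) and reports whether that root is in the local computer's Trusted Root Certification Authorities store. The function name, parameter names and sample path are hypothetical, and it assumes a machine with Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original procedure). Test-IsaServerPfx, $PfxPath and
# $ExpectedFqdn are hypothetical names; requires Windows PowerShell 3.0 or later.
function Test-IsaServerPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $ExpectedFqdn,   # e.g. server01.east.fabrikam.com
        [System.Security.SecureString] $Password         # omit if no export password was set
    )
    $plain = ''
    if ($Password) { $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password }

    # Load every certificate in the file. No PersistKeySet flag is passed, so the
    # private key is not kept on this machine after the check.
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $certs.Import((Resolve-Path $PfxPath).Path, $plain, $flags)

    # The server certificate is the one that carries the private key.
    $leaf = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key found in $PfxPath" }

    $cn   = $leaf.GetNameInfo('SimpleName', $false)
    $ekus = $leaf.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }

    # A self-signed certificate other than the leaf is the CA root that
    # "Include all certificates in the certification path if possible" adds.
    $root = $certs |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Thumbprint -ne $leaf.Thumbprint } |
        Select-Object -First 1
    $rootTrusted = $false
    if ($root) { $rootTrusted = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)" }

    [pscustomobject]@{
        Subject            = $leaf.Subject
        CommonNameMatches  = ($cn -eq $ExpectedFqdn)                # must match the server name
        HasPrivateKey      = $leaf.HasPrivateKey
        ServerAuthEku      = ($ekus -contains '1.3.6.1.5.5.7.3.1')  # Server Authentication OID
        WithinValidity     = ((Get-Date) -ge $leaf.NotBefore -and (Get-Date) -le $leaf.NotAfter)
        RootInPfx          = [bool]$root
        RootTrustedLocally = $rootTrusted
    }
}

# Example call (constructed path and host name):
# Test-IsaServerPfx -PfxPath C:\certs\storage.pfx -ExpectedFqdn server01.east.fabrikam.com
```

RootTrustedLocally reflects the store of the machine where the function runs, so run it on the computer that will host the ISA Server services to confirm the result of step 7.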
