Generate a web server certificate signed by Microsoft Certificate Authority

Use openssl to generate a certificate request, Microsoft Certificate Authority to sign the request, Apache to use the certificate


These instructions can be used to generate a certificate for a web server. The certificate is signed by a Microsoft Certificate Authority from an Active Directory domain. The signed certificate can be used by any web server.

The example data is:

  • web server name: www.example.local
  • certificate name: example_web_cert
  • server that hosts the Certificate Authority: caserver.example.local
  • name of the Certificate Authority: example-CA
  • name of the certificate template: WebServer

Generate a private key and a certificate request

openssl req -new -sha256 -newkey rsa:2048 -noenc \
    -subj '/CN=www.example.local' \
    -addext 'subjectAltName = DNS:www.example.local' \
    -keyout example_web_cert.key -out example_web_cert.csr

man openssl req gives more information about the parameters, but this summary may be enough:

  • -subj gives the subject attribute on the command line, avoiding the interactive dialog about the name
  • the subjectAltName certificate extension is added with -addext
  • -sha256 is the digest to use when signing the request. To see the list of supported digest algorithms use openssl list -digest-algorithms
  • rsa:2048 is the type and size of the private key
  • -noenc leaves the private key unencrypted

To verify the certificate request use:

openssl req -in example_web_cert.csr -text -verify -noout

Note: you can add the server’s IP address to the subjectAltName. Example: DNS:www.example.local,IP:192.168.1.28

Sign the request

Copy the certificate request to a domain-joined Windows machine and start a command prompt or PowerShell as a user with the right to enroll the web server certificate (see Note 2).

certreq -submit -attrib "CertificateTemplate:WebServer" -config "caserver.example.local\example-CA" example_web_cert.csr example_web_cert.crt

If everything is OK you should get an answer like this:

RequestId: 12345
RequestId: "12345"
Certificate retrieved(Issued) Issued

Note 1: the name of the template may not be WebServer, or someone might have configured additional templates for web servers. Start the Certificate Authority console to check the available templates, add new ones or manage them.

Note 2: certreq -submit must be launched from a user account with the Enroll right for the WebServer template. Start the Certificate Authority console to check the permissions for the template you want to use.

Copy the signed certificate to a common location

The signed certificate and its private key should be put in a location accessible to your web server (Apache, Nginx, …) and protected from unwanted access. Example:

sudo cp example_web_cert.crt /etc/ssl/certs/
sudo chmod 400 /etc/ssl/certs/example_web_cert.crt
sudo cp example_web_cert.key /etc/ssl/private/
sudo chmod 400 /etc/ssl/private/example_web_cert.key

Example: add the certificate to Apache web server

For Apache, in a <VirtualHost>, add:

    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile /etc/ssl/certs/example_web_cert.crt
    SSLCertificateKeyFile /etc/ssl/private/example_web_cert.key

Do not forget to enable the SSL module, test the new configuration and reload it:

sudo a2enmod ssl
apachectl configtest
sudo systemctl reload apache2

Note: to access the web server by its name, make sure the DNS is properly configured.

The root CA certificate

If the certificate authority’s root certificate is not trusted on your system, its certificate can be installed with:

root_ca_cert_name='example-CA.crt'
if ! command -v update-ca-certificates >/dev/null 2>&1; then
    sudo apt -y install ca-certificates
fi
sudo cp "$root_ca_cert_name" /usr/local/share/ca-certificates
sudo update-ca-certificates
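The following script is an added example and is not part of the original post. It ties the steps above together from the Linux side: it runs the CSR step with the article's example data (including the IP SAN from the note), converts the CA's root certificate to PEM when it was handed out as DER, and checks an issued certificate before it is copied to /etc/ssl and referenced from Apache. The Microsoft CA cannot be driven from such a script, so a throwaway local OpenSSL CA (constructed here, not the real example-CA) stands in for the certreq -submit step; the checks themselves apply unchanged to a certificate issued by the Windows CA. The function names, the temporary directory layout and the file example-CA.cer are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Requires the openssl command
# line tool (1.1.1 or newer). Function names and file names are assumptions.

# Step 1 of the article: private key + CSR carrying DNS and IP SANs. -nodes is
# the older spelling of the article's -noenc, accepted by OpenSSL 1.1.1 and 3.x.
make_csr() {
    local dir=$1 name=$2 host=$3 ip=$4
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -addext "subjectAltName = DNS:$host,IP:$ip" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
}

# Stand-in for "certreq -submit": a throwaway self-signed CA (NOT example-CA)
# that issues a one-day certificate and adds the SAN from an extension file.
sign_with_local_ca() {
    local dir=$1 name=$2 host=$3 ip=$4
    openssl req -x509 -new -sha256 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=example-CA (local stand-in)' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$host" "$ip" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/ext.cnf" \
        -out "$dir/$name.crt" 2>/dev/null
}

# A Windows CA commonly exports its root certificate as DER, while
# update-ca-certificates only picks up PEM files. Convert only when needed.
to_pem() {
    local in=$1 out=$2
    if openssl x509 -in "$in" -inform PEM -noout 2>/dev/null; then
        cp "$in" "$out"
    else
        openssl x509 -in "$in" -inform DER -out "$out"
    fi
}

# Checks worth running before certificate and key go into /etc/ssl:
#   1. the certificate's public key belongs to our private key
#   2. the certificate chains to the CA certificate we are about to trust
#   3. the expected DNS name is in subjectAltName (clients ignore the CN)
#   4. the certificate is inside its validity period
# Returns 0 when all pass, 1 at the first failure (reason on stderr).
check_issued_cert() {
    local crt=$1 key=$2 ca=$3 host=$4 crt_pub key_pub san
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "check: certificate does not match private key $key" >&2; return 1
    fi
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "check: certificate does not chain to $ca" >&2; return 1
    fi
    san=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null) || return 1
    case "$san" in
        *"DNS:$host"*) ;;
        *) echo "check: subjectAltName lacks DNS:$host" >&2; return 1 ;;
    esac
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "check: certificate is expired or not yet valid" >&2; return 1
    fi
    return 0
}

# Build a complete fixture in a temporary directory from the article's example
# data (www.example.local, example_web_cert, 192.168.1.28); prints the directory.
build_fixture() {
    local dir host=www.example.local ip=192.168.1.28 name=example_web_cert
    dir=$(mktemp -d)
    make_csr "$dir" "$name" "$host" "$ip"
    sign_with_local_ca "$dir" "$name" "$host" "$ip"
    # Simulate the DER export a Windows CA typically hands out, then normalise it.
    openssl x509 -in "$dir/ca.crt" -outform DER -out "$dir/example-CA.cer"
    to_pem "$dir/example-CA.cer" "$dir/example-CA.pem"
    # An unrelated key, used to show that a key/certificate mismatch is caught.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
    printf '%s\n' "$dir"
}

demo() {
    local d
    d=$(build_fixture)
    check_issued_cert "$d/example_web_cert.crt" "$d/example_web_cert.key" \
        "$d/example-CA.pem" www.example.local \
        && echo "issued certificate OK: copy it to /etc/ssl as described above"
    check_issued_cert "$d/example_web_cert.crt" "$d/other.key" \
        "$d/example-CA.pem" www.example.local \
        || echo "mismatched key correctly rejected"
    rm -rf "$d"
}

demo
```

With a real certificate from the Windows CA, call check_issued_cert with the file certreq wrote (example_web_cert.crt), the key from the openssl req step and the PEM root certificate produced by to_pem; only when it returns 0 is it worth running the cp and chmod commands and reloading Apache. The public-key comparison in check 1 works because both openssl x509 -pubkey and openssl pkey -pubout emit the same SubjectPublicKeyInfo PEM, so a certificate issued for a different CSR is caught before Apache refuses to start.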