Issuing Certificates Via the MMC Snap-in

 

There are two major advantages to using an enterprise CA over a standalone CA:

 

• The CA certificate of the enterprise CA is automatically entered into the Trusted Root Certification Authorities node in the machine certificate store for all domain member computers
• You can use the Certificates standalone MMC snap-in to request a machine certificate from the enterprise CA and have the certificate immediately issued and installed on the client

 

Requesting a certificate from the Certificates MMC is especially useful when you need to issue a Web site certificate to one of your Exchange Server services, or when you need to assign a machine certificate to the ISA Server firewall so that it can create L2TP/IPSec connection and create SSL connections between its internal interface and a published SSL Web site.

 

Perform the following steps to request a certificate from an enterprise CA from a machine that belongs to the same domain as the enterprise CA:

 

1. Click Start and click the Run command. Type mmc in the open text box and click OK.
2. In the Console 1 console, click the File menu and then click the Add/Remove Snap-in command.

 

Figure 1

 

3. In the Add/Remove Snap-in dialog box, click the Add button.

 

Figure 2

 

 

4. In the Add Standalone Snap-in dialog box, click on the Certificates snap-in and click the Add button.

 

Figure 3

 

5. Select the Computer account option on the Certificates snap-in page. Its very important that you select the computer account option because the certificate must be assigned to the machine account (computer account). Click Next.

 

Figure 4

 

6. On the Select Computer page, select the Local computer option. Click Finish.

 

Figure 5

 

7. Click the Close button in the Add Standalone Snap-in  dialog box, then click on the OK button in the Add/Remove Snap-in dialog box.
8. In the Console1 console, right click on the Personal node in the left pane, point to All Tasks and click on the Request New Certificate command.

 

Figure 6

 

9. Click Next on the Welcome to the Certificate Request Wizard page of the Certificate Request Wizard.

 

Figure 7

 

10. You can see the certificate types available on the Certificate Types page. Note that in this example that the only certificate type available is the Computer certificate. Click on the Computer certificate and click Next.

 

Figure 8

 

11. On the Certificate Friendly Name and Description page, type in a Friendly name for the certificate and type in a Description for the purpose of the certificate. The friendly name and the description have no effect on the functioning of the certificate but they do help identify the reason you requested and installed the certificate. Click Next.

 

Figure 9

 

12. Review your settings on the Completing the Certificate Request Wizard page and click Finish.

 

Figure 10

 

13. Click OK in the Certificate Request Wizard dialog box that informs you that the certificate request was successful.

 

Figure 11

 

14. A new node, the Certificates\Personal\Certificates node appears in the left pane of the Console. You can see the machine certificate in the right pane of the console.

 

Figure 12