SSL Configuration with AD Certificate Services

This guide will help you issue an SSL certificate for your ActivityInfo server via Active Directory Certificate Services (AD CS). This guide assumes the following:

  • You have installed Active Directory Certificate Services on your Domain Controller
  • You are logged into your Domain Controller
  • You have created a Certificate Authority (CA) that is trusted by all computers on your domain

For more information on AD CS, please see the following resources from Microsoft:

You will need to complete the following steps:

  1. Configure a template
  2. Assign a template to a CA
  3. Request and enroll a new SSL certificate for ActivityInfo
  4. Export the SSL certificate to a .PFX file
  5. Import the .PFX file to ActivityInfo

Configure a template

  1. In the Certificate Templates snap-in, right-click the Web Server template and select Duplicate.
  2. On the Security tab, click Add.
  3. Click Object Types, check Computers, and then click Ok.
  4. Enter "Domain Controller".
  5. Click Check Names and then lick OK.
  6. With Domain Controllers selected, check read, enroll, and auto-enroll permissions.
  7. On the Request Handling tab, check the Allow private key to be exported box.
  8. On the General tab, update the template display name to SSL Certificate Template or similar.
  9. Click OK to save the new template.

Assign a template to a CA

  1. Under Certification Authority (Local), expand the node with the CA name.
  2. Click to select the Certificate Templates container (under the CA name, not the Certificate Templates snap-in).
  3. Right click the container and select New, and then Certificate Template to Issue.
  4. Select SSL Certificate Template and click OK.

Request and enroll a new SSL certificate for ActivityInfo

  1. Open the MMC window and add the Certificates snap-in for the local Computer account.
  2. Right-click the Personal node and choose All Tasks -> Request New Certificate.
  3. Click Next twice to get to the Request certificates page. Your can see the template you created in the previous step.
  4. Click the More information is required... link.
  5. Under Subject name, under Type, select Common name.
  6. Enter your ActivityInfo host name, for example "activityinfo.example.gov" and then click Add.
  7. Under Alternative name, under Type, select DNS.
  8. Using the same process, add a subject alternative name of type DNS for your ActivityInfo host name, for example, “activityinfo.example.gov” (the same name you added above).
  9. Click the Private Key tab.
  10. Under Key options, ensure the Make private key exportable option is checked and click OK.
  11. Back on the Request Certificates wizard page, ensure the checkbox for the template is checked and click Enroll.
  12. You can now see the certificate you requested and enrolled in the Personal store in the Certificates snap-in.

Export the SSL certificate to a .PFX file

  1. In the Certificates snap-in for the Local Machine, click the Personal store.
  2. Double-click the SSL certificate you used for your federation service.
  3. On the Details tab, click Copy to file and then click Next in the wizard.
  4. Ensure .pfx is selected, Include all certificates in the certification path if possible and Export all extended properties are checked and then click Next.
  5. Select Password, enter a password, and then click Next.
  6. Select a file location and name, click Next, and then click Finish.

Import the .PFX file to ActivityInfo

  1. Open the ActivityInfo Server and navigate to Server Settings.
  2. Click the "SSL Certificate" section.
  3. Click "Import certificate"
Screenshot
Screenshot
  1. Then browse for the .PFX file you exported along with the password from the previous step.
Screenshot
Screenshot
  1. Click import.
Next item
Strict Transport Security