Using MMC to request a new certificate

The most common way that I see administrators interface with the certificates on their systems is through the MMC snap-in tool. MMC is short for Microsoft Management Console, and by using MMC, you can administer just about anything in the operating system. It is perhaps a greatly underutilized tool, though, as I generally only see it being opened for a few select tasks. Requesting certificates is one of those tasks.

We are going to use the MMC console on a new server that we have in our network. There is a new certificate template that has been created, and we would like to issue one of these certificates to our new web server.

Getting ready

A Server 2019 Enterprise root CA server is online and running in our network. On it, we have configured a new certificate template called IPsec Certificate. The steps have been taken to publish this template so that it may be requested from computers in our network. We are now working from a brand-new web server that is also running Server 2019 and joined to our domain, where we are going to manually request a certificate from the CA server.

How to do it…

Follow these steps to request a new certificate using the MMC console:

  1. Open the Command Prompt on our new web server and type mmc. Then, press Enter. Alternatively, you can open MMC from the Start screen.
  2. Now, inside the MMC console, click on the File menu, and then on Add/Remove Snap-in….
  3. Choose Certificates from the list of available snap-ins and click on the Add button. This will open a new window with some more choices about the certificates snap-in.
  4. First, we need to choose whether we are opening the user certificate repository or the computer certificate repository. A Service account option is also listed, but I don't generally see service accounts being used in the field. What you choose here will depend on what type of certificate you are requesting. For our example, we are looking for an IPsec certificate, which needs to go in the Computer container. Choose Computer account and click Finish:

    Figure 4.18 – Selecting the computer account for the certificate manager

  5. Leave the next option set to Local computer and click Finish again. Then, click OK.

    There are also MSC launchers that can be utilized to bring you into the certificate stores even faster. You may have an entry in your Start menu called Manage Computer Certificates (although it is not always reliably accessible). Another option is to make use of some direct MSC launches by navigating to Start | Run or the Command Prompt and typing in the following commands:

    a. CERTMGR.MSC opens user certificates

    b. CERTLM.MSC opens computer certificates

    Now, back to the certificate management process:

  6. Inside the main MMC console, expand Certificates (Local Computer) and select the Personal folder. You will see that there are currently no certificates installed here.
  7. Right-click on the Personal folder and navigate to All Tasks | Request New Certificate…:

    Figure 4.19 – Selecting the Request New Certificate… option

  8. Click Next.
  9. On the Select Certificate Enrollment Policy screen, Active Directory Enrollment Policy is automatically selected. Simply click Next again to go to the next screen.
  10. Now, we can see a list of certificate templates that are available to us. Check the boxes for the certificates that you want to request and click Enroll:

    Figure 4.20 – Active Directory Enrollment Policy screen

Tip

If you are expecting to see a specific template here but it isn't in the list, click on Show all templates. This will display a list of all templates on the CA server and explain why the one you expected is not currently available. This can help with troubleshooting.

How it works…

Utilizing the MMC console is a quick and easy way to manually request new certificates. In an Active Directory environment, any certificate template on the CA server that you have permission to enroll in will be visible and easy to request. This example walked through the enrollment process for a machine certificate that we are planning to use in the future for IPsec authentication. However, there are many cases where you may want to issue user-level certificates rather than computer certificates. In those cases, you would add the Certificates snap-in for the user account instead of the computer account that we chose in our example.
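
To confirm what the steps above actually placed in the Personal folder of Certificates (Local Computer), the following PowerShell check can be run on the web server. It is an added example, not part of the original recipe; the 30-day expiry threshold and the warning wording are assumptions chosen for illustration.

```powershell
# Added example (not from the original recipe): audit Certificates (Local Computer) > Personal.
# Run in an elevated PowerShell session on the web server after step 10.
$templateDisplayName = 'IPsec Certificate'  # template display name used in this recipe
$expiryWarnDays      = 30                   # assumption: threshold chosen for illustration
$templateOids = @(
    '1.3.6.1.4.1.311.21.7',  # Certificate Template Information (version 2+ templates)
    '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (version 1 templates)
)

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Find whichever template extension the CA stamped into the certificate.
    $ext = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        # Format() decodes the extension. The display name appears only when the
        # machine can resolve the template OID; otherwise only the OID is shown.
        Template      = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
        EKU           = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        HasPrivateKey = $cert.HasPrivateKey   # needed for the server to authenticate with this certificate
        ChainValid    = $cert.Verify()        # chain builds to a root this machine trusts
        NotAfter      = $cert.NotAfter
        DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint    = $cert.Thumbprint
    }
}

# Full inventory of the computer's Personal store, soonest expiry first.
$report | Sort-Object NotAfter | Format-List

# Narrow to certificates issued from the recipe's template and flag problems.
$issued = @($report | Where-Object { $_.Template -like "*$templateDisplayName*" })
if ($issued.Count -eq 0) {
    Write-Warning "No certificate from template '$templateDisplayName' found in LocalMachine\My."
}
foreach ($c in $issued) {
    if (-not $c.HasPrivateKey) { Write-Warning "$($c.Thumbprint): no private key on this machine." }
    if (-not $c.ChainValid)    { Write-Warning "$($c.Thumbprint): chain validation failed." }
    if ($c.DaysLeft -lt $expiryWarnDays) { Write-Warning "$($c.Thumbprint): expires in $($c.DaysLeft) days." }
}
```

If the Template column shows only an OID, compare it against the template's object identifier on the CA rather than relying on the display-name match.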