Generate a certificate from an internal certificate authority

  • 릴리스 버전: Australia
  • 업데이트 날짜 2026년 03월 12일
  • 소요 시간: 3분

    • When you configure Microsoft Active Directory for SSL access, you must generate an internal certificate and request the external certificate.

    시작하기 전에

    Role required: admin

    이 태스크 정보

    These steps apply to Microsoft CA services. If you have a different internal CA platform, see your local CA administrator for assistance.

    프로시저

    1. From the domain controller (DC) you want to create a certificate for, browse to http://localhost/certsrv or specify the CA server name if it is on a remote server.
    2. From the Welcome page, click Request a certificate and select advanced certificate request.
    3. On the Advanced Certificate Request page, select Create and submit a request to this CA.
    4. Complete the Advanced Certificate Request as follows:
      표 1. Advanced Certificate Request fields
      Field Entry
      Name The fully qualified domain name (FQDN) of the DC that is requesting the certificate.
      E-Mail The email address of the person responsible for the certificate.
      Company Your company name.
      Key Options settings
      Create new key set Select it.
      CSR Microsoft RSA SChannel Cryptographic Provider.
      Key Usage Exchange.
      Key Size 1024 is recommended. The instance supports up to 2048.
      Automatic key container name Select it.
      Store certificate in the local computer certificate store Select it.
    5. Click Submit.
      You are directed to a page that provides your Request ID, make note of this ID.
    6. To process the pending request, complete the following:
      1. Open the Certificate Authority management console.
      2. Expand the server node and select Pending Requests.
      3. Locate the Request ID for the request you just submitted, right-click, and select All Tasks/Issue to approve the request and issue the certificate.
    7. To retrieve the issued certificate, complete the following:
      1. From the DC you made the request from, browse to http://localhost/certsrv, or specify the CA server name if it is on a remote server.
      2. Select View the status of a pending certificate request.
      3. Select the link to the new certificate.
      4. Select the link to Install this certificate.

    다음에 수행할 작업

    You need to request a third party certificate. Certificates from external CAs can be purchased for as little as $30 per year. For detailed procedures on requesting a certificate from an external CA, see Microsoft article 321051. After it is received, installed, and tested, follow the export procedure.