Create a certificate using a certificate signing request

A Certificate Signing Request (CSR) includes the information needed to create a subordinate Certificate Authority (CA) within an Active Directory (AD) domain.

Teams must create the CSR in Advanced Server Access and sign it with an AD domain. Teams can then upload the signed certificate to Advanced Server Access and associate the certificate with one or more AD connections. Some of the following steps can differ depending on your specific Active Directory environment.

Before you begin

Start this task

  1. Create a CSR in Advanced Server Access.
    1. Open the Advanced Server Access dashboard.
    2. In the user menu, click Team Settings.
    3. Go to the Passwordless Certificates tab.
    4. Click Create > Certificate Signing Request.
    5. In the Create Certificate Signing Request window, configure the certificate settings.
    6. Click Create Certificate Signing Request.
      Your device downloads the CSR. Move this file to an AD domain controller.
  2. Create a certificate template on an AD Certificate Services (CS) server.
    1. Open the Certification Authority.
    2. Right-click Certificate Templates and select Manage. The Certificate Templates Console window opens.
    3. Right-click Subordinate Certification Authority and select Duplicate Template. A properties window opens.
    4. In the General tab, under Template Display Name, enter ADPasswordless.
    5. In the Extensions tab, select Application Policy and then click Edit. The Edit Application Policies Extension window opens.
    6. Click Add. The Add Application Policy window opens.
    7. Select Smart Card Logon and Client Authentication, then click OK.
    8. In the Edit Application Policies Extension window, click OK.
  3. Issue a certificate.
     Note: Adjust the following commands to use the name of your CSR.
    1. Return to the Certification Authority.
    2. Right-click Certificate Templates and go to New > Certificate Template to Issue.
    3. From the Enable Certificate Templates window, select the certificate template you created and click OK.
    4. Open a command prompt as an administrator.
    5. Navigate to the directory where you stored the CSR and enter the following command:
      certreq -attrib "CertificateTemplate:ADPasswordless" -submit "YOUR_TEAM_CSR" "YOUR_SAVED_CERT"
    6. From the confirmation window, select the related CA and click OK.
      The AD CS service issues a certificate and saves a certificate file with Base-64 encoding.
  4. Import the certificate to the Trusted Root Certification Authorities store.
    1. Double-click the issued certificate.
    2. From the certificate window, click Install Certificate.
    3. From the Certificate Import Wizard window, click Next.
    4. Select Place all certificates in the following store and click Browse.
    5. From the browse window, select Trusted Root Certification Authorities and click OK.
    6. Click Next.
    7. Review the information and click Finish.
      AD imports the certificate.
  5. Import the certificate into AD.
    Note: Adjust the following commands to use the name of the saved certificate file.
    1. Return to the command prompt and navigate to the directory where you saved the certificate.
    2. Publish the certificate to the DS Enterprise store with the following command:
      certutil -dspublish -f YOUR_SAVED_CERT NTAuthCA
  6. Upload the signed certificate to Advanced Server Access.
    1. Return to the Passwordless Certificates tab in the Advanced Server Access dashboard.
    2. Identify the created certificate record.
    3. Click the gear icon > Upload certificate.
    4. In the Upload Certificate window, click Browse files.
    5. In the file explorer window, locate the issued certificate file.
    6. In the Upload Certificate window, click Upload.
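Steps 3 through 5 above can be run from one elevated PowerShell session on the domain controller. The script below is an added example, not part of the Okta documentation or the Advanced Server Access product, and it adds one check the steps do not spell out: before the signed certificate is imported and published to NTAuth, it confirms the certificate is actually a CA certificate and carries the Smart Card Logon and Client Authentication application policies that the ADPasswordless template was supposed to add. The paths, the CA config string ("host\CA name") and the file names are placeholders that you replace with your own.

```powershell
# Added example (not from the Okta documentation): submit the ASA CSR to AD CS,
# verify the issued certificate before trusting it, then import and publish it.
# Placeholder values: replace $CsrPath, $CertPath and $CaConfig for your environment.
$CsrPath  = 'C:\asa\team.csr'                    # CSR downloaded from Advanced Server Access
$CertPath = 'C:\asa\team-signed.cer'             # Base-64 certificate file that AD CS writes
$CaConfig = 'DC01.example.corp\Example-Issuing-CA' # hypothetical "<host>\<CA name>"; certutil -dump lists yours

# Step 3: submit the CSR against the ADPasswordless template.
# -config names the CA explicitly so the CA picker dialog from step 3.6 does not appear.
certreq -config $CaConfig -attrib "CertificateTemplate:ADPasswordless" -submit $CsrPath $CertPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Check the issued certificate before it becomes trusted domain-wide:
# it must be a CA certificate (Basic Constraints cA=true) and carry both EKUs.
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
$basic   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

$required = @{
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
}
foreach ($name in $required.Keys) {
    if ($ekuOids -notcontains $required[$name]) {
        throw "Issued certificate lacks the '$name' application policy; re-check the template's Extensions tab"
    }
}
if (-not $basic -or -not $basic.CertificateAuthority) {
    throw "Issued certificate is not a CA certificate; the template must be duplicated from Subordinate Certification Authority"
}
"Subject: $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Valid until: $($cert.NotAfter)"

# Step 4: import into the local machine's Trusted Root Certification Authorities store
# (the same result as the Certificate Import Wizard steps).
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Step 5: publish to the NTAuthCertificates object so domain controllers accept logons that chain to it.
certutil -dspublish -f $CertPath NTAuthCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# Confirm the publication: the thumbprint printed above should be listed in the enterprise NTAuth store.
certutil -enterprise -store NTAuth
```

The EKU and Basic Constraints checks matter because a certificate issued from the wrong template still submits and imports without error; the failure only shows up later when passwordless logons are rejected, or, worse, when a non-CA certificate has been published to NTAuth. The final `certutil -enterprise -store NTAuth` listing may lag on other domain controllers until AD replication and group policy refresh have completed, which is the distribution the closing paragraph refers to.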

After you upload the certificate, Advanced Server Access checks the validity of the certificate file. If the certificate is valid, teams can add the certificate to new or existing AD connections. Teams must still distribute the certificate to domain controllers and member servers using a group policy.

Next Steps