Create a certificate with a certificate signing request
A certificate signing request (CSR) includes information needed to create a subordinate Certificate Authority (CA) within an Active Directory domain.
Teams must create the CSR in Advanced Server Access and sign it with an Active Directory domain. Teams can then upload the signed certificate to Advanced Server Access and associate the certificate with one or more Active Directory connections. Some of the following steps can differ depending on your specific Active Directory environment.
Before you begin
- Install Active Directory Certificate Services as a root CA for the domain. See Install the Certification Authority.
Start this task
- Create a CSR in Advanced Server Access.
- Open the Advanced Server Access dashboard.
- In the user menu, click Team Settings.
- Go to the Passwordless Certificates tab.
- Click Create > Certificate Signing Request.
- In the Create Certificate Signing Request window, configure the certificate settings.
- Click Create Certificate Signing Request.
Your device downloads the CSR. Move this file to an Active Directory domain controller.
- Create a certificate template on an Active Directory Certificate Services (CS) server.
- Open the Certification Authority.
- Right-click Certificate Templates and select Manage. The Certificate Templates Console window opens.
- Right-click Subordinate Certification Authority and select Duplicate Template. A properties window opens.
- In the General tab, under Template Display Name, enter ADPasswordless.
- In the Extensions tab, select Application Policy and then click Edit. The Edit Application Policies Extension window opens.
- Click Add. The Add Application Policy window opens.
- Select Smart Card Logon and Client Authentication, then click OK.
- In the Edit Application Policies Extension window, click OK.
- Issue a certificate.
- Return to the Certification Authority.
- Right-click Certificate Templates and go to New > Certificate Template to Issue.
- From the Enable Certificate Templates window, select the certificate template you created and click OK.
- Open a command prompt as an administrator.
- Go to the directory where you stored the CSR and enter the following command:
certreq -attrib "CertificateTemplate:ADPasswordless" -submit "YOUR_TEAM_CSR" "YOUR_SAVED_CERT"
- From the confirmation window, select the related CA and click OK.
The Active Directory CS service issues a certificate and saves a certificate file with Base-64 encoding.
- Import the certificate to the Trusted Root Certification Authorities store.
- Double-click the issued certificate.
- From the certificate window, click Install Certificate.
- From the Certificate Import Wizard window, click Next.
- Select Place all certificates in the following store and click Browse.
- From the browse window, select Trusted Root Certification Authorities and click OK.
- Click Next.
- Review the information and click Finish.
Active Directory imports the certificate.
- Import the certificate into Active Directory.
- In a command prompt, go to the directory where you stored the certificate.
- Add the certificate to the registry.
certutil -enterprise -addstore NTAuth SIGNED_CERT.crt
Optional. This step is for troubleshooting purposes only.
View the NTAuth store.
certutil -enterprise -viewstore NTAuth
Remove a certificate from the NTAuth store.
certutil -enterprise -viewdelstore NTAuth
- Upload the signed certificate to Advanced Server Access.
- Return to the Passwordless Certificates tab in Advanced Server Access dashboard.
- Identify the created certificate record.
- Click > Upload certificate.
- In the Upload Certificate window, click Browse files.
- In the file explorer window, locate the issued certificate file.
- In the Upload Certificate window, click Upload.
After you upload the certificate, Advanced Server Access checks the validity of the certificate file. If the certificate is valid, teams can add the certificate to new or existing Active Directory connections. Teams must still distribute the certificate to domain controllers and member servers using a group policy.