Simplify SSL Setup for Webservers with a Windows CA

Mike Becker

Mission Objective

Secure web servers with SSL certs from a Windows Certificate Authority. Automate issuance and renewal. Neutralize manual config overhead.

Gear Check

  • Windows CA: Enterprise CA operational, root trusted.

  • Web Server: Windows-based (IIS), domain-joined.

  • PowerShell: Admin rights, CertificatePS module (Install-Module CertificatePS).

  • Permissions: CA template access for requesting certs.

The Play

Request and bind the cert with this PowerShell strike:

# Requires the CertificatePS module from Gear Check for the request cmdlets
# and the built-in WebAdministration module for the IIS binding cmdlets.
Import-Module WebAdministration

# Define CSR Properties
$CSRProps = @{
    Subject         = "CN=webserver.domain.com"
    KeyLength       = 2048
    KeyAlgorithm    = "RSA"
    HashAlgorithm   = "SHA256"
    FriendlyName    = "WebServerCert"
    NotAfter        = (Get-Date).AddYears(2)   # the CA still caps validity at the template's Validity period
}

# Generate CSR and Request Cert
$CSR  = New-CertificateRequest @CSRProps
$Cert = Submit-CertificateRequest -CSR $CSR -CA "CA-Server.domain.com\CA-Name" -Template "WebServerCustom"

# Install Cert to Local Store
Import-Certificate -FilePath $Cert.FilePath -CertStoreLocation "Cert:\LocalMachine\My"

# Bind to IIS: create the https binding once, then attach the certificate to it
if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https)) {
    New-WebBinding -Name "Default Web Site" -IPAddress "*" -Port 443 -Protocol https
}
# Pick the newest cert with this friendly name in case an older one is still in the store
$CertObj = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object { $_.FriendlyName -eq "WebServerCert" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$CertThumbprint = $CertObj.Thumbprint
# The IIS:\SslBindings provider expects the certificate object, not the bare thumbprint string
New-Item -Path "IIS:\SslBindings\0.0.0.0!443" -Value $CertObj

Execution

  • Step 1—Template Config: On the CA server, open Certificate Templates MMC (certtmpl.msc). Duplicate “Web Server” template, name it WebServerCustom. Set: Subject Name = Supplied in Request, Key Usage = Digital Signature + Key Encipherment, Application Policies = Server Authentication. Enable “Allow private key to be exported.” Publish to CA (certsrv.msc, right-click Certificate Templates, New, select WebServerCustom).

  • Step 2—Prep: Install CertificatePS (Install-Module CertificatePS). Confirm CA and web server are domain-joined.

  • Step 3—Deploy: Run the script—update webserver.domain.com and CA-Server.domain.com\CA-Name for your targets. Script requests, installs, and binds in one pass.

  • Step 4—Lock: Restart IIS (iisreset) to seal the deal.

  • Verify: Hit https://webserver.domain.com—no cert errors.
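The same request-to-binding pass, written here as an added example rather than the post's own script: it uses the built-in Get-Certificate cmdlet (PKI module, Windows Server 2012 and later) against the domain's enrollment policy instead of the CertificatePS module, so it needs nothing installed beyond the WebAdministration module. The hostname, site name and threshold values are assumptions; the WebServerCustom template name is the one from Step 1, and its permissions must grant Enroll to the web server's computer account. Note that it puts the FQDN into the Subject Alternative Name extension with -DnsName, because modern browsers ignore the Subject CN and reject a server cert without a matching SAN; it also checks the Server Authentication EKU before binding, which is where a wrongly configured template shows up.

```powershell
# Added example (not the post's script): enrol from the enterprise CA with the
# built-in Get-Certificate cmdlet, verify the issued cert, then bind it in IIS.
# Assumed values: $Fqdn, $Site; template name WebServerCustom comes from Step 1.
#Requires -RunAsAdministrator
Import-Module PKI               # Get-Certificate
Import-Module WebAdministration # New-WebBinding, Get-WebBinding, IIS:\SslBindings

$Fqdn     = "webserver.domain.com"   # assumed hostname
$Template = "WebServerCustom"        # template published in Step 1
$Site     = "Default Web Site"       # assumed IIS site name
$SslPath  = "IIS:\SslBindings\0.0.0.0!443"

# 1. Request through the domain enrollment policy (-Url ldap:) as the computer account.
#    -DnsName adds the FQDN as a SAN entry; the key is generated in the machine store
#    and is exportable only if the template allows it.
$Result = Get-Certificate -Template $Template `
                          -SubjectName "CN=$Fqdn" `
                          -DnsName $Fqdn `
                          -CertStoreLocation "Cert:\LocalMachine\My" `
                          -Url "ldap:"

if ($Result.Status -ne "Issued") {
    # "Pending" means the template requires CA manager approval; resume later with
    # Get-Certificate -Request on the entry left in Cert:\LocalMachine\Request.
    throw "Enrollment did not complete: status $($Result.Status)"
}
$Cert = $Result.Certificate

# 2. Sanity-check the issued certificate before binding it.
$Eku = $Cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"
if (-not ($Eku -and ($Eku.EnhancedKeyUsages.Value -contains $ServerAuthOid))) {
    throw "Certificate lacks the Server Authentication EKU; check the template's Application Policies."
}
if (-not $Cert.HasPrivateKey) { throw "No private key is associated with the issued certificate." }

# 3. Create the https binding once, then attach the certificate object (not the
#    thumbprint string) to the SSL binding for all addresses on port 443.
if (-not (Get-WebBinding -Name $Site -Protocol https)) {
    New-WebBinding -Name $Site -IPAddress "*" -Port 443 -Protocol https
}
if (Test-Path $SslPath) {
    Remove-Item $SslPath    # replace whatever cert was bound before
}
$Cert | New-Item $SslPath | Out-Null

"Bound $($Cert.Thumbprint) (expires $($Cert.NotAfter.ToShortDateString())) to $Site on port 443"
```

Run it once from an elevated PowerShell on the domain-joined web server; if the template's issuance requirements include CA manager approval the script stops at the Pending status rather than binding nothing, and the request can be completed later from the Request store.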

Mission Value

Windows CA pumps out trusted SSL certs via a custom template, PowerShell slams through request-to-binding. No third-party fees, no manual slog—web servers secured, ops lean.

Field Notes

CSR rejected? Check template perms or CA name (Get-CACAuthorityInformation). Binding off? Verify thumbprint or IIS site name. Auto-renew option: Script Get-Certificate on a schedule. Intel—I’m on station.
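The scheduled auto-renew mentioned above, as an added example that is not from the post. Autoenrollment alone is not enough for IIS, because the SSL binding points at one thumbprint and a renewed cert gets a new one, so the script reads the cert currently bound on port 443, checks it (chain builds against the machine trust store, SAN still covers the hostname, days remaining), and only when something is wrong or fewer than $RenewDays remain does it re-enrol with Get-Certificate and rebind. Hostname, template name, threshold and the script path are assumptions.

```powershell
# Added example (not from the post): renewal check for the cert bound on 0.0.0.0:443.
# Save as C:\Scripts\Renew-WebCert.ps1 (assumed path) and run it daily as SYSTEM.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Fqdn      = "webserver.domain.com"   # assumed hostname
$Template  = "WebServerCustom"        # template from Step 1
$SslPath   = "IIS:\SslBindings\0.0.0.0!443"
$RenewDays = 30                       # assumed renewal window

# Resolve the bound certificate; both calls fail loudly if the binding or cert is missing,
# which is the "Binding off?" case from the field notes.
$Binding = Get-Item $SslPath -ErrorAction Stop
$Cert    = Get-Item "Cert:\LocalMachine\My\$($Binding.Thumbprint)" -ErrorAction Stop

# Verify() builds and validates the chain against the local trust store, so an
# untrusted CA root or a revoked cert is reported here rather than by the browser.
$ChainOk  = $Cert.Verify()
$SanOk    = $Cert.DnsNameList.Unicode -contains $Fqdn
$DaysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays

$Problems = @()
if (-not $ChainOk)   { $Problems += "chain does not validate" }
if (-not $SanOk)     { $Problems += "SAN does not include $Fqdn" }
if ($DaysLeft -lt 0) { $Problems += "expired $(-$DaysLeft) day(s) ago" }
if ($Problems) {
    Write-Warning ("Bound cert $($Cert.Thumbprint): " + ($Problems -join "; "))
}

if ($DaysLeft -lt $RenewDays -or -not $ChainOk -or -not $SanOk) {
    $Result = Get-Certificate -Template $Template -SubjectName "CN=$Fqdn" -DnsName $Fqdn `
                              -CertStoreLocation "Cert:\LocalMachine\My" -Url "ldap:"
    if ($Result.Status -ne "Issued") { throw "Renewal not issued: status $($Result.Status)" }

    # Swap the binding to the new certificate object; the old cert stays in the store
    # until you remove it, so a rollback is a one-line rebind.
    Remove-Item $SslPath
    $Result.Certificate | New-Item $SslPath | Out-Null
    "Renewed: $($Cert.Thumbprint) -> $($Result.Certificate.Thumbprint)"
} else {
    "OK: $DaysLeft day(s) left on $($Cert.Thumbprint)"
}
```

To schedule it, register a daily task running `powershell.exe -NoProfile -File C:\Scripts\Renew-WebCert.ps1` as SYSTEM with Register-ScheduledTask; the computer account then performs the enrollment, which is why the template's Enroll permission has to cover the web server's machine account rather than an admin user.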
