
Get a Wildcard SSL Certificate for Your Website - DZone Security

source link: https://dzone.com/articles/getting-wildcard-certificate-for-your-app-at-no-co

Getting a Wildcard SSL Certificate for Your Website at No Cost

Getting a certificate for a lower environment can be difficult due to cost. Learn how to get a free wildcard certificate and configure it with your website.

Oct. 15, 21 · Security Zone · Tutorial


When you work on a software deployment project, you deploy code to multiple environments and test it. Often you test the site over HTTP but not over HTTPS. Why? Because you need an additional certificate for it. Getting a certificate for a lower environment can be difficult because of cost, but there is a way to get a wildcard certificate and configure it with your website.

You can implement a PKI solution by using the AD CS Windows Server role. 

PKI (Public Key Infrastructure) is the combination of software, encryption technologies, processes, and services that enables an organization to secure its data, communications, and business transactions. PKI relies on the exchange of digital certificates between authenticated users and trusted resources. You use certificates to secure data and to manage identification credentials from users and computers both within and outside of your organization.

The AD CS Windows Server role enables scenarios such as secure wireless networks, virtual private networks, Internet Protocol security, Network Access Protection, and Encrypting File System.

Today we are going to see how to generate a wildcard certificate. There are two ways: one is to generate it by using IIS with the internal CA, and the other is to create it by using MMC with the internal CA. Let's look at these one at a time:

Prerequisites:

1. AD and DNS servers are pre-installed on Windows Server 2012 or a later version.

2. The AD CS role is installed (CA + CA Web Enrollment) on a standalone Windows Server 2012 or later version.

Deployment Steps

1st Method:

1. Log in to the application server, open the IIS console, and click Server Certificates under the server name:

Server Certificates

2. Create a domain certificate as shown below.

Create a domain certificate

3. Select Certification Authority and give it a friendly name.

Online Certification Authority

4. Validate the certificate.

Validate the certificate

5. Bind the certificate to your website. Select the default website, click Bind, choose the type HTTPS, and then select the wildcard certificate you created.

Bind the certificate on your website

6. Create an alias entry on the DNS server that points to the app server where you installed the certificate.

Make alias entry on DNS server

7. Now you can browse the site over HTTPS. When you click the lock icon in the browser, you see the valid certificate issued by the internal CA.

Browse the site on HTTPS

Valid certificate issued by the internal CA

2nd Method: 

1. Log in to the application server, open MMC, and add the Certificates snap-in.

Add/Remove Snap-in

Add Certificate

2. Next, select the computer account for certificate management and then select the local computer to open the console.

Select a computer account for certificate management

3. Right-click the Certificates folder, which is found under the Personal folder. Select All Tasks > Advanced Operations > Create Custom Request:

Create custom request

4. On the Certificate Enrollment page, select Custom Request > Proceed without enrollment policy, and then select Next.

Proceed without enrollment policy

5. On the Custom Request page, select (No template) Legacy key from the drop-down and then select Next.

(No template) Legacy key

6. On the Certificate Information page, expand the Details link, then select the Properties button.

Certificate Information Properties

7. On the General tab, complete the Friendly name field; optionally, add a description for the certificate. Then fill in the subject information: the common name for the wildcard certificate (*.sagarcloud.com), OU, Organization, State, and Country.

Certificate Properties General Subject

8. Select the Extensions tab. Under Key usage, select Digital signature and Key encipherment.

Digital and Key encipherment

9. On the Private Key tab, set the key size to 4096 and select the option "Make private key exportable."

Make private key exportable

10. Click OK, Next, and Finish. Save the request file on a local drive. You have now created a certificate request. The next step is to generate the certificate.

11. Log in to the CA server, browse to your internal CA web enrollment page (http://localhost/certsrv/Default.asp), and click Request a certificate.

Request a certificate

12. Click Advanced certificate request:

Advanced certificate request

13. Open the previously created request file in Notepad (refer to step #10), copy all the data, and paste it into the Saved Request box. Select Web Server as the template and click Submit.

Copied data in saved request box

14. Once it is done, the page offers the certificate for download. Select Base 64 encoded and download the certificate. Copy the certificate to the client machine where you raised the certificate request.

Select Base 64 encoded and download certificate

15. Connect to the client machine and open MMC. Right-click the Certificates folder in the Personal store and select Import to import the certificate.

Import the certificate

Certificate Import Wizard File name

Certificate Import Wizard successful import

Once you have performed all the above steps successfully, open the certificate and you should have a valid wildcard certificate.
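The 2nd method can also be scripted with `certreq.exe`, which makes the request settings reviewable and repeatable. This is an added example, not part of the original article: the CA config string, working folder, and friendly name are placeholders, and the Subject Alternative Name entry goes beyond the GUI steps because current browsers match host names against the SAN rather than the common name.

```powershell
# Added example: certreq.exe equivalent of Method 2. Run elevated on the application server.
# Assumptions: $CaConfig and $WorkDir are placeholders; WebServer is the built-in "Web Server" template.
$CaConfig = 'CA-HOST.example.internal\Example-Issuing-CA'   # placeholder "host\CA name"
$WorkDir  = 'C:\certreq-wildcard'                            # placeholder working folder
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Steps 3-9 as a request policy file. KeyUsage 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20).
# The here-string is single-quoted so that $Windows NT$ is written literally.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=*.sagarcloud.com"
FriendlyName = "Wildcard sagarcloud.com"
KeyLength = 4096
KeyUsage = 0xA0
; Mirrors step 9. FALSE keeps the key from being exported when the certificate stays on this server.
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
; Subject Alternative Name (not set in the GUI steps above)
2.5.29.17 = "{text}"
_continue_ = "dns=*.sagarcloud.com"
'@ | Set-Content -Path "$WorkDir\wildcard.inf" -Encoding ASCII

# Step 10: generate the key pair and the PKCS#10 request file.
certreq.exe -new "$WorkDir\wildcard.inf" "$WorkDir\wildcard.req"
# Steps 11-14: submit the request to the internal CA and save the issued certificate.
certreq.exe -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' "$WorkDir\wildcard.req" "$WorkDir\wildcard.cer"
# Step 15: install the certificate and pair it with the pending private key in the machine store.
certreq.exe -accept -machine "$WorkDir\wildcard.cer"

# Confirm what was installed: subject, issuer, expiry, private key, key size, and SAN entries.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=*.sagarcloud.com' } |
    Select-Object Subject, Issuer, NotAfter, HasPrivateKey,
        @{ n = 'KeyBits';  e = { [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_).KeySize } },
        @{ n = 'DnsNames'; e = { $_.DnsNameList.Unicode -join ', ' } }
```

The final check should show `HasPrivateKey` as `True`, `KeyBits` as 4096, and the internal CA as the issuer; a certificate with `HasPrivateKey` set to `False` cannot be bound in IIS.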

Let me know your thoughts about this article. If you want to know how to install the AD CS role (CA + CA Web Enrollment), leave a comment and I will cover it in the next article.

