For lab environments or internal web servers, it’s not necessary to use a certificate from a public Certificate Authority. Instead, you can use certificates issued by your own Windows Certificate Authority. All workstations and servers joined to the domain will trust these certificates. If you import the root certificate of the Windows Certificate Authority, standalone servers, workstations, and Linux servers will also trust these certificates.
This post provides guidance on setting up the Windows Certificate Authority infrastructure and creating new certificates with it.
To install the Windows CA on a Windows server, you can execute the following PowerShell commands:
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
Before running these commands, you must meet the following prerequisites:
The following one-time steps are required before you can create a certificate:
1. Duplicate the web server certificate template, ensuring that the “Allow private key to be exported” option is enabled. This is necessary because the default web server certificate template does not have this option enabled.
2. Export the root certificate of the CA and import it into the trusted root store on every standalone workstation and server that will use the newly created certificates (domain-joined machines receive the root automatically via Group Policy).
These steps are required to create a new certificate:
To properly configure the certificate for a website, it is essential to provide at least the following information for the certificate:
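The full flow (request from the domain CA, verify the issued certificate, export the PFX and the CA root) as an added PowerShell example; it is not code from the original post. It assumes a domain-joined machine that can reach the Enterprise CA, a duplicated exportable template named "WebServerExportable" (a hypothetical name; substitute your own), and the placeholder host name and output directory shown.

```powershell
# Added example, not part of the original post. Assumes: a domain-joined machine that can
# reach the Enterprise CA, a duplicated exportable template whose name is
# "WebServerExportable" (hypothetical), and the placeholder host name / paths below.
$template = 'WebServerExportable'
$fqdn     = 'web01.lab.local'          # placeholder
$outDir   = 'C:\certs'                 # placeholder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Request the certificate from the domain CA (enrollment policy located via LDAP).
#    Put the host name in the SAN list: clients validate the SAN, not just the CN.
$req = Get-Certificate -Template $template -SubjectName "CN=$fqdn" -DnsName $fqdn `
       -CertStoreLocation 'Cert:\LocalMachine\My' -Url 'ldap:'
if ($req.Status -ne 'Issued') { throw "Enrollment not completed, status: $($req.Status)" }
$cert = $req.Certificate

# 2. Check the result before deploying it: the chain builds to a trusted root, the SSL
#    policy (Server Authentication EKU, validity period) passes, and the name matches.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn)) {
    throw "Issued certificate fails SSL validation for $fqdn"
}
if (-not $cert.HasPrivateKey) { throw 'No private key present in the machine store' }

# 3. Export key + certificate as PFX for non-domain servers (IIS, Linux reverse proxies).
#    This only succeeds because the duplicated template allows private-key export.
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$outDir\$fqdn.pfx" -Password $pfxPass `
    -ChainOption BuildChain | Out-Null

# 4. Export the CA root (public part only) for standalone machines. Walk the chain
#    instead of guessing the root's subject name.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.Build($cert) | Out-Null
$rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Export-Certificate -Cert $rootCert -FilePath "$outDir\lab-root.cer" | Out-Null

# On each standalone Windows host, import that root once so the issued certs are trusted:
#   Import-Certificate -FilePath .\lab-root.cer -CertStoreLocation Cert:\LocalMachine\Root
```

Treat the exported PFX and its password like any other credential; the CA root .cer contains no private key and can be distributed freely.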
Sometimes, it is necessary to split a certificate in PFX format into its private key and certificate/public key parts. This can be done using OpenSSL. You can download OpenSSL for Windows from https://slproweb.com/products/Win32OpenSSL.html.
Get the file with the private key (open the Win64 OpenSSL command prompt to execute these commands). Note that -nodes writes the key to disk unencrypted, so restrict access to private.key or omit -nodes to keep a passphrase on it:
openssl pkcs12 -in <file.pfx> -nocerts -nodes -out private.key
Get the file with the certificate and public key:
openssl pkcs12 -in <file.pfx> -nokeys -clcerts -out certificate.pem
With the proper preparation, setting up your own Certification Authority in Windows is straightforward, and it makes deploying certificates for internal services and lab environments easy. This provides encrypted, authenticated communication within the internal infrastructure and lab at no cost.