You must obtain two certificates from a trusted Windows-based certification authority: one for the computer running the Password Manager Service (the server computer), and one for the computers running the Self-Service or Helpdesk Site (the client computers).
When obtaining certificates, make sure that:
- The server computer can be accessed from the client computers by using the server certificate CN. The CN must be the host name the client computers actually use to reach the server; a certificate issued for a different name will not validate, even if it is otherwise correct.
- Both is selected as the key usage in the certificate request, so that the key can be used for both signing and key exchange.
- The Enable strong private key protection option is NOT selected in the certificate request. Strong private key protection prompts for confirmation in an interactive session each time the key is used; the Password Manager Service and the application pool run non-interactively and cannot answer that prompt.
The following is a sample procedure describing how to obtain a certificate through the Windows Server 2012 Certificate Services Web interface.
IMPORTANT: Web enrollment installs the issued certificate and its private key into the personal store of the account that runs the browser. When obtaining a certificate for the server computer, therefore, perform the following procedure on the computer where the Password Manager Service runs and use the Password Manager Service account to run a supported web browser.
When obtaining a certificate for the client computers, perform the following procedure on a computer running the Self-Service or Helpdesk Site and use the Application Pool Identity account to run a supported web browser.
To request a certificate using Windows 2012 Certificate Services Web Interface
- Use a browser to open https://servername/certsrv, where servername is the name of the web server running Windows Server 2012 on which the certification authority you want to access is located.
- On the Welcome page, click Request a certificate.
- On the Request a Certificate page, click Advanced Certificate Request.
- On the Advanced Certificate Request page, click Create and submit a certificate request to this CA.
- Provide identification information as required. In the Name field, enter the name of the server for which you are requesting the certificate (this becomes the certificate CN, so use the name the client computers will connect to).
- In Type of Certificate Needed, select Server Authentication Certificate.
- In Key Options, select Create new key set, and specify the following options:
  - In CSP (Cryptographic service provider), select Microsoft Enhanced RSA and AES Cryptographic Provider.
  - In Key Usage, click Both.
  - In Key Size, set 2048 or more. (1024-bit RSA keys are deprecated and are rejected by current CAs and browsers; do not go below 2048 even if the page accepts it.)
  - Select Automatic key container name.
  - Select Mark keys as exportable. If you later export the key to a .pfx file, protect the file with a strong password and delete it once it has been imported where it is needed.
  - Clear Enable strong private key protection.
- In Additional Options, specify the following:
  - In Request Format, select CMC.
  - In Hash Algorithm, select sha256.
  - Do not select the Save request check box.
  - Specify attributes if necessary, and a friendly name for your request.
- Click Submit.
- If you see the Certificate Issued page, click Install this certificate. If your request must first be approved by a CA administrator, wait for the approval, return to https://servername/certsrv, click View the status of a pending certificate request, and then install the issued certificate.
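The same request can be produced from the command line with certreq.exe instead of the certsrv web pages, which makes the chosen options reviewable and repeatable and lets you verify afterwards that the issued certificate really has the key usage, key size, exportability and CN the procedure calls for. The script below is an added example written for this page; it is not part of the product or of the original documentation. The server name, CA configuration string, port and certificate template name are assumptions that you must replace with your own values (run certutil -dump on a domain member to find the CA configuration string). Run it under the same account the IMPORTANT note names, because MachineKeySet = FALSE puts the key into that account's personal store, exactly as web enrollment does.

```powershell
# Added example (not from the original page or the product): request a server
# authentication certificate with certreq.exe using the same options as the web
# enrollment procedure, then verify the result. Assumed values:
#   $Cn       - host name clients use to reach the server (becomes the CN)
#   $CaConfig - "<CA host>\<CA name>" from: certutil -dump
#   $Port     - port the clients connect to; match your site binding
param(
    [string]$Cn       = 'pmserver.corp.example.com',
    [string]$CaConfig = 'ca01.corp.example.com\Corp-Issuing-CA',
    [int]$Port        = 443
)
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'pm-certreq'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'

# Each INF key mirrors one option from the procedure:
#   KeySpec = 1 (AT_KEYEXCHANGE) + KeyUsage 0xa0 -> Key Usage "Both"
#   KeyLength = 2048                             -> Key Size
#   Exportable = TRUE                            -> Mark keys as exportable
#   ProviderName / ProviderType = 24             -> Microsoft Enhanced RSA and AES CSP
#   RequestType = CMC, HashAlgorithm = sha256    -> Additional Options
# Strong private key protection is not requested (no KeyProtection line).
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Cn"
FriendlyName = "Password Manager $Cn"
KeySpec = 1
KeyUsage = 0xa0
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
HashAlgorithm = sha256
RequestType = CMC

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Cn&"

[RequestAttributes]
CertificateTemplate = WebServer ; assumption: the CA publishes this template
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair and the CMC request.
certreq.exe -new -q $inf $req

# 2. Submit to the CA. Output contains "RequestId: N" and Issued or Pending.
$submit = certreq.exe -submit -q -config $CaConfig $req $cer
Write-Host ($submit -join "`n")
if ($submit -match 'pending') {
    # Administrator approval required: retrieve with the RequestId later, then accept.
    $id = [regex]::Match(($submit -join ' '), 'RequestId:\s*(\d+)').Groups[1].Value
    Write-Host "Request $id is pending; after approval run:"
    Write-Host "  certreq -retrieve -config `"$CaConfig`" $id `"$cer`"; certreq -accept `"$cer`""
    return
}

# 3. Bind the issued certificate to its private key in the current user's store.
certreq.exe -accept -q $cer

# 4. Verify the options the procedure insists on (Windows PowerShell 5.1; for a
#    legacy CSP key, PrivateKey exposes CspKeyContainerInfo).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$Cn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$csp = $cert.PrivateKey.CspKeyContainerInfo
$ku  = ($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey                   # expect True
    Exportable    = $csp.Exportable                       # expect True
    KeySpec       = $csp.KeyNumber                        # expect Exchange ("Both")
    KeyBits       = $cert.PublicKey.Key.KeySize           # expect 2048
    KeyUsage      = $ku                                   # expect DigitalSignature, KeyEncipherment
    SigAlgorithm  = $cert.SignatureAlgorithm.FriendlyName # expect sha256RSA
    # First check from the page: the server must be reachable by the certificate CN.
    CnResolves    = [bool](Resolve-DnsName -Name $Cn -ErrorAction SilentlyContinue)
    CnReachable   = Test-NetConnection -ComputerName $Cn -Port $Port -InformationLevel Quiet
}
```

Run the reachability part (the last two fields) from a client computer rather than from the server itself, since the point of the first check is that clients, not the server, can resolve and connect to the CN. If KeySpec comes back as Signature, or Exportable as False, the request was not built as the procedure requires; delete the certificate and request again rather than trying to repair it in place.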