Sign a Certificate with Microsoft CA

Although you can create a self-signed certificate with Firebox System Manager or other tools, you can also create a certificate with the Microsoft Certificate Authority (CA).

For authentication, each certificate signing request (CSR) must be signed by a certificate authority (CA) before it can be used. When you create a certificate with this procedure, you act as the CA and digitally sign your own CSR. For compatibility reasons, however, we recommend that you instead send your CSR to a widely known CA. The root certificates for these organizations are installed by default with most major Internet browsers and Fireboxes, so you do not have to distribute the root certificates yourself.

For HTTPS Proxy or SMTP Proxy content inspection of traffic outbound from your clients to external sites, we recommend you use your internal CA to sign the request because you must create a CA certificate that can re-sign other certificates. If you create a CSR with Firebox System Manager and have it signed by a prominent CA, it cannot be used as a CA certificate.

You can use most Windows Server operating systems to complete a CSR and create a certificate.

Send the Certificate Request

  1. In your web browser address bar, type the IP address of the server where the Certification Authority is installed, followed by certsrv.
    For example:
  2. Click the Request a Certificate link.
  3. Click the Advanced certificate request link.
  4. Click Submit a certificate.
  5. Paste the contents of your CSR file into the Saved Request text box.
  6. For content inspection certificates for outbound traffic, from the Certificate Template drop-down list, select Subordinate Certification Authority.
  7. Click Submit.

Issue the Certificate

This an optional step. You do not need to issue the certificate if your server has web enrollment or auto-enrollment enabled.

  1. Connect to the server where the Certification Authority is installed, if necessary.
  2. Select Start > Control Panel > Administrative Tools > Certification Authority.
  3. In the Certification Authority (Local) tree, select Your Domain Name > Pending Requests.
  4. Select the CSR in the right navigation pane.
  5. In the Action menu, select All Tasks > Issue.
  6. Close the Certification Authority window.

Download the Certificate

  1. In your web browser address bar, type the IP address of the server where the Certification Authority is installed, followed by certsrv.
  2. Click the View the status of a pending certificate request link.
  3. Select the certificate request with the time and date you submitted.
  4. Select the encoding format for the downloaded certificate, such as Base 64 for a PEM certificate.
  5. Click Download CA certificate to save the certificate.

Certification Authority is distributed with Windows Server as a component. If Certification Authority is not installed in the Administrative Tools folder on your server, follow the instructions from the manufacturer to install it.

Related Topics

About Certificates