Issuing Extended Validation (EV) certificates from an Internal Windows CA
OK boys and girls, it's time for some fun with certificates issued by an internal Windows CA. As the title says, we are going to issue EV (Extended Validation) certificates from our internal CA. Yes, it can be done with Windows Server 2008 R2. Using EV certificates on your web sites does not make them any more secure, but sometimes it is just so cool to have that green bar in IE.
To follow along you need a Domain Controller, a Web server, and a client. If you don't have a client, that's OK, you can test from the Domain Controller, but I want to make it as real as possible. The servers are all running Windows Server 2008 R2, and the client is running Windows 7. On the Domain Controller I have already installed the Active Directory Certificate Services role as an Enterprise Root Certification Authority, and the Web server and the client are joined to the domain. You need at least Internet Explorer 8 for this to work. Now that we have our lab in place, let's start working, or for some of us…let's have fun.
Update: since 2018, when Google enforced so-called Certificate Transparency in its browser and the rest of the browser vendors followed, the Extended Validation setup discussed in this article no longer works. There will be no more green bar, because all browsers now check whether the certificate, public or private, is part of a Certificate Transparency log.
Open the Certificate Templates MMC using Start > Run > certtmpl.msc. Find the Web Server template, right-click it and choose Duplicate Template.
Here you can either pick Windows Server 2003 Enterprise, to create a version 2 certificate template, or the second option to create a version 3 template. We are going with the second option, so select the Windows Server 2008 Enterprise radio button and click OK.
Type a name for the certificate template and change the validity period if you don't want the default one.
Go to the Extensions tab, and here click on the Issuance Policies extension, then hit the Edit button.
Since we don't have any Issuance Policy yet, we need to add one by clicking the Add button.
As you can see there are some default Issuance Policies already present, but we need to create a new one for our EV certificate to work. Click the New button.
Give the new Issuance Policy a name and, optionally, type a CPS location. CPS stands for Certification Practice Statement, a document that describes the organization's certificate practices and security policy. At the bottom we have the OID (Object Identifier), which is very important: copy the OID, because we need it later. Click OK when you're done.
On the Add Issuance Policy window make sure that the new policy is selected, and click OK.
The Issuance Policies description should now look similar to mine.
Go to the Security tab, because we need to set the right permissions for the Web server to be able to request this type of certificate. Click the Add button.
In the object names box type the name of your Web server, and make sure that Computers is selected under Object Types.
Once the server is in the ACL (Access Control List), check the Allow box for the Enroll permission. Click OK to create the template.
Now we need to publish this template on the Enterprise CA. Go to Administrative Tools > Certification Authority, expand your Root CA, right-click Certificate Templates and choose New > Certificate Template to Issue.
From the list select the certificate we just created and click OK.
Before we continue, we need to export the root certificate; it is needed for the next section. Right-click your Enterprise Root CA and choose Properties.
On the General tab click View Certificate.
Once the certificate opens, go to the Details tab and hit the Copy to File button. Follow the wizard using the default settings and save the certificate somewhere on your local hard drive.
Now we need to create a domain Group Policy so that all the clients in the domain know about the new OID. Once the policy is created, navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities. Right-click the folder and choose Import.
Follow the wizard and select the certificate we exported a few seconds ago. Now right-click the certificate and choose Properties.
Go to the Extended Validation tab, and in the Add OID box paste the OID I told you to copy when we created the Issuance Policy. Once you paste the OID click the Add OID button then OK.
Now you can either wait between 90 and 120 minutes for the new policy to be processed by all the clients in the domain, or force the clients to process it. Since I have a small environment I will force the clients by running gpupdate /force. On the Web server open the Certificates MMC console for the Computer account, then right-click the Personal folder and choose All Tasks > Request New Certificate.
On the Request Certificates screen of the wizard, click the Details arrow of the EV certificate, then hit the Properties button, because we need to provide more information for the enrollment to succeed. If you don't see your certificate here, it is because you did not add the Web server computer to the Security ACL of the certificate template.
Here the most important option is the Common Name. Once it is selected, type the FQDN that clients will use to connect to the web site. You will have to add Organization and Country too. Click OK when you are done. If you are wondering why I typed www.vkernel.local instead of the server name, it is because I created a CNAME record in my DNS zone that points to the Web server, so my clients don't have to memorize the name of the server.
In the Certificate Enroll wizard click the Enroll button.
Once the certificate is installed you can see its properties: it has a private key and the Issuance Policy name we created.
Let's test the certificate to see if we get a green bar in IE. Install the certificate on your web site, and from a client (a domain client) browse to the FQDN present in the Common Name of the certificate. And hooray, it works. We did a pretty good job here.
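If the bar stays white, the first thing to check is whether the issued certificate really carries the Issuance Policy OID and whether its chain validates under that policy. The following PowerShell script is an added example, not part of the original post; it assumes the template's OID is pasted into $EvOid and that the enrolled certificate sits in the Web server's LocalMachine\My store under the FQDN used as Common Name.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the Web server.
param(
    [string]$EvOid   = '1.2.3.4.5.6.7.8.9',   # PLACEHOLDER: paste the OID shown in the Issuance Policy dialog
    [string]$Subject = 'www.vkernel.local'    # FQDN typed as the Common Name during enrollment
)

$certPoliciesOid = '2.5.29.32'   # X.509 Certificate Policies extension ("Issuance Policies" in Windows)

# 1. Locate the enrolled certificate: newest one with a private key for the FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match ('CN=' + [regex]::Escape($Subject)) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Subject in LocalMachine\My" }

# 2. Show the Issuance Policies the leaf certificate actually asserts.
$ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $certPoliciesOid }
if (-not $ext) { throw "Certificate $($cert.Thumbprint) has no Certificate Policies extension" }
Write-Host "Issuance policies on $($cert.Thumbprint):"
Write-Host $ext.Format($true)

# 3. Build the chain while *requiring* the EV policy. The leaf must assert the OID and every
#    intermediate CA (if any) must assert it or "All Issuance Policies" (2.5.29.32.0); the
#    self-signed root is the trust anchor and is not policy-checked. The CA enforces the same
#    rule at issuance time, which is what the CERT_E_INVALID_POLICY error refers to.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # lab: no CRL
$null = $chain.ChainPolicy.CertificatePolicy.Add((New-Object System.Security.Cryptography.Oid $EvOid))
$ok = $chain.Build($cert)

for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $el = $chain.ChainElements[$i]
    $p  = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq $certPoliciesOid }
    $policies = if ($p) { $p.Format($false) } else { '(none)' }
    Write-Host ("[{0}] {1}`n    policies: {2}" -f $i, $el.Certificate.Subject, $policies)
}

Write-Host "Chain builds under policy $EvOid : $ok"
if (-not $ok) {
    # A NoIssuanceChainPolicy status pinpoints a missing policy OID somewhere in the chain.
    $chain.ChainStatus | ForEach-Object { Write-Host (" - {0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
}
```

A green bar additionally requires the client to have the OID registered against the root through the GPO step above; this script only confirms the certificate side.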
8 thoughts on “Issuing Extended Validation (EV) certificates from an Internal Windows CA”
I followed your instructions, and when I enroll I receive “STATUS: Request denied” “The certificate has invalid policy.” “Error constructing or publishing certificate Invalid Issuance Policies” “CERT_E_INVALID_POLICY”
In the EV cert template, the CA/web server was given Enroll permission. The Domain Admins and Enterprise Admins have Enroll permission.
The OID was copied and pasted into my Root CA certificate, which is in my Trusted Certificate Authorities in my GPO. The CA/web server had the old root CA cert deleted and a gpupdate /force to update the root CA cert.
There is something misconfigured on the Issuing CA, or the certificate template is not supported. You will have to take a look in the Event Log for more details.
Take a look here and here; maybe it gives you more insight.
I am not getting the green bar
Yes, if you are not using IE you are not going to anymore because Google implemented a new standard in certificates called Certificate Transparency. You can read more about this just by running a small search on Google. The bad part is that you cannot do anything about it.
I followed all steps and my page now shows green bar but it says UNKNOWN [?]:
CA has identified this site as:
Something missing? I generated the CSR with all parameters: OU, C, O, L and CN.
Usually this happens when the EV extension is not working. Did your IE address bar turn green?
Hi and thanks for your weblog
Can I issue EV certificates from a standalone root CA?
Never tried this scenario so I can't say for sure. I don't see a reason why you would use a standalone root CA to issue EV certificates. It just complicates things too much.