Step-by-Step Guide to Enabling SQL Server Encryption: Web Enrollment Site Configuration
Apr 13, 2024Edition: Saturday, April 13th, 2024
Last week, we ended after the initial CA configuration. This week, we'll enable HTTPS for our Web Enrollment site. I'll cover an issue I encountered when using the Edge browser to request a user certificate via Web Enrollment and a workaround. Be warned though, that configuring Edge to work with the site has more steps than actually setting up Web Enrollment to use HTTPS.
If you're following along in your sandbox (I hope you are), create a quick snapshot of your virtual machines.
Let's jump in.
Request the computer certificate
To enable HTTPS, we'll first need to generate a certificate that can be used by Internet Information Services. Before we can generate a certificate, used for Server Authentication, we'll need to make sure the Computer certificate template is available.
Open Server Manager, click Tools, and then Certificate Authority.
Next, click Certificate Templates. Make sure "Computer" is listed as an available template.
Next, click start, type certlm.msc. This will open Certificates Local Machine.
Right-click on Personal, click All Tasks and then click Request New Certificate. The Certificate Enrollment wizard will open.
Click Next and then Next again on the "Select Certificate Enrollment Policy" page.
Select Computer and then Enroll.
Click Finish. Next, we'll configure the Web Enrollment site to use the new certificate.
Enable HTTPS for the Web Enrollment Site
Open Internet Information Services.
Right-click on Default Web Site and click Edit Bindings.
Click Add to add a Site Binding. Under Type, select HTTPS. Select the computer certificate you created in the previous step for the SSL certificate.
Click Ok and then close.
Next, click CertSrv and then double-click SSL Settings.
Check Require SSL and apply the change.
Close Internet Information Services Manager.
Verifying Web Enrollment is using HTTPS
Open Microsoft Edge and navigate to the Web Enrollment site. In my case, I'll use https://ca1.homelab.local/certmgr.
You'll notice since the CA is trusted we don't receive an insecure warning in Edge. Click on Request a certificate and then select User Certificate.
Here, we run into an issue. We can't specify a key strength. When you click submit you'll get an error.
"Your request failed. An error occurred while the server was processing your request."
Turns out, we'll need to open the site using Internet Explorer mode if using Edge. Chrome resulted in the same error. This error is generated because the Edge browser does not support Active X controls.
Let's enable Internet Explorer mode.
Configure Microsoft Edge to use Internet Explorer Mode
With Edge open, click the three dots in the upper right corner and then click Settings.
Type "Internet Explorer Mode" in the settings search box. Click "allow sites to be reloaded in Internet Explorer mode.
Change "Allow sites to be reloaded in Internet Explorer mode (IE mode)" to Allow and then click Restart.
'
Before opening the Web Enrollment site again, it'll need to be added to the trusted sites in Internet Properties.
Open the Web Enrollment site again.
Once open, click the three dots again and select "Reload in Internet Explorer mode." Sign in again if prompted.
Go ahead and enable "Open this page in Internet Explorer mode next time".
Try to generate the user certificate again. You'll see a few warning prompts but in the end, you'll see the certificate is available for download.
Conclusion:
Next week, we'll generate the Certificate Request for SQL Server. If you're following along, you'll need a machine with SQL Server 2022 Developer Edition installed and joined to the same domain as the CA. If you run into issues, no worries, revert to your snapshot and give it another try.
That's it for today. Have a great week!