How to obtain an SSL certificate

Refer to the Microsoft web site for the latest updates to this procedure.

[.NET] Using SSL with ADAM

Obtaining a certificate

How to obtain a server certificate on a Windows 2003 Server. If you already have a certificate, import it into your "Personal store" and skip to the second section on Using the certificate with the ADAM service.

To create a certificate you need to install IIS and Certificate Authority. For information on how to install IIS refer to the Microsoft website. To install a Certificate authority select the Certificate services check box.

Note: IIS should be installed before or at the same time as you install the certificate services.

Once the installation is complete, request a certificate using your browser (address: http://localhost/certsrv):

  1. Click Request a certificate.
  2. Click Advanced certificate request.
  3. Click Create and submit a request to this CA.
  4. In the Name box, type the full DNS name of the server.
  5. Make sure Type of certificate is "Server authentication certificate".
  6. Select PCKS10 as the format.
  7. Optional: Optionally, fill in the other information.
  8. In the Friendly name text box, write the full DNS name of the server.
  9. Click the Submit button.

You have now created a certificate request. To create a certificate we need to process the request:

  1. Open Control Panel > Administrative Tool > Certification Authority.
  2. Browse to the Pending requests folder.
  3. Locate the certificate request, right-click it, and click All tasks\issue.
    The certificate has now been created and resides in the Issued certificates folder.

Download and install the certificate:

  1. Open http://localhost/certsrv.
  2. Click View the status of a pending certificate request.
  3. Click the certificate request.
  4. Click the certificate to install it.

Using the certificate with the ADAM service

To let our ADAM service use the certificate we need to put the certificate in the ADAM service's personal store:

  1. On the Start menu, in Run, type mmc.
    This open the Microsoft Management Console.
  2. Click File > Add/Remove snap-in.
  3. Click Add and select Certificates.
  4. Select Service account.
  5. Select Local computer.
  6. Select your ADAM instance service.
  7. Add a new "Certificate" snap-in, but this time select "My user account" instead of "Service account".
  8. Click Close and OK.
  9. Open the "Personal"-folder under the "Certificates - Current user"-tree.
  10. Select the certificate and copy it into the same location under "Certificates - adam instance name".
  11. Give the ADAM service account read permissions to the key using winhttpcertcfg (best practice) or by browsing to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.
    If these permissions are not set correctly you will get an error in the event log: Schannel ID: 36870 - "A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x6.
  12. Restart your ADAM instance.

Verifying that SSL is working

To verify that SSL is working with ADAM:

  1. Run the ADAM Tools Command Prompt from your ADAM program group.
  2. Type "ldp" and press Enter.
  3. Click Connection > Connect.
  4. Type the DNS name of your server in the server box.
    localhost will not work as the DNS name is checked against the certificate
  5. Enter the SSL port of your ADAM installation (636 or 50001 or whatever you chose during the installation of ADAM).
  6. Select the SSL check box and click OK.
If the installation was successful, you should get a lot of text in the right window and be able to bind using the "Connection \ bind..."-functionality.
If you still get the 8009030e No credentials are available in the security package after the import, or you get an error when importing the keys into the LOCAL_MACHINE\Personal store, check that you/administrators have full access to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. Try importing the certificates directly into both LOCAL_MACHINE\Personal and ADAM\Personal instead of copying them for the Current_user store.