by @chrispanas

Get rid of those annoying self-signed certificates with Microsoft Certificate Services, Part 1

Guillermo Musumeci


If your role includes deploying applications in the data center, such VMware vSphere, vCenter or vRealize, or other applications that uses self-signed certificates, you will suffer annoying messages every time you open the application in your browser, including “Your connection is not private” or “ERR_CERT_AUTHORITY_INVALID”

Your connection is not private error

Also, sometimes you can’t even visit the site, in particular when you receive the mega-annoying HSTS message “You cannot visit server.kopicloud.local right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.”.

Or maybe you receive the lovelyserver.kopicloud.local normally uses encryption to protect your information. When Google Chrome tried to connect to server.kopicloud.local this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be server.kopicloud.local, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.”

Hello? I’m not a fricking hacker! It’s me trying to do my job!!!

In this post, I’m going to show how to configure Certificate Services in Windows Server 2016 or Windows Server 2019 to deploy a Certificate Authority integrated with Active Directory, to replace your self-signed certificates.

This step by step process will take some time, however, it is described in detail, so you can build your certificate servers and start working ASAP.

The heart of the infrastructure component to deploy PKI (public key infrastructure) is the certificate server, and here we have two options: Enterprise CA or Standalone CA. A few differences between both are listed below:

Enterprise CA

It is integrated with Active Directory. The server will use domain services for certificate management, integrates with the directory for naming and authentication, and…



Guillermo Musumeci

Certified AWS, Azure & GCP Architect | HashiCorp Ambassador | Terraform SME | KopiCloud Founder | ex-AWS | Entrepreneur | Book Author | Husband & Dad of ✌