Install a Network Location Server Certificate on the DirectAccess Server

Published: October 7, 2009

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (

A DirectAccess server acting as a network location server must obtain an additional customized Secure Sockets Layer (SSL) certificate using the Web Server certificate template.

To complete these procedures, you must be a member of the local Administrators group, or otherwise be delegated permissions to obtain a customized certificate. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To install a certificate for network location

  1. On the DirectAccess server, click Start, type mmc, and then press ENTER. Click Yes at the User Account Control prompt.

  2. Click File, and then click Add/Remove Snap-ins.

  3. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.

  4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

  5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

  6. Click Next twice.

  7. On the Request Certificates page, click the Web Server certificate template, and then click More information is required to enroll for this certificate.

    If the Web Server certificate template does not appear, ensure that the DirectAccess server computer account has enroll permissions for the Web Server certificate template. For more information, see Configure Permissions on the Web Server Certificate Template.

  8. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common name.

  9. In Value, type the fully qualified domain name (FQDN) for the intranet name of the DirectAccess server (for example,, and then click Add.

  10. Click OK, click Enroll, and then click Finish.

  11. In the details pane of the Certificates snap-in, verify that a new certificate with the FQDN was enrolled with Intended Purposes of Server Authentication.

  12. Right-click the certificate, and then click Properties.

  13. In Friendly Name, type Network Location Certificate, and then click OK.


Steps 14 and 15 are optional, but make it easier for you to select the certificate for network location in Step 3 of the DirectAccess Setup Wizard.

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.