On Tue, Oct 29, 2013 at 3:53 PM, Michael Leone <[email protected]> wrote:
>
> On Tue, Oct 29, 2013 at 2:26 PM, Ken Cornetet <[email protected]> wrote:
>>
>> You are making this WAY too hard. Install certificate services on one of
>> your windows servers. Make it a root CA for the domain. Use IIS management
>> console and/or the “certificates” MMC to request and install certificates.
>> Done.
>
> Nope, don't want a Windows server as a CA. I have a CA that has been working
> for years.
>
> Note that I am NOT speaking about installing certs for IIS. Been doing that
> for years, and it's always worked.
>
> The problem was that the certificate I was issuing for IIS could NOT be
> brought into the "Deployment Options" for RDS; the error was "the specified
> certificate is not valid. The certificate properties must match the
> requirements of the role service."
To put it another way: I have been using this Linux CA (and this config) to issue local certs for years. IIS is always happy with them; they show up as valid; the traffic is always https; etc. The problem was that the properties of the cert that IIS didn't mind were *not* the properties that the RDS Deployment wanted in a cert. So I had to change my Linux CA config to add the properties that RDS wanted. That was the point of this email. :-)

If I knew openssl better, I'm sure I could have changed the config a long time ago, to add any extended key capability that the requesting cert asked for. I hadn't set it up that way (never knew I hadn't), and it has never been an issue, not for any of the certs we've been using internally for the last 3 years.

My post was just a heads up for anyone else issuing their own certs, using openssl, that the cert needs those extended key capabilities for RDS to work. They are not needed for IIS to work, based on the 3 years I've been using my certs correctly without those extended keys. :-)
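As an added illustration of the point above (this is not code from the thread or from any of its participants), the script below signs the same CSR twice with a throw-away OpenSSL CA: once with a bare-bones extension section of the kind an internal CA that only ever fed IIS might have, and once with an extendedKeyUsage line added, then checks which cert actually carries the EKU. It assumes the property RDS insisted on is the Server Authentication EKU, and "Demo Lab CA" and "rds.example.test" are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Shows that a cert signed with
# a typical home-grown OpenSSL extension section has no Extended Key Usage,
# and that one extra line in the CA's extension section adds it.
# Assumptions: the property RDS insisted on is the Server Authentication EKU;
# "rds.example.test" and "Demo Lab CA" are placeholders; everything is throw-away.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throw-away root CA (constructed for this demo, 1-day validity)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Demo Lab CA" -keyout ca.key -out ca.crt 2>/dev/null

# CSR for the RDS host; the CSR itself requests no extensions
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=rds.example.test" -keyout srv.key -out srv.csr 2>/dev/null

# "Before": extension section many long-running internal CAs use.
# IIS accepts such certs; they carry no extendedKeyUsage at all.
cat > before.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF

# "After": same section plus the Server Authentication EKU (and a SAN,
# which newer Windows components also check).
cat > after.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:rds.example.test
EOF

# sign EXTFILE OUTCERT: issue the CSR under the CA with the given extensions.
# (With "openssl ca" the equivalent is the x509_extensions section, or
# copy_extensions = copy to honour what the CSR asks for.)
sign() {
  openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -sha256 -extfile "$1" -out "$2" 2>/dev/null
}

# has_server_auth CERT: succeed only if the cert carries the serverAuth EKU,
# the check worth running before handing a cert to a Windows role service.
has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

sign before.cnf before.crt
sign after.cnf after.crt
# before.crt: no EKU (what RDS rejected); after.crt: serverAuth present
```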

