Using OpenSSL as a root cert is a fine idea, especially with a two-tier infrastructure where you keep the root mostly shut down.

Using a MSFT CA as a secondary is a really good idea - it doesn't just serve up IIS certs, it also serves up about every kind of cert needed for an infrastructure, including machine certs, user certs, network equipment certs, etc. I recommend you take a hard look at the MSFT offering in this space.

Kurt

On Tue, Oct 29, 2013 at 1:17 PM, Michael Leone <[email protected]> wrote:
> On Tue, Oct 29, 2013 at 3:53 PM, Michael Leone <[email protected]> wrote:
>>
>> On Tue, Oct 29, 2013 at 2:26 PM, Ken Cornetet <[email protected]>
>> wrote:
>>>
>>> You are making this WAY too hard. Install Certificate Services on one of
>>> your Windows servers. Make it a root CA for the domain. Use the IIS management
>>> console and/or the "Certificates" MMC to request and install certificates.
>>> Done.
>>
>> Nope, don't want a Windows server as a CA. I have a CA that has been working
>> for years.
>>
>> Note that I am NOT speaking about installing certs for IIS. Been doing that
>> for years, and it's always worked.
>> The problem was that the certificate I was issuing for IIS could NOT be
>> brought into the "Deployment Options" for RDS; the error was "the specified
>> certificate is not valid. The certificate properties must match the
>> requirements of the role service."
>
> To put it another way:
>
> I have been using this Linux CA (and this config) to issue local certs
> for years. IIS is always happy with them; they show up as valid; the
> traffic is always https; etc. The problem was that the properties of
> the cert that IIS didn't mind were *not* the properties that the RDS
> Deployment wanted in a cert. So I had to change my Linux CA config to
> add the properties that RDS wanted. That was the point of this email.
> :-)
>
> If I knew openssl better, I'm sure I could have changed the config a
> long time ago, to add any extended key capability that the requesting
> cert asked for. I hadn't set it up that way (never knew I hadn't), and
> it has never been an issue, not for any of the certs we've been using
> internally for the last 3 years.
>
> My post was just a heads up for anyone else issuing their own certs,
> using openssl, that the cert needs those extended key capabilities for
> RDS to work. They are not needed for IIS to work, based on the 3
> years I've been using my certs correctly without those extended keys.
> :-)
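The OpenSSL-side change Michael describes (adding the extended key usage that RDS Deployment checks for and IIS does not), as an added example; this is not code from the thread or from any of its posters. It assumes the openssl CLI is on PATH; the CA name, hostname, config section names and file paths are made up for the demo. It issues one server cert with `extendedKeyUsage = serverAuth` and one without, then runs the check you would want to run on a cert before handing it to RDS.

```shell
#!/bin/sh
# Added example (not from the thread). Signs two server certs from a throwaway
# OpenSSL CA, one with the serverAuth EKU and one without, then checks for it.
# Assumes the openssl CLI is installed; every name and path here is invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed CA config. The [srv_ext] section is the part that matters for RDS:
# [srv_ext_no_eku] is the same profile minus extendedKeyUsage, which IIS still
# accepts but RDS Deployment Options rejects.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = example-lab-ca
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:rds.example.internal
[srv_ext_no_eku]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:rds.example.internal
EOF

# Self-signed root for the demo (a real root would be offline, per Kurt's advice).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/ca.cnf" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Generate a CSR and sign it, applying the named extension section from ca.cnf.
#   $1 = extension section name, $2 = output certificate path
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=rds.example.internal" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions "$1" \
        -out "$2" >/dev/null 2>&1
}

# Return 0 if the PEM cert at $1 carries the serverAuth EKU, 1 otherwise.
# This is the pre-flight check to run before importing a cert into RDS.
has_server_auth() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

make_ca
issue_cert srv_ext "$WORK/with_eku.crt"
issue_cert srv_ext_no_eku "$WORK/without_eku.crt"

if has_server_auth "$WORK/with_eku.crt"; then
    echo "with_eku.crt: serverAuth present, RDS will accept the properties"
fi
if ! has_server_auth "$WORK/without_eku.crt"; then
    echo "without_eku.crt: serverAuth missing, RDS will reject it (IIS would not)"
fi
```

The signing step pins the extensions on the CA side with `-extfile`/`-extensions`, so the issued cert gets serverAuth regardless of what the CSR asked for. The alternative Michael mentions, honouring whatever extended key usage the request carries, corresponds to `copy_extensions = copy` in an `openssl ca` configuration; if you go that route, still constrain what a requester can get, because a CSR can ask for things like `CA:TRUE` just as easily as for serverAuth.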

