Just to clarify - there's no such thing as "IIS certs". Certificates for 
setting up an HTTPS session require only a single OID: server authentication. The 
wizard in IIS generates a certificate request that requests a cert with only 
that OID, and a Windows CA has a built-in template called "web server" that 
meets that request. So everything "just works". But a "server authentication" 
cert can be used for just about anything that requires the remote machine to 
identify itself (Secure SMTP, FTPS, HTTPS etc.). There's nothing particular 
about this type of cert that "ties" it to IIS.

There are plenty of other OIDs that exist as well (the ability to sign other 
certificates being one of the most common/obvious, file encryption is another 
popular one, client authentication e.g. for 802.1x is another).

So, when you request a cert to use for a particular service, you need to know 
what capabilities that cert needs to have, and fashion a request appropriately.

Cheers
Ken

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Kurt Buff
Sent: Wednesday, 30 October 2013 7:28 AM
To: [email protected]
Subject: Re: [NTSysADM] Win 2012 RDS and locally issued certificates - some 
observations

Using OpenSSL as a root cert is a fine idea, especially with a two-tier 
infrastructure where you keep the root mostly shut down.

Using a MSFT CA as a secondary is a really good idea - it doesn't just serve up 
IIS certs, it also serves up about every kind of cert needed for an 
infrastructure, including machine certs, user certs, network equipment certs, 
etc.

I recommend you take a hard look at the MSFT offering in this space.

Kurt

On Tue, Oct 29, 2013 at 1:17 PM, Michael Leone <[email protected]> wrote:
> On Tue, Oct 29, 2013 at 3:53 PM, Michael Leone <[email protected]> wrote:
>>
>> On Tue, Oct 29, 2013 at 2:26 PM, Ken Cornetet <[email protected]> 
>> wrote:
>>>
>>> You are making this WAY too hard. Install certificate servicer on one of 
>>> your windows servers. Make it a root CA for the domain. Use IIS management 
>>> console and/or the “certificates” MMC to request and install certificates. 
>>> Done.
>>
>>
>> Nope, don't want a Windows server as a CA. I have a CA that has been working 
>> for years.
>>
>> Note that I am NOT speaking about installing certs for IIS. Been doing that 
>> for years, and it's always worked.
>> The problem was that the certificate I was issuing for IIS could NOT be 
>> brought into the "Deployment Options" for RDS; the error was "the specified 
>> certificate is not valid. The certificate properties must match the 
>> requirements of the role service."
>
> To put it another way:
>
> I have been using this Linux CA (and this config) to issue local certs 
> for years. IIS is always happy with them; they show up as valid; the 
> traffic is always https; etc. The problem was that the properties of 
> the cert that IIS didn't mind, were *not* the properties that the RDS 
> Deployment wanted in a cert. So I had to change my Linux CA config to 
> add the properties that RDS wanted. That was the point of this email.
> :-)
>
> If I knew openssl better, I'm sure I could have changed the config a 
> long time ago, to add any extended key capability that the requesting 
> cert asked for. I hadn't set it up that way (never knew I hadn't), and 
> it has never been an issue, not for any of the certs we've been using 
> internally for the last 3 years.
>
> My post was just a heads up for anyone else issuing their own certs, 
> using openssl, that the cert needs those extended key capabilities for 
> RDS to work. They are not needed for IIS to work, based on the 3 
> years I've been using my certs correctly without those extended keys.
> :-)
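Ken's point that an HTTPS or RDS listener needs only the server-authentication OID, and Michael's observation that his OpenSSL CA config had to be changed before its certs carried that extended key usage, can be reproduced end to end with a throwaway CA. The script below is an added example, not code from anyone in this thread; the CA name, the host name `rds.example.test`, the profile names and the `$WORK` directory are all invented. It signs one CSR twice, once under an extension profile with no `extendedKeyUsage` (a cert that chains fine and that IIS would be happy with) and once with `serverAuth`, then inspects which one actually carries the EKU:

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway OpenSSL CA that issues
# the same CSR twice, once with no extendedKeyUsage (the shape of cert the
# thread says IIS accepted but RDS rejected) and once with serverAuth, then
# checks which one actually carries the EKU. All names and paths are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

write_config() {
    # One config file serving the CA, the CSR and both leaf extension profiles.
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
commonName = placeholder-overridden-by-subj

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Leaf profile without any EKU: chains correctly, but states no purpose.
[ srv_noeku ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:rds.example.test

# Leaf profile with the single OID an HTTPS/RDS listener needs.
[ srv_eku ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:rds.example.test
extendedKeyUsage = serverAuth
EOF
}

issue_lab_certs() {
    write_config
    # Self-signed lab root (stand-in for the Linux/OpenSSL root in the thread).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Lab Root CA (constructed)" \
        -config "$CNF" -extensions v3_ca 2>/dev/null
    # Leaf key and request for the hypothetical RDS host.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/CN=rds.example.test" -config "$CNF" 2>/dev/null
    # Sign the same CSR under each profile; the CA, not the CSR, decides the EKU.
    for profile in srv_noeku srv_eku; do
        openssl x509 -req -in "$WORK/srv.csr" -days 30 \
            -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
            -extfile "$CNF" -extensions "$profile" \
            -out "$WORK/$profile.crt" 2>/dev/null
    done
}

has_server_auth_eku() {
    # Exit 0 when the cert's EKU extension lists TLS Web Server Authentication.
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

chains_to_ca() {
    # Exit 0 when the leaf validates against the lab root, EKU or not.
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

report() {
    # One line per profile: both certs chain, only one carries serverAuth.
    for profile in srv_noeku srv_eku; do
        cert="$WORK/$profile.crt"
        if chains_to_ca "$cert"; then chain=valid; else chain=invalid; fi
        if has_server_auth_eku "$cert"; then eku=present; else eku=missing; fi
        printf '%-10s chain=%-7s serverAuth EKU=%s\n' "$profile" "$chain" "$eku"
    done
}

issue_lab_certs
report
```

The `srv_noeku` cert validates against the root just as well as the `srv_eku` one, which is why a CA that never emitted an EKU could go unnoticed for years behind IIS. With `openssl ca` rather than `openssl x509 -req`, the equivalent fix is an `extendedKeyUsage = serverAuth` line in the extension section the CA signs with, or `copy_extensions = copy` if the CA should honour whatever the CSR asks for; the latter lets the requester choose the cert's purposes, so CSRs should be reviewed before signing if that route is taken.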