On Tue, Oct 29, 2013 at 7:38 PM, Ben Scott <[email protected]> wrote:
> On Tue, Oct 29, 2013 at 6:34 PM, Ken Schaefer <[email protected]> wrote:
>> So, when you request a cert to use for a particular service, you need to know
>> what capabilities that cert needs to have, and fashion a request 
>> appropriately
>
>   Computers are so picky.

Heh

Here are the properties of the domain wildcard request I made with IIS,
on my RDS session host:

        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication

So in my case, the fault was mine, since my OpenSSL config wasn't set
to honor what the request was asking for, but instead just gave it
what was explicitly listed in my config. OpenSSL can do the equivalent
of "templates", i.e., assign different key usages. I just didn't have
it set correctly. Once I made sure the cert I issued did have those
requests generated by IIS, then RDS happily accepted the cert. Mind
you, RDS didn't list it as "trusted" without adding the thumbprint via
WMIC. (I guess this "trusted" is different from what I think of as
"trusted": if I have a trusted root CA cert, I would think it to be
trusted. But the list didn't change to "trusted" in RDS until I issued
that WMIC command, even though I had already imported the root CA
cert.)

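The following shell script is an added example, not part of the thread and not the poster's own setup. It reproduces the CA-side mistake described above with a throwaway OpenSSL CA: a CSR is built carrying the same requested extensions IIS put in the wildcard request, then signed twice, once by a CA config that ignores request extensions (OpenSSL's default, `copy_extensions = none`) and once by one that honours them (`copy_extensions = copy`) on top of a `server_cert` extension section acting as the "template". All names, paths and the `*.example.test` subject are constructed for the demo; it needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: show why a CA that does not copy request extensions issues a
# cert without the EKU that IIS asked for. Everything here is constructed.

# Write a CSR carrying the key usage / EKU IIS requested in the thread.
make_iis_style_csr() {
    dir=$1
    cat > "$dir/csr.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = *.example.test
[ req_ext ]
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/host.key" >/dev/null 2>&1
    openssl req -new -key "$dir/host.key" -out "$dir/host.csr" \
        -config "$dir/csr.cnf" -reqexts req_ext >/dev/null 2>&1
}

# Build a one-shot CA. $2 is the copy_extensions value: "none" (OpenSSL's
# default, request extensions are dropped) or "copy" (request extensions not
# already set in the template section are carried into the issued cert).
make_ca() {
    dir=$1; copy_mode=$2
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = policy_cn
x509_extensions = server_cert
copy_extensions = $copy_mode
[ policy_cn ]
commonName = supplied
# The "template": what this CA always stamps on a server cert. With
# copy_extensions = copy, anything set here wins over the same extension in
# the request, so a CSR asking for CA:TRUE cannot smuggle it in.
[ server_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ca.key" >/dev/null 2>&1
    openssl req -x509 -new -key "$dir/ca.key" -out "$dir/ca.crt" -days 365 \
        -config "$dir/ca.cnf" -extensions v3_ca >/dev/null 2>&1
}

# Sign the IIS-style CSR with a CA in the given mode and report whether the
# issued cert carries the TLS Web Server Authentication EKU.
eku_after_signing() {
    copy_mode=$1
    work=$(mktemp -d)
    make_iis_style_csr "$work"
    make_ca "$work" "$copy_mode"
    openssl ca -batch -config "$work/ca.cnf" -in "$work/host.csr" \
        -out "$work/host.crt" >/dev/null 2>&1
    if openssl x509 -in "$work/host.crt" -noout -text \
        | grep -q 'TLS Web Server Authentication'; then
        echo serverAuth
    else
        echo none
    fi
    rm -rf "$work"
}

# Demo: the default CA silently strips the EKU; that is the cert RDS rejects.
echo "copy_extensions = none -> EKU: $(eku_after_signing none)"
echo "copy_extensions = copy -> EKU: $(eku_after_signing copy)"
```

Two points worth checking in a real CA config: `copy_extensions` should only be enabled together with an extension section that pins `basicConstraints` (and anything else you care about), because otherwise a requester can ask for arbitrary extensions and the CA will issue them; and the issued cert can be inspected with `openssl x509 -noout -text` before it is handed to RDS, which is cheaper than diagnosing the rejection on the Windows side. The separate step of registering the thumbprint with RDS via WMIC is not covered here.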