Creating a broadly compatible, modern SSL certificate with Active Directory Certificate Services

After recently hitting the default two year expiration point with our SharePoint development environment’s AD CS-issued SSL certificates, I set about updating that environment with a new five year template. I took this opportunity to see if I could make it as good as possible without breaking compatibility with anything. I will discuss some of these compatibility issues along the way. I will also make the certificate exportable, make sure it’s using the SHA256 hash (SHA1 will be deprecated in the near future), change the Certificate Authority (CA) configuration so that HTTP Distribution Points will be contactable from “outside the network”, and set permissions on the template in a way that it will be generally usable.

Steve Peschka tackled some of these basics about 18 months ago, but as he notes, his posts covers the simplest updates you can make. I think a few other options are worth considering. I don’t pretend to know all that there is to know about Active Directory Certificate Services (AD CS), or PKI in general, but I do think we can advance considerably beyond the default with a few changes. This is not a well-documented subject, so I hope to pull a few disparate resources together and propose an improved template. If you think anything here can be improved further, please post in the comments and I’ll try to incorporate that feedback.

Continue reading “Creating a broadly compatible, modern SSL certificate with Active Directory Certificate Services”

The stuff around SelfSSL

Working with software developers, I’ve probably seen SelfSSL used more often than in most lines of work, and also misuse of it. The purpose of this article is to draw some boxes around the different areas that come in to play when a site is self-certified.

Browser

Most obviously, the user requests the page through the browser, but the browser also warns of Certificate/DNS name mismatches. Unless the certificate was issued to the address through which the site is being browsed, the browser will produce certification warnings. This behaviour is expected and desirable as part of browser security. Continue reading “The stuff around SelfSSL”