Public Cert with CRL and UAG DA RRS feed

  • Question

  • Okay, this may be a dumb question to most. If I use a public Cert for my CRL, I'm going to simply give it a name of my choosing (say ... https://dacrl.mycompany.com) and link it to the internal IP of my UAG server? Or would it be linked to the external IPs? Thanks

    Bill

    Wednesday, April 4, 2012 3:59 PM

Answers

  • UAG will handle that for you.

    What you do is that you put the public cert (with private key) in the Local Machine / Personal Store. Then in the DA wizard where you choose the IPHTTPS cert the certificate picker will show the cert you installed. UAG will then map the certificate correctly for you. In effect it will be mapped to the first of the two consecutive IP addresses you assign to DA.


    Hth, Anders Janson Enfo Zipper

    • Marked as answer by Beachnut_ Thursday, April 5, 2012 7:55 PM
    Thursday, April 5, 2012 7:44 PM

All replies

  • If you use a public cert (something you bought from, say, Verisign, Thawte, GoDaddy etc), you don't need to publish CRL. For public certs CRL is handled by whoever you bought it from.

    On the other hand, if it is a certificate that you created in your internal PKI and use it publicly, then you need to publish CRL. The public URL should then match whatever the cert has for CRL HTTP path.


    Hth, Anders Janson Enfo Zipper

    Thursday, April 5, 2012 8:51 AM
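The following is an added pre-flight check, not code from this thread or from Forefront UAG, that ties together the two points made above: the cert must sit in Local Machine / Personal with its private key before the IP-HTTPS page of the DA wizard will list it, and the CRL Distribution Point URL baked into the cert must actually be reachable (the issuing public CA hosts it for a purchased cert; for an internal PKI cert used externally you have to publish it yourself). The script enumerates Cert:\LocalMachine\My, reports whether each cert has a private key, is still valid and carries the name clients will use, and then fetches every HTTP CRL URL it finds. The hostname da.example.com is a placeholder standing in for the real IP-HTTPS name; the helper function names are my own.

```powershell
# Added example: sanity-check certificates before selecting one on the DA wizard's IP-HTTPS page.
# Assumption: $IpHttpsFqdn is the public DNS name DA clients will connect to (placeholder value).
param(
    [string]$IpHttpsFqdn = 'da.example.com'   # placeholder; replace with your IP-HTTPS name
)

function Get-CertDnsNames {
    # Subject CN plus every DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields e.g. "DNS Name=da.example.com, DNS Name=www.example.com"
        [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $names += $_.Groups[1].Value }
    }
    return ($names | Select-Object -Unique)
}

function Test-NameMatch {
    # True when $Fqdn equals a cert name or is covered by a single-label wildcard (*.example.com).
    param([string[]]$CertNames, [string]$Fqdn)
    $f = $Fqdn.ToLowerInvariant()
    foreach ($n in $CertNames) {
        $n = $n.ToLowerInvariant()
        if ($n -eq $f) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                      # ".example.com"
            if ($f.EndsWith($suffix)) {
                $label = $f.Substring(0, $f.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }  # wildcard spans exactly one label
            }
        }
    }
    return $false
}

function Get-CertCrlUrls {
    # HTTP(S) URLs from the CRL Distribution Points extension (OID 2.5.29.31).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    [regex]::Matches($cdp.Format($false), 'URL=(https?://[^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    # Plain HTTP GET, the way a DA client or the UAG server itself would fetch the CRL.
    param([string]$Url)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $ok = ([int]$resp.StatusCode -eq 200)
        $resp.Close()
        return $ok
    } catch { return $false }
}

# The wizard's certificate picker reads Local Machine / Personal; enumerate the same store.
foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My)) {
    $names    = Get-CertDnsNames $cert
    $expired  = $cert.NotAfter -le (Get-Date)
    $nameOk   = Test-NameMatch $names $IpHttpsFqdn
    $crlUrls  = @(Get-CertCrlUrls $cert)
    $crlOk    = $true

    Write-Host ("`n{0}  (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)
    Write-Host ("  private key present : {0}" -f $cert.HasPrivateKey)
    Write-Host ("  valid until         : {0}" -f $cert.NotAfter)
    Write-Host ("  DNS names           : {0}" -f ($names -join ', '))
    Write-Host ("  covers {0,-18}: {1}" -f $IpHttpsFqdn, $nameOk)

    if ($crlUrls.Count -eq 0) { Write-Host "  CRL distribution pt : none in cert" }
    foreach ($url in $crlUrls) {
        $reach = Test-CrlUrl $url
        if (-not $reach) { $crlOk = $false }
        Write-Host ("  CRL {0} reachable: {1}" -f $url, $reach)
    }

    # A cert the wizard can use and clients can validate: private key, unexpired, right name, CRL fetchable.
    $ready = $cert.HasPrivateKey -and (-not $expired) -and $nameOk -and $crlOk
    Write-Host ("  ready for IP-HTTPS  : {0}" -f $ready)
}
```

Run it once on the UAG server and, for an internal-PKI cert, once more from a machine outside the corporate network: the CRL URL in the cert must resolve and answer from the Internet, not just from the LAN, or IP-HTTPS clients will fail revocation checking. A cert bought from a public CA should show its CRL reachable without any work on your side, which is the point Anders makes above.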
  • Yes, public hosting service (Verisign, Entrust, GoDaddy, etc) will handle the CRL. Understand that part. The part I'm not completely sure about is where to link the public cert once I get it. On Step 2 of the Direct Access Server Configuration Wizard, you browse to the location of the public cert to authenticate DA clients over IP-HTTPS.

    https://skydrive.live.com/#cid=3BB15AC1C2818230&id=3BB15AC1C2818230%21128

    I guess I was thinking that I needed to link this cert to one of the IPs on the UAG server, -and- link it to a public URL ... something like https://myIPHTTPS.mycompany.com . But maybe not. On this page of the wizard, I simply select the public cert, and behind the scenes, the wizard links it to the IP-HTTPS listener on the UAG server? Thanks to help me understand this ...


    Bill

    Thursday, April 5, 2012 5:13 PM
  • Fantastic ... thank you so much Anders!

    Bill

    Thursday, April 5, 2012 7:55 PM