Generating Server Authentication Certificates

  • Question

  • Hi All,

    I will be deploying ATA 1.6 in our dev environment in the coming weeks and just needing a bit of help clearing up some detail with the "how-to" aspect of certificate generation. The environment I will be installing into is AD based with its own CA, so I won't be looking to use the self-signed certs (unless someone can give me a good reason otherwise) and am wanting to get the certs provisioned from our own internal CA.

    1. IIS certificate is easy, no problems here as I've done quite a few.

    2. The Server Authentication template does not seem to be enabled within our environment, so I cannot use the Advanced Certificate Request form from the web portal as I can for the IIS CSR. I looked at generating a Server Authentication Certificate from the certificates MMC, however I am getting lost under the Certificate Enrollment Policy page as policies configured by my administrator do not include a Server Authentication type.

    I am getting the feeling I am going to need to either (a) get the Server Authentication template enabled or (b) generate a certificate template to facilitate this request. In either case I will need detail on what exactly is needed and why to get anything like this approved. Can anyone help with more detailed/specific instructions on what needs to be done to generate the certificate here?

    I guess the other option would be to use our internal CA for the IIS cert (trusted by all in the domain) and then use self-signed for the ATA Center Service and import those certs to the ATA Lightweight Gateways?

    Tuesday, May 31, 2016 6:05 AM

All replies

  • My personal preference is using the same certificate for IIS as for ATA Service, based on the Web Server template, with the IP address being added to SAN.

    As my customers do not use SYSLOG, I only use self-signed certificates on ATA (Lightweight) Gateways.

    Tuesday, May 31, 2016 8:39 AM
  • Hi Nico,

    First I think would be to confirm or deny if this template you want is enabled in the first place. If you're in the MMC "Request New Certificate" wizard, on the window: "Active Directory Enrollment Policy", you can check "Show all templates". That gives you all the templates that are enabled for the CA(s) along with the reason why you can't select it. Depending on what you find, your next steps may be more clear.

    That said, it may be helpful to follow Michael's advice and use the Webserver template. Despite its name, a template is simply a collection of settings like key usage, key length, request handling policies and so on. The Webserver template has settings that in my experience can (and will) be used for a variety of servers, not just HTTP servers.

    Kind Regards,

    Tuesday, May 31, 2016 11:08 AM
  • Hey Guys,

    Thanks for the info. So Michael, just to clarify, I can use 2 x IIS certificates for this? No need to fuss about with getting approvals for constructing/enabling a Server Authentication template? I guess that makes sense if all comms are on 443 by default.

    If that is the case, then I'm just going to produce 2 x CSRs from IIS and submit them to the CA using the existing Web Template.

    Hi J, I had a look at the "Show All Templates" list and there is a "Computer" template which is unavailable, but nothing called "Server Authentication". Looking at the "Computer" and "Web Server" templates, looks like they are more or less interchangeable?

    https://technet.microsoft.com/en-us/library/cc755033(v=ws.11).aspx

    • Edited by Nicoloks Tuesday, May 31, 2016 11:26 PM
    Tuesday, May 31, 2016 11:25 PM
  • Hi Nico,

    The Computer template is traditionally used for clients and workstations to authenticate themselves, for instance for wireless authentication. Webserver is more popular for a variety of server types. The main differences between Computer and Webserver certificate templates are:

    - Computer is valid for 1 year, Webserver for 2.

    - Webserver takes DH SChannel Cryptographic provider as a CSP in addition to RSA SChannel, Computer only the latter.

    - Computer takes the Machine Name from Active Directory as the Subject Common Name, Webserver allows you to bring in a free format subject name.

    - Computer has Client and Server Authentication as enhanced key usages, Webserver only Server Authentication.

    You may also want to consider creating your own custom template. It's considered best practice to do so even if you don't change any of the attributes.

    Kind Regards,

    Wednesday, June 1, 2016 6:06 AM
  • To clarify my answer, Nico, I use the SAME web server certificate for both purposes and I do not see any security risk in doing so. Moreover, I typically do not want the ATA Center to have 2 IP addresses, so I use just 1. IIS runs on 443 and Service on 8443. No problem there.
    Wednesday, June 1, 2016 2:11 PM
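The approach the replies converge on (one certificate from the internal enterprise CA, based on the built-in WebServer template, with the ATA Center's IP address added to the SAN, shared by IIS and the ATA Center Service) can be scripted with certreq. This is an added example, not code from the thread or from the ATA product; the FQDN, IP address and CA config string are assumed placeholders to replace with your own.

```powershell
# Added example (not from the thread). Requests one certificate from the internal
# enterprise CA using the WebServer template, with the ATA Center FQDN and IP in the
# SAN, installs it in the machine store and checks EKU and SAN before it is bound.
$Fqdn     = 'atacenter.corp.example'            # assumed placeholder
$IpAddr   = '10.0.0.25'                          # assumed placeholder
$CaConfig = 'ca01.corp.example\Corp-Issuing-CA'  # assumed "host\CA name"; see: certutil -dump
$Work     = Join-Path $env:TEMP 'ata-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq INF: 2048-bit RSA exchange key in the machine store (KeySpec 1), key usage
# digitalSignature+keyEncipherment (0xA0), Server Authentication EKU, and a SAN
# extension (OID 2.5.29.17) that carries both the DNS name and the IP address.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256
Exportable = TRUE
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "ipaddress=$IpAddr&"
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# Build the CSR, submit it against the WebServer template, install the issued cert.
certreq -new "$Work\request.inf" "$Work\request.req"
certreq -submit -config $CaConfig "$Work\request.req" "$Work\cert.cer"
certreq -accept "$Work\cert.cer"

# Check: the newest cert for this subject must carry Server Authentication and the IP SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$eku  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).Format($false)
$san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($eku -notmatch '1\.3\.6\.1\.5\.5\.7\.3\.1') { throw 'Missing Server Authentication EKU' }
if ($san -notmatch [regex]::Escape($IpAddr))    { throw 'IP address not present in SAN' }
"OK: $($cert.Thumbprint) issued by $($cert.Issuer), valid until $($cert.NotAfter)"
```

Run it elevated on the ATA Center host so the key lands in the machine store; the thumbprint it prints is the one to select for both the IIS 443 binding and the ATA Center Service on 8443.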