DirectAccess 2012 and wildcard certificate

  • Question

  • Hi,

    I have a DA 2012 implementation for both W7 and W8, currently in testing. I have installed our wildcard certificate in the Local Computer personal store and verified that the whole certification path is fine. The certificate is an Entrust certificate which we also use on our UAG + UAG DA.

    Although I can see the certificate in the Certificates snap-in, I cannot select it in the configuration wizard on the IPHTTPS configuration. The certificate is not shown in that list - actually the only certificate visible in that list is the self-signed SSL certificate which was created by the configuration the very first time.

    Any tips?

    BR, TommiK

    Wednesday, April 24, 2013 9:04 AM

All replies

  • The first thing I would check is that the correct intermediate/root certs for the Entrust cert are installed. Start with the intermediate. If the cert chain can't be resolved, the cert will not be presented.

    If this is the case, then you will most likely have the same issue on the clients as well. As far as I can remember, winhttp does not automatically download intermediate certs as IE does.


    Hth, Anders Janson Enfo Zipper

    Wednesday, April 24, 2013 9:25 AM
  • Hi,

    I verified at the beginning that all intermediate and root certs are installed and also that the certificate chain is OK. Still I cannot select it to be used as the IPHTTPS certificate - it is not on the list.

    BR, TommiK

    Wednesday, April 24, 2013 11:05 AM
  • Hi Amig@. Extracted from http://technet.microsoft.com/en-us/library/ee406213.aspx#manual

    The IP-HTTPS certificate for the Forefront UAG DirectAccess server must have the following properties:

    • In the Subject field, either an Internet Protocol version 4 (IPv4) address of the Internet interface of the DirectAccess server or the fully qualified domain name (FQDN) of the IP-HTTPS uniform resource locator (URL).
    • For the Enhanced Key Usage field, the Server Authentication object identifier (OID).
    • For the CRL Distribution Points field, a certificate revocation list (CRL) distribution point that is accessible by DirectAccess clients that are connected to the Internet.
    • The IP-HTTPS certificate must have a private key.
    • The IP-HTTPS certificate must be imported directly into the personal store.
    Note:

    Forefront UAG DirectAccess allows the use of IP-HTTPS certificates that have wildcards in their names. These must be configured in the Authentication Options page of the Forefront UAG DirectAccess Configuration Wizard.

    Check that the certificate has been imported with the private key.

    Check also in the purposes of the certificate that "Server Authentication" is explicitly marked. I have seen in other scenarios (not DA) that a certificate marked with "All purposes" is not eligible because the process is checking for the Server OID.


    // Raúl - I love this game

    Wednesday, April 24, 2013 11:59 AM
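The requirements quoted in the reply above (private key present, Server Authentication EKU set explicitly, a CRL Distribution Points extension, and a chain that resolves through the installed intermediates) can all be checked from the Local Computer personal store without opening the wizard. The script below is an added example, not code from this thread or from Microsoft; it assumes an elevated PowerShell session on the DirectAccess server and leaves the Subject/FQDN comparison to the reader, since the expected IP-HTTPS name is not on the page.

```powershell
# Added example (not part of the thread): list certificates in Cert:\LocalMachine\My and
# report which ones meet the IP-HTTPS certificate requirements quoted above.
# Assumption: run as an administrator on the DirectAccess server.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$ekuExtOid     = '2.5.29.37'           # Enhanced Key Usage extension
$crlDpExtOid   = '2.5.29.31'           # CRL Distribution Points extension

function Test-IpHttpsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # A certificate with no EKU extension is "all purposes"; the check here wants
    # the Server Authentication OID listed explicitly, as the reply describes.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid
    }

    $hasCrlDp = [bool]($Cert.Extensions | Where-Object { $_.Oid.Value -eq $crlDpExtOid })

    # Build the chain locally; a missing intermediate shows up as PartialChain in the status.
    # Revocation is not checked here so that an offline CRL does not mask a chain problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk     = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject       = $Cert.Subject          # compare by hand with the IP-HTTPS FQDN / wildcard
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        HasCrlDp      = $hasCrlDp
        ChainBuilds   = $chainOk
        ChainStatus   = $chainStatus
        Eligible      = ($Cert.HasPrivateKey -and $hasServerAuth -and $hasCrlDp -and $chainOk)
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IpHttpsCertificate -Cert $_ } |
    Format-Table Subject, HasPrivateKey, ServerAuthEku, HasCrlDp, ChainBuilds, ChainStatus, Eligible -AutoSize
```

A certificate that shows `Eligible = False` with `ChainStatus = PartialChain` is the case the first reply describes (intermediate not installed); `HasPrivateKey = False` is the case where the certificate was imported from a .cer rather than a .pfx. Rows where everything is True but the certificate still does not appear in the wizard point to the Subject not matching the expected IP-HTTPS name.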
  • I had this same issue, and I think it was because DA will prefer to use a self-signed certificate. It took me several tries to get the wildcard cert to show up as an option in the wizard. I think the trick that did it was removing the self-signed and local CA assigned certs from the store (export first, then delete). Then once it had only one cert from which to choose, it worked. I may have also had to remove the current configuration before it would take. I can't quite remember on that one. If the wildcard cert is in the store the first time you run the wizard, it should be usable.
    Wednesday, April 24, 2013 2:37 PM