Can I use Active Directory as a CA for creating test SSL certificates for IIS?

active-directory iis ssl openssl certificate
10,229

Solution 1

You can add trusted roots through group policy. So make a self signed cert, roll this out as a trusted root, then any cert you sign with it will be trusted.

Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

Setting up the MS Certificate Authority is not required

Solution 2

If you have a server running the AD CS role issue a certificate, then it isn't self-signed anymore, it's issued by your internal CA. To answer the larger point, yes you can do this. You'll have to install the Active Directory Certificate Services role and create/distribute te certificates from there. No need to touch OpenSSL for this use case.

Solution 3

To answer your question exactly: no, you can't create a self-signed cert using Active Directory. However, I think your question is mixing different things.

  • Self-signed certificates are NOT issued by an authority (that's why they are self signed)
  • You can integrate a certificate authority with Active Directory in order to automatize server and users certificates.

For creating self-signed certs, you have plenty of options. The simplest one, if you're a windows shop, is to do it through IIS (see this: http://technet.microsoft.com/library/cc753127%28WS.10%29). You can also do it with OpenSSL (quite messy but works), with the makecert.exe tool that comes with the .NET SDK or with a number of similar tools (I use my own tool for this but, that's just me).

For integrating a CA with AD, the simplest way is to install the certificate services role on a machine and configure it for AD integration (although in your case, it doesn't seem to be a necessity unless you want to use it for other things).

Finally, you might want to create your own root that isn't integrated with AD. Unless you have to work with client certificate authentication, have many different servers (with different names) that you want to use in testing (and perhaps with automated testing) or if you want to be able to test some aspect of your application that uses special certificate properties or chaining, it's probably not worth the trouble.

In your case, assuming I understood it correctly and all you want to do is test your web app with a certificate, all I would do is generated a self-signed cert (using whatever tool you like best) and then install that certificate in the correct store on your test machine (to avoid certificate warnings and errors)

Share:
10,229

Related videos on Youtube

Dylan Beattie
Author by

Dylan Beattie

Updated on September 18, 2022

Comments

  • Dylan Beattie
    Dylan Beattie over 1 year

    We have an internal test version of our website, which is available (via internal DNS zones) as www.mysite.com.test

    I'd like to create an SSL certificate for www.mysite.com.test, so that our testers don't get an invalid certificate warning (the 'real' certificate is bound to www.mysite.com)

    I know how to create self-signed certs using OpenSSL, but I'm wondering if there's some way of associating the certificate authority with our Active Directory domain, so that any user on a PC that's a member of the domain will accept the self-signed cert without having to explicitly install it (or explicitly install the self-signing certificate authority as a trusted authority)

    Any ideas?

  • JamesRyan
    JamesRyan almost 12 years
    You don't need the MS certificate authority to do this if you have already made the certificates using OpenSSL
  • JamesRyan
    JamesRyan almost 12 years
    He isn't actually asking to use AD as a CA. He is asking how to roll out certificates to a domain. His title is wrong but you don't answer the actual problem.
  • Dylan Beattie
    Dylan Beattie almost 12 years
    Thanks. The problem here is that it isn't a test machine, it's about two dozen people who are involved in testing various things across a number of different products, which means installing and authorising the certificate becomes a bit of a headache. Thanks for the advice, though - certificate services looks like a good idea...
  • Dylan Beattie
    Dylan Beattie almost 12 years
    Fantastic. Exactly what I was looking for but didn't know how to ask for. :)
  • MDMarra
    MDMarra almost 12 years
    @JamesRyan Absolutely correct, I read the last paragraph of the question as him wanting a CA that integrates fully with AD. I didn't mean to imply that you can't distribute a cert made in OpenSSL - just that it would be unnecessary with an ADCS server.
  • Stephane
    Stephane almost 12 years
    Test doesn't mean it's limited to a single system. It means it's limited to a specific security zone in which you accept additional risk as the price paid for the flexibility necessary for testing. It's pretty common to have two different CAs used for a single application: of is used for testing only (and is generally a private one since it'y way cheaper this way) the other being a public one that is used for general deployment.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

OpenSSL Verify Peer (Client) Certificate in C++
Error while creating self-signed SSL certificate
SSL certificate not accepted
SSL certificate generated with OpenSSL not working on NSS
Unable to load Key pair from p12 certificate - OPENSSL error
SSL issue: The private key did not match the public key provided
Can't verify an openssl certificate against a self signed openssl certificate?
openssl p12 generation failing with CA bundle chain option
Can it be found out, what websites/domains an SSL (pem) certificate approves of?
Decrypt PEM containing key and certificate