Windows 2012 DirectAccess IP-HTTPS certificates

I'm looking at setting up Windows 2012 DirectAccess with a single adapter behind a NAT device.

The query I have is over using a public/third-party wildcard SSL cert on the DA server for IP-HTTPS.

We already have a wildcard SSL cert which is installed on another IIS web server. I know it's possible to export that cert as a PFX from the Personal store on the IIS host and to supply a private key as part of the process.

Would this method be suitable for importing the cert onto the DA server, again into the Personal store for the computer in the certificates snap-in? Is that all there is to it for setting up IP-HTTPS, or does there need to be a binding or CSR process within IIS itself on the DA server? If so, what are the steps for doing this? Using a wildcard SSL cert from a public CA for DA 2012 isn't very well documented.

June 11th, 2013 5:27pm

Hi,

Thanks for posting in Microsoft TechNet forums.

I'll move the thread to our Security forum since the issue is certificate-related.

Regards

Kevin

June 13th, 2013 11:07am

Yes you can use the same cert.

You need to configure the DA service to use the cert though.

http://technet.microsoft.com/en-us/library/jj574174.aspx

and

http://technet.microsoft.com/en-us/library/jj574180.aspx

June 13th, 2013 2:50pm

Isn't it true that in order to use a third-party SSL certificate with a DirectAccess server, the server needs to have a public IP address and cannot be behind a NAT device?

I've read conflicting information about this. My NATed DA server works fine with the self-signed cert and DynDNS name I set up during the "simple" TechNet setup, but I'm currently trying to use a wildcard cert and my IP-HTTPS listener fails.

Thanks

February 3rd, 2014 6:46pm

No, you can use a public "third-party" SSL cert even though the server is NATed.

The client checks:

- whether the cert is valid (CRL check, and the current date is within its valid-from and valid-to dates)

- whether the cert has the same name as the name you are connecting to, e.g. if you connect to da.fabrikam.com the cert needs to be for da.fabrikam.com (or *.fabrikam.com)

The server, in turn, needs to trust the certificate chain for the certificate in order to use it, e.g. all intermediate cert(s) and the root cert.

February 4th, 2014 3:57am
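The procedure the two answers above describe (import the existing wildcard PFX into the computer's Personal store, make sure the chain and name pass the checks a client will make, then tell the Remote Access service to use that cert for IP-HTTPS) as an added PowerShell example. This is not code from the thread or from Microsoft's documentation; it assumes Server 2012 with the Remote Access role installed, the PKI and RemoteAccess modules, and placeholder values for the PFX path, its password and the public FQDN (da.fabrikam.com / *.fabrikam.com are the names used in the thread).

```powershell
# Added example, not from the thread: move an existing wildcard cert onto a
# Windows Server 2012 DirectAccess server and bind it to the IP-HTTPS listener.
# Run from an elevated PowerShell on the DA server.
# Assumed placeholders: $PfxPath and $PublicFqdn; the password is prompted for.

$PfxPath    = 'C:\certs\wildcard-fabrikam.pfx'   # exported from the IIS host WITH the private key
$PublicFqdn = 'da.fabrikam.com'                  # the name DirectAccess clients connect to
$PfxPass    = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import into the computer's Personal store (Cert:\LocalMachine\My), which is
#    where DirectAccess looks. -Exportable is deliberately left off so the
#    private key cannot be exported again from this server.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $PfxPass
'Imported {0} (thumbprint {1})' -f $cert.Subject, $cert.Thumbprint

# 2. Pre-flight the checks a client makes, before binding anything: the chain
#    builds to a trusted root, revocation can be checked, the Server
#    Authentication EKU (1.3.6.1.5.5.7.3.1) is present, and the name matches
#    the public FQDN (a *.fabrikam.com wildcard satisfies da.fabrikam.com).
$ok = Test-Certificate -Cert $cert -Policy SSL -DNSName $PublicFqdn `
                       -EKU '1.3.6.1.5.5.7.3.1'
if (-not $ok) {
    # Show why it failed; the usual cause is a missing intermediate CA cert.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    [void]$chain.Build($cert)
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Certificate fails SSL policy for $PublicFqdn. Import the CA's intermediate cert(s) into Cert:\LocalMachine\CA and its root into Cert:\LocalMachine\Root, then re-run."
}

# 3. Bind the cert to the IP-HTTPS listener. This replaces the self-signed cert
#    the Getting Started wizard created. No IIS binding or CSR is involved:
#    the listener is an http.sys endpoint, not an IIS site.
Set-RemoteAccess -SslCertificate $cert -PassThru | Select-Object SslCertificate

# 4. Verify: the http.sys SSL binding on port 443 should now carry this
#    thumbprint, and the server-side IP-HTTPS interface should be active.
netsh http show sslcert | Select-String -Pattern $cert.Thumbprint
netsh interface httpstunnel show interfaces
```

On a client that still fails after this, `netsh interface httpstunnel show interfaces` (or `Get-NetIPHttpsState` on Windows 8) reports the last error from the IP-HTTPS connection attempt, which distinguishes a chain or revocation failure from a plain name mismatch. The NAT device only needs to forward TCP 443 to the DA server; the certificate checks listed in the answer above are all performed on the name the client connects to, not on the server's IP address.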

