Can Orion use an AD CA issued SSL cert?

From what I've been reading (e.g. here) AD CA can be used to issue SSL certs that will be implicitly trusted by browsers on domain-joined computers.

This seems to indicate that Orion could use such an SSL cert as well, without needing a "retail" certificate from an external paid service - as long of course as Orion is accessed internally and not over public Internet with public DNS.

Has anyone been successful in that? If so, would you have the detailed steps on how to do it?

P.S. A somewhat similar question is this: if one installs a standalone Windows Server with AD DS and CA role (with "web enrollment" option) from scratch with all default options, will that "web enrollment" IIS site have an SSL cert, and will it be trusted by Edge or Chrome on the same server?

Thanks!

Find more posts tagged with

certificate

active directory

orion

ssl

Accepted answers

All comments

mesverrum

This is more a general web hosting question than an orion specific one, but i've seen this done in many environments.

You create a cert on your domain's issuing server for the hostname or web address that you want your users to connect to, include any necessary subject alternate names, load that cert to the Orion web server and set the IIS to use the one your domain issued. Assuming your issuing server is set up correctly then all domain joined computers would automatically trust any website with a correct cert issued from the domain.

As far as detailed steps, all of that would be from MS docs like this https://learn.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis

Not sure about your second question, i think for that scenario you are probably over thinking it. A server would always trust certs that it creates for itself, but in that scenario no external clients would trust the cert unless they were manually told to do so.

- Marc Netterfield

Loop1: SolarWinds Training and Professional Services
My GitHub: Mesverrum

akhasheni

Thanks - I am not sure the article (How to Set Up SSL on IIS 7 or later) applies in my case as it doesn't touch on using a local CA (Certificate Authority). The SSL bindings seem to be fine.

There is a 10 20-year cert that appears to have been generated when deploying / configuring Orion for the first time, and when I used it in the browser on the local server (the one that runs Orion), the cert is trusted. This, to me, means that SSL bindings are OK and the IIS config is fine. This is the cert:

(On a different machine on the network - "not trusted" - I imagine because that cert is not installed on that different machine. Suppose we could push that cert out via GPO or even manually install it - yet that defeats the purpose of having an AD CS/CA config.)

When I try to request (and then use) a cert issued by the local CA (AD CS/CA), via "Create Certificate Request" in IIS:

... saving it to a text file, then pasting the request to the CA's web enrollment UI:

... then "issuing" it in CA UI on the CA server, retrieving it in DER or Base64 format, "completing certificate request" in IIS and importing that cert, and then binding to the SSL port for Orion:

...it's not trusted, the cert not valid: "<strong>NET::ERR_CERT_COMMON_NAME_INVALID</strong>", "Your connection is not private", etc.

This server could not prove that it is gmcorion.*****.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.

...despite seemingly showing as "valid" in IIS:

I am quite at a loss what to do next. I am assuming the issue is with the CA and AD setup - but not sure where to go from here.

christopher.t.jones123

@akhasheni, first step is that you need to ensure that you install the issuer as a trusted root certificate on all clients that will be access the website via that URL and SSL certificate. If they're Windows clients thats easy enough through GPO (see link). Once added as a trusted root certificate all certificates issued by that CA will automatically be deemed trusted by the client. Additionally when requesting the certificate you need to also ensure that you add SAN entries that match the url you will inputting into the browser (here's a good article for that). Overall, your problem isn't SolarWinds specific, its more around SSL certificate management, issuance, and how your internal PKI is set up as @mesverrum alluded to.

christopher.t.jones123

@akhasheni, as @mesverrum alluded to this issue is more related to your internal certificate management, issuance, and PKi configuration. Essentially first thing is to ensure that the issuing CA is added a trusted root certificate to all clients that will be access the SSL protected URL, if these are Windows clients that's easy enough to do via GPO (see here). The next thing you'd need to look at is what the error is telling you regarding the SAN, you need to request the certificate and include SAN entries as an additional attribute that match the url that clients/users will be using to access the site (see here).