Sometimes application troubleshooting, when it comes to digital certificates, can lead you into an awful lot of reading. In a nutshell there are four things you need to have clear in your mind:
- Does the certificate need to be trusted outside of your organisation?
- Does the certificate have a revocation list that needs to be checked outside of your organisation?
- Is the certificate's common name used as a URL?
- Does that URL need to be resolved outside of your network?
Let me explain:
- OK, hands up: ‘outside of your organisation’ means different things to different people. In a nutshell, are the certificate's parent(s) in the computer's trusted root store? If you have a certificate from the likes of VeriSign, its parents will be in virtually every computer's trusted root store globally. If the parents are an internal certificate authority, then assuming it is a Microsoft Enterprise CA, the certificate trust will be distributed to all machines in the Active Directory. If you have multiple Active Directories you have work to do to distribute the certificates via group policy in each one. Microsoft Windows 2008 R2 Direct Access assumes that the client is ‘within your organisation’, so an internal certificate authority is fine as long as the Active Directory the client machine is a member of trusts the Certificate Authority and the client machine has enrolled for a certificate.
- Typically applications check the revocation list; the URL is stamped in the certificate and is typically an HTTP address (internally LDAP is used). By default an internal Microsoft certificate server will NOT publish an externally accessible CRL path. In the case of Direct Access the CRL is checked and an external path is most certainly needed. This requires a change to the certificate server, and you need to reissue any certificates so they carry the new stamp. While you’re doing that you should also add an external AIA path (this allows expired parent certificates to be replaced when they are renewed).
- Some applications check that the name matches the site you are accessing; this is a common mechanism to validate that you have not been led down the garden path and think you are accessing your bank when in fact it is a fake site. Other applications actually use the common name of the certificate to determine the target. Direct Access does this to reach the Direct Access server, so it’s very important when requesting the certificate to think about the name to use.
- By ‘outside of your network’ I mean: will the client be resolving names using the internal DNS (inside your network) or the external DNS (outside of your network)? So again highlighting Direct Access, the client is most certainly outside of the network and has a certificate (point 2) with a common name that tells it where to go. So the common name must be able to be resolved externally.
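As an added example, not part of the original post, the PowerShell script below walks those four points for a certificate file on a Windows machine: it builds the chain with an online revocation check, lists the CRL and AIA URLs stamped in the certificate, pulls out the common name and DNS subject alternative names, and asks an external resolver whether each name resolves. It assumes Windows PowerShell 5 or later with the DnsClient module (Resolve-DnsName); `$ExternalResolver` is a placeholder you point at a resolver that only sees your external DNS zone.

```powershell
# Added example (not from the original post). Reports the four checks for a
# certificate file. Assumes Windows PowerShell 5+ with the DnsClient module;
# $ExternalResolver is a placeholder for a resolver that sees only your external zone.
param(
    [Parameter(Mandatory)][string]$CertPath,
    [string]$ExternalResolver = 'external-resolver.example.invalid'
)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Trust: does the chain build to a root in this machine's trusted store,
#    and does it still build when revocation is checked online?
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
"Chain builds with online revocation check: $($chain.Build($cert))"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }

# 2. Revocation: URLs stamped in the CRL Distribution Points and AIA extensions.
#    An http:// path is what an Internet client can reach; ldap:/// works internally only.
function Get-ExtensionUrls([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), '(https?|ldap)://\S+') | ForEach-Object { $_.Value }
}
"CRL distribution points:";      Get-ExtensionUrls $cert '2.5.29.31'         | ForEach-Object { "  $_" }
"Authority Information Access:"; Get-ExtensionUrls $cert '1.3.6.1.5.5.7.1.1' | ForEach-Object { "  $_" }

# 3. Names: the common name plus any DNS subject alternative names. The client
#    connects to one of these, so the name has to be right at request time.
$names = @($cert.GetNameInfo('SimpleName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $names += [regex]::Matches($san.Format($true), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }

# 4. Resolution: does each name resolve on the external DNS? A name that only
#    resolves internally fails for a client sitting on the Internet.
foreach ($name in ($names | Sort-Object -Unique)) {
    $rec = Resolve-DnsName -Name $name -Server $ExternalResolver -Type A -ErrorAction SilentlyContinue
    if ($rec) { "  $name -> $(($rec | Where-Object IPAddress).IPAddress -join ', ')" }
    else      { "  $name does not resolve via $ExternalResolver" }
}
```

Run it from an Internet-connected client rather than from the CA itself, since the point of checks 1, 2 and 4 is what the client can reach, not what the server can.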