View 5.1 certificate for multiple connection servers

I apologize for the delay with posts. I've been pretty busy at work keeping everything ship-shape. I finally got to a point where I could start thinking about some redundancy in our View environment and, after going through some documents and other blogs, I decided to go with two load balancers on the outside connected to two security servers, which in turn have two dedicated connection servers on the inside. Then on the inside I have two more dedicated connection servers and two load balancers (btw, I've been testing out Zen Load Balancer internally and so far, for open source, this program is pretty impressive - and it's still being developed!).

The one thing that had me a little stumped was the SSL certificate. I was going from one connection server and one security server to four connection servers and two security servers. My original design was for view.<organization>.com to be reachable no matter where you were - inside or out - and I wanted to keep it that way. Well, the problem was that the certificate I purchased was of the single-domain variety for around $40 from GoDaddy. I loaded that cert on both the original security server and connection server and had my internal DNS doing everything for both servers. That worked out just fine... until now. I didn't want to ask to purchase a multi-domain SSL cert and I didn't want to risk re-keying the original with a CSR that had multiple subject alternative names (SANs), due to the fact that GoDaddy's support site said you had to purchase a multi-domain SSL cert to use SANs in the first place.

Well, the answer, it turns out, was our internal CA server. I kept the GoDaddy cert for the outside servers and installed a new internal cert on our internal connection servers. As it's being tested out now, everything is working just fine (I just need to convert and upload the CA's root certificate to the zero clients and I should be good to go). Since it isn't clearly documented anywhere how to actually create a multi-domain CSR, I thought I'd document the process here. This process is for a Windows Server 2008 R2 machine, and the request is made from the Local Computer certificate store, which is where View expects to find the certificate and its private key.

Step 1) Open MMC, add the Certificates snap-in for the Computer account (not My user account), and expand Personal --> Certificates

Step 2) Right-click the Certificates folder, go to "All Tasks" --> "Advanced Operations" --> "Create Custom Request"


Step 3) Start the enrollment process


Step 4) Select "Proceed without enrollment policy"


Step 5) Under "Template" select "(No template) Legacy Key" and keep "PKCS #10" selected under "Request Format". Legacy Key means a CryptoAPI (CSP) key rather than a CNG key, which is what View 5.1 requires.


Step 6) Under "Custom Certificate" hit "Properties"


Step 7) Under the "General" tab type in "vdm" as the "Friendly Name". This is not cosmetic: a View connection server picks the certificate with the friendly name vdm out of the Local Computer Personal store, so if another certificate on the server already carries that name (the self-signed one View installed, for example) rename it first.


Step 8) On the "Subject" tab, select the drop-down for "Subject Name" and select "Common name". Type in the FQDN of the DNS entry point for your internal View clients (i.e. view.yourdomain.com) and hit "Add". Then for the drop-down menu under "Alternative Name", select "DNS" and begin by entering that same FQDN. Clients that find a SAN extension validate the hostname against the SAN list and ignore the CN, so the entry point has to appear in both.


Step 9) Then add a "DNS" entry under "Alternative Name" for each of your connection servers. This is vitally important if you're going to load balance connection servers: a client that lands on a specific server (or that you point at one directly for troubleshooting) will compare that server's hostname with the SAN list and refuse the connection if it isn't there.


Step 10) On the "Extensions" tab, under "Key Usage", add "Digital signature" and "Key encipherment" (the two usages a TLS server certificate with an RSA key needs)


Step 11) Then under "Extended Key Usage" select and add "Server Authentication" and "Client Authentication"


Step 12) On the "Private Key" tab, under "Cryptographic Service Provider", have only "Microsoft Strong Cryptographic Provider (Signature)" and "Microsoft RSA SChannel Cryptographic Provider (Encryption)" selected. The SChannel provider is the one Windows uses for TLS, so leaving it out produces a certificate the server cannot serve.



Step 13) Under the "Key Options" section, choose your key strength. I chose 2048 and marked the key as exportable in the example. Treat 2048 as the minimum. Exportable only matters if you intend to copy this certificate and key to the other connection servers; if you do, remember that the same private key then lives on every server, so a compromise of one exposes them all. The alternative is to repeat these steps on each server and issue one certificate per server, each carrying the full SAN list.


Step 14) Click "OK" and it should bring you back to this screen


Step 15) Hit "Next" and select where you want to save the CSR. Make sure "Base 64" is marked as the format; that is the PEM text your CA's web enrollment page or certreq will accept. The private key stays behind in the Local Computer store, and the issued certificate is paired with it when you import the certificate into the same store.


Congrats! You now have a CSR for your load-balanced View environment created with Windows Server 2008 R2. The next step is up to you, but I chose to have the cert signed with our internal CA to save some money. Getting a multi-domain certificate can be a little expensive. One of the drawbacks to having an internal-CA-signed certificate is that you have to distribute the root CA certificate to every client that doesn't already trust it (mobile devices, zero clients, anything not domain-joined), but depending on your MDM platform that could be an automatic thing for you.
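The same request can be produced from the command line with certreq, which is easier to repeat on each connection server and leaves a file you can diff. This is an added example, not the author's procedure or anything from VMware; the INF fields map one-to-one onto the wizard steps above. The hostnames (view.yourdomain.com as the entry point, cs01/cs02.yourdomain.com as the connection servers), the paths under C:\certs, the CA config string "ca01.yourdomain.com\YourOrg-Issuing-CA" and the WebServer template name are assumptions you will need to replace.

```powershell
# Added example: build the multi-SAN CSR from a certreq INF instead of the MMC wizard.
# All hostnames, paths and the CA config string below are assumed/hypothetical.
# Single-quoted here-string so PowerShell does not try to expand $Windows NT$.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=view.yourdomain.com, O=YourOrg, C=US"     ; Step 8: CN = internal entry point
FriendlyName = "vdm"                                   ; Step 7: name View looks for
KeyLength = 2048                                       ; Step 13
Exportable = TRUE                                      ; Step 13: only if the key must be copied elsewhere
MachineKeySet = TRUE                                   ; Step 1: Local Computer store, not the user's
KeySpec = 1                                            ; AT_KEYEXCHANGE, needed for TLS
KeyUsage = 0xA0                                        ; Step 10: Digital Signature (0x80) + Key Encipherment (0x20)
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"   ; Step 12 / Step 5 (legacy CSP key)
ProviderType = 12
RequestType = PKCS10                                   ; Step 5
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1                                ; Step 11: Server Authentication
OID = 1.3.6.1.5.5.7.3.2                                ; Step 11: Client Authentication

[Extensions]
2.5.29.17 = "{text}"                                   ; Steps 8-9: Subject Alternative Name
_continue_ = "dns=view.yourdomain.com&"
_continue_ = "dns=cs01.yourdomain.com&"
_continue_ = "dns=cs02.yourdomain.com"
'@

New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\vdm.inf -Value $inf -Encoding ASCII

# Generates the key pair in the Local Computer store and writes a Base64 (PEM) CSR (Step 15).
certreq -new C:\certs\vdm.inf C:\certs\vdm.req

# Check the request before sending it anywhere: the dump should list every DNS name
# under Subject Alternative Name and both EKUs.
certutil -dump C:\certs\vdm.req

# Submit to the internal CA. The template must allow the subject to be supplied in the
# request so that the SAN extension carried inside the CSR is honoured.
certreq -submit -config "ca01.yourdomain.com\YourOrg-Issuing-CA" `
    -attrib "CertificateTemplate:WebServer" C:\certs\vdm.req C:\certs\vdm.cer

# Pairs the issued certificate with the private key that certreq -new left in the store.
certreq -accept C:\certs\vdm.cer

# Verify what View will actually pick up: exactly one certificate named vdm, with a
# private key, whose SAN list covers the entry point and every connection server.
$vdm = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' }
"Certificates named vdm: " + @($vdm).Count            # must be 1, or View picks the wrong one
"Has private key: " + $vdm.HasPrivateKey               # must be True
$vdm.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
    ForEach-Object { $_.Format($true) }                # prints the DNS names
```

Keep the SAN list inside the CSR's extension block, as above, rather than passing names to the CA as a request attribute. Honouring SAN attributes requires the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag, and with that flag set any account that can enrol for any template can ask the CA for a certificate bearing any hostname it likes, which defeats the point of having the CA vouch for view.yourdomain.com in the first place.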

3 comments:

Unknown said...

Matt - Great post but I have a question. I am testing with the same setup but am having trouble understanding about what URLs/Addresses I need to put in the External URL box, on the external connection servers?

Matt Villilo said...

The External URL that you need to enter is the URL that people will be using to access your View environment (i.e. https://view.yourdomain.com:443). That's going to be the FQDN you enter in step 8 above when creating the CSR. Just remember, if you're using load-balanced security servers for outside access, the process is similar but you'll need to (or should) create a secondary certificate for those servers.

Anonymous said...

Matt - It's a really clear explanation of exactly how a multi-domain CSR can be created on a Windows Server 2008 R2 machine. We are going to share your step-by-step process on our SSL Installation Education blog. As a Platinum Certificate Authority, I hope that your blog post will help other users.

- Thanks
