SSL Certificates - Windows Certificate Service
1.1 Overview
You will be creating a certificate on your Domain Controller and binding it to the ADC endpoint.
1.2 Prerequisites
- Active Directory Certificate Services installed
- Certificate generation uses SHA256 rather than
SHA1
1.2.1 Generating SHA256 Certificates from Windows
Most modern browsers will complain if a certificate uses the default SHA1 hashing algorithm.
The following steps will configure your server to generate certificates using SHA256 hashing. Or you can create a copy of the Web Server template and configure it appropriately.
1. Open an elevated (run as administrator) command prompt.
2. Run the following commands:
certutil -setreg
ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc
1.3 Create a Suitable Certificate
This section shows one method for creating a suitable certificate. You can use any method you are familiar with, provided the Subject Name and SAN match the pattern described here.
The following diagram illustrates the settings used in this
document: the server hostname will be “adc-server”, domain is “dev.my1login”
and the ADC will be assumed to be on its default port of 47810.
The certificate’s subject must match the FQDN of the ADC Server, in this case
“adc-server.dev.my1login”.
The certificate must also have a valid SAN (Subject Alternative Name) otherwise Chrome version 58 or later will report a security exception.
1.4 Certificate Generation using AD Certificate Services
This assumes that you have installed the AD Certificate Services on the domain controller and that you've generated a root CA for the domain.
This process should be carried out on the ADC server and will result in the certificate being generated an installed on the server.
The screen shots in this section show the configuration for the above example.
- On the ADC server, run MMC and open the
Certificates snap in
- Select the Computer account / Local computer
options
- Drill down to the Personal / Certificates folder
- Right click on Certificates and select All Tasks -> Request New Certificate…
- Click Next on the initial screen.
- Click Next on the Select Certificate
Enrolment Policy screen
You will now
configure the Web Server template.
If you do not
see the Web Server template, then either:
The template may not have been added to the Certification Authority’s
list.
Right click on Certificate Templates, click New / Certificate Template to Issue
and add the certificate template.
- or -
Your user/computer does not have permission to use (Enrol) that template. You will need to have the correct permissions set against the template. This is managed from Certificate Templates Console. Details on using this tool may be found at
https://technet.microsoft.com/en-us/library/cc772457(v=ws.11).aspx
If you can see the Web Server template:
- Check the tick box beside the Web Server
template
- Click on the blue text, beside the information icon, to launch the configuration screen.
We have found that the following settings work with Chrome’s
SAN requirements:
- In the Subject Name area, select the Type as
Common name and enter the FQDN of the ADC server.
- In our example this is adc-server.dev.my1login
· In the Alternative Name area, select the Type as DNS and also enter the same FQDN of the ADC server.
· Click the Add > buttons beside each area.
· Click Ok
· Ensuring that the Web Server tick box is checked, click on Enroll.
You should now see the certificate in the snap-in.
1.5 Using a Publicly Issued Certificate
If you do not have AD Certificate services, then you can bind a publicly issued certificate (single domain or wildcard) to the ADC endpoint.
If you choose to take this approach the fully qualified domain name of the certificate must resolve to the IP address of the server on which the ADC is installed. This can be done via AD DNS services (preferred) or a public DNS server if there is no other option.
1.6 Bind the Certificate to the ADC
From the ADC Management App, select the Certificate Binding tab.
If the Selected Certificate drop down does not show any certificates, and you’ve just created one, then changing the “Only Load Valid Certificates” checkbox state will force a re-load of all certificates on the server that match the machine’s hostname.
Select the required certificate in the Selected Certificate drop down.
Unless you have any requirement not to do so, then leave the Bind to IP Address at 0.0.0.0 and click the Bind to Selected IP button.
The Bound Certificate and Bound To IP:Port boxes will update to show the new binding.
Related Articles
ADC Installation Requirements
Download our handy ADC checklist at the bottom of this page! The ADC is installed on a server within your network, it is not necessary, or recommended, for this server to be the domain controller. When supporting seamless SSO the ADC acts as a local, ...Load Balancing Multiple Active Directory Connectors
Load balancers distributes traffic across multiple servers and ADCs. The purpose is to provide a balanced service across its pool of servers and increasing resiliency. My1Login ADCs can be installed across multiple domain controllers in this pool of ...ADC Management
Starting/Stopping the ADC Service Navigate to the server where the ADC is hosted. Search for "ADC" and open the ADC UI. Check the status of the ADC - Running or Stopped - you can see this on the ADC service Control Tab Stop/Start service Performing ...EDS Requirements
Technical Requirements Microsoft Entra ID Entra App Registration with privileges to read the directory Define AU or group objects to be synchronised My1Login Username & Password for Service Account Server Windows VM running in Azure 2 vCPU and 8GB ...Finding EDS Configuration Values in Azure
To configure the EDS, you need 3 values: The Tenant ID of the Entra Directory The Client ID of the application The Client Secret of the application Finding the Values Open Azure and select correct directory Navigate to Microsoft Entra ID page Click ...