You will be creating a certificate on your Domain Controller and binding it to the ADC endpoint.
Most modern browsers will complain if a certificate uses the default SHA1 hashing algorithm.
The following steps will configure your server to generate certificates using SHA256 hashing. Or you can create a copy of the Web Server template and configure it appropriately.
1. Open an elevated (run as administrator) command prompt.
2. Run the following commands:
net stop certsvc
net start certsvc
This section shows one method for creating a suitable certificate. You can use any method you are familiar with, provided the Subject Name and SAN match the pattern described here.
The following diagram illustrates the settings used in this document: the server hostname will be “adc-server”, domain is “dev.my1login” and the ADC will be assumed to be on its default port of 47810.
The certificate’s subject must match the FQDN of the ADC Server, in this case
The certificate must also have a valid SAN (Subject Alternative Name) otherwise Chrome version 58 or later will report a security exception.
This assumes that you have installed the AD Certificate Services on the domain controller and that you've generated a root CA for the domain.
This process should be carried out on the ADC server and will result in the certificate being generated an installed on the server.
The screen shots in this section show the configuration for the above example.
You will now
configure the Web Server template.
If you can see the Web Server template:
We have found that the following settings work with Chrome’s
· In the Alternative Name area, select the Type as DNS and also enter the same FQDN of the ADC server.
· Click the Add > buttons beside each area.
· Click Ok
· Ensuring that the Web Server tick box is checked, click on Enroll.
You should now see the certificate in the snap-in.
If you do not have AD Certificate services, then you can bind a publicly issued certificate (single domain or wildcard) to the ADC endpoint.
If you choose to take this approach the fully qualified domain name of the certificate must resolve to the IP address of the server on which the ADC is installed. This can be done via AD DNS services (preferred) or a public DNS server if there is no other option.
From the ADC Management App, select the Certificate Binding tab.
If the Selected Certificate drop down does not show any certificates, and you’ve just created one, then changing the “Only Load Valid Certificates” checkbox state will force a re-load of all certificates on the server that match the machine’s hostname.
Select the required certificate in the Selected Certificate drop down.
Unless you have any requirement not to do so, then leave the Bind to IP Address at 0.0.0.0 and click the Bind to Selected IP button.
The Bound Certificate and Bound To IP:Port boxes will update to show the new binding.