
I have written some (intranet) web applications for a small customer of mine (< 50 employees) who have now incorporated a cloud Citrix server into their network for remote access. They still have physical PCs as well. The cloud-based Citrix VDIs are peers on their on-premise network and can see the web server there.

Before the company got the Citrix cloud solution, I had been creating a self-signed SSL certificate (not backed by any CA) on the server hosting IIS and then asking the system administrator to import it into the Trusted Certificate Authorities store on the physical PCs, which were running Windows 10.

I'd like to know if the system administrator is able to create an SSL certificate from their Active Directory console on the network, which would be backed by a CA, so that it could be imported into IIS with the private key, and then bound to the website for https, with the Citrix VDIs simply recognizing the CA, via their tie-in to AD, and without the SSL certificate (sans private key) having to be imported into the Citrix VDIs.

Is there a way to eliminate that final step, which is required now when using the self-signed certificate? If this is possible, is there a how-to somewhere to which I could refer the system administrator, who is a novice promoted from within the company into a position for which they have not received any formal training?

Tim
  • The core idea of PKI is that for a certificate to be recognized you need to trust it, either explicitly by direct import (as you do with CA certificates and self-signed certificates) or implicitly by means of another, already trusted certificate (for which you import the CA's certificate). Also notice that you normally don't import a private key; ideally it should be generated and stored securely on the target system and never leave it. You generate the private key and the CSR, provide the latter to the CA, and the CA replies with a signed certificate which you import back. – Nikita Kipriyanov Aug 01 '23 at 15:56
  • This is actually a good case for not using self-signed certificates. They are frowned upon in many other areas, resulting in situations such as this. Compliance is another area where surprises such as this would be discovered. – Greg Askew Aug 01 '23 at 16:15
  • @NikitaKipriyanov The certificate-with-private-key never left the server on which it was generated. It was imported into IIS, and then the certificate was exported without the private key. – Tim Aug 01 '23 at 17:07
  • IIS has to be able to import a certificate (with private key) in order to bind the website to it for https support. It is my understanding that if the server is an intranet server and is not public facing, we cannot purchase a certificate for it from a place like DigiCert. Am I mistaken about that? – Tim Aug 01 '23 at 17:09
  • You don't need to have a publicly recognized certificate. Use AD Certificate Services to build your own CA to sign your internal certificates. You can distribute this CA root certificate (self-signed) throughout the domain using policies, so you don't need to provision it by hand to each computer; it is enough to join it to the domain. Any computer which is provisioned with the CA root certificate (domain member, or where the certificate is installed by hand) will trust your CA and, therefore, recognize all certificates signed with it. This is just the basic idea; read MS documentation for further details. – Nikita Kipriyanov Aug 01 '23 at 17:27
  • @NikitaKipriyanov Thank you for confirming that that is possible. I am not the systems administrator, as I mentioned, but a software developer. I need to get the actual systems administrator (or better yet, the company's external support team) to do that in such a way that the certificate can be imported into IIS. – Tim Aug 01 '23 at 17:47
  • With AD CS, you don't need to do that by hand. It is well integrated. If you need to generate a certificate for a domain-joined IIS server, it is literally a few clicks and it's done. You mentioned Citrix, who suggest different kinds of products, and into some of them you'll need to import manually. – Nikita Kipriyanov Aug 01 '23 at 17:58
  • `It is my understanding that if the server is an intranet server and is not public facing, we cannot purchase a certificate for it from a place like DigiCert. Am I mistaken about that?` That is not accurate. You can purchase a certificate for any name that is public and registered to you. The physical location internal/external is irrelevant. For snowflake names like `servername.local`, some authorities may have private CAs. But as stated the infrastructure to issue certificates is included with all platforms. – Greg Askew Aug 02 '23 at 10:36
  • @GregAskew The issue is complicated here (for me) by the fact that Citrix cloud desktops are accessing the intranet web server as peers on the local LAN. Whatever is done has to be compatible with them. I am not in a position to generate those certs myself, but now that I know it is possible, I can advocate that the company get the outside network management team to do it. – Tim Aug 02 '23 at 11:53
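
The AD CS flow the commenters describe, as an added example that is not from the question or any commenter: the domain-joined IIS server enrolls for its own certificate from the enterprise CA (the private key is generated locally and never leaves the box), binds it to the site, and a domain-joined client such as a Citrix VDI is then checked for the CA root that AD/Group Policy should have delivered, so no per-client import is needed. The DNS name, site name, template name and CA name are placeholders, and it assumes an enterprise CA with a published web-server template the server's computer account is allowed to enroll from.

```powershell
# Added example, not the questioner's or any commenter's script. Placeholders throughout.
#Requires -RunAsAdministrator
$fqdn   = "intranet.corp.example"   # placeholder: name users browse to; must match the cert's SAN
$site   = "Default Web Site"        # placeholder: IIS site to bind
$tmpl   = "WebServer"               # placeholder: AD CS template *name* (not its display name)
$caName = "Corp-Issuing-CA"         # placeholder: CN of the enterprise CA certificate

# ---- Part 1, run on the IIS server: enroll from the enterprise CA found via Active Directory.
# The key pair is created in the local machine store; only the CSR goes to the CA.
$enroll = Get-Certificate -Template $tmpl -DnsName $fqdn -Url ldap: `
                          -CertStoreLocation Cert:\LocalMachine\My
if ($enroll.Status -ne "Issued") {
    throw "Enrollment did not complete, status '$($enroll.Status)' (check template permissions)"
}
$cert = $enroll.Certificate
Write-Host "Issued by '$($cert.Issuer)' thumbprint $($cert.Thumbprint)"

# Bind the issued certificate to the site for HTTPS (WebAdministration ships with IIS).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $site -Protocol https -HostHeader $fqdn)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $fqdn -SslFlags 1   # 1 = SNI
}
(Get-WebBinding -Name $site -Protocol https -HostHeader $fqdn).AddSslCertificate($cert.Thumbprint, "My")

# ---- Part 2, run on a domain-joined client (e.g. a Citrix VDI): nothing to import by hand.
# An enterprise CA publishes its root into AD and Group Policy places it in LocalMachine\Root.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$caName*" }
if (-not $root) {
    Write-Warning "CA root '$caName' is not in Trusted Root; run 'gpupdate /force' or confirm domain membership"
}

# End-to-end check: a chain or name mismatch makes Invoke-WebRequest throw rather than pass silently.
try {
    Invoke-WebRequest -Uri "https://$fqdn/" -UseBasicParsing | Out-Null
    Write-Host "TLS trust chain and hostname OK for $fqdn"
} catch {
    Write-Warning "HTTPS check failed for ${fqdn}: $($_.Exception.Message)"
}
```

Part 2 is the check to give the administrator: if it passes on a VDI with no manual import, the root is arriving through the domain as the comments describe; if it warns, the VDI is either not domain-joined or has not yet applied policy.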

0 Answers