8

I'm using AD-Certificate Services to issue computer certificates to domain-joined Windows computers (both servers and workstations). These certs are obtained via the auto-enroll process defined by Active Directory.

My question is: if these computer certs have the correct OID details is there any reason to not use them for https bindings on servers running IIS? All systems accessing these web servers are internal and will trust the ADCS PKI.

Edit: To be clear, I'm asking specifically about using the computer cert issued as a part of domain membership.

HopelessN00b
aaron
Is there a reason you want to use this certificate, instead of using the default certificate template provided in ADCS for web servers? – HopelessN00b Mar 26 '18 at 20:29

...I guess, now that I think of it, some details on what certificate type (like which template is it using, and what's configured on it) is being issued in your domain to domain-joined machines would be helpful. – HopelessN00b Mar 26 '18 at 20:44

Because this cert is auto-renewed as part of the computer's AD membership. As long as the server stays in the domain, no manual intervention is needed to renew it. – aaron Mar 26 '18 at 20:45

...you can set up auto-enrollment rules for whatever certs you want, including those issued by a customized Web Server template... – HopelessN00b Mar 26 '18 at 20:46

2 Answers

8

There's no issue with running local certificates at all. Many enterprises use an internal CA such as AD-Certificate Services to manage and automate the creation of certificates for their servers. It's just as secure as a public CA as long as you distribute the certificates out to your clients and keep the private keys secured and private.

belac9615

To be clear, I'm asking specifically about using the computer cert issued as a part of domain membership. I'm aware certs from an internal CA can be used as long as the clients trust the issuers. – aaron Mar 26 '18 at 20:16
5

is there any reason to not use them for https bindings on servers running IIS?

Nope.

Where the cert comes from is irrelevant as long as it's trusted and has the appropriate X.509 extensions for what you intend to use it for.

Ryan Bolger
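Both answers come down to the same pre-flight check: the certificate must chain to a CA the clients trust, carry the Server Authentication EKU, name the host in its SAN, and have its private key on the box. The script below is an added example, not code from either answer or from Microsoft; it inspects the machine store on the IIS host and binds the first certificate that passes. The site name 'Default Web Site', port 443 and the use of the host's own FQDN as the expected name are assumptions to adjust for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: validate an auto-enrolled computer certificate before using it
# for an IIS HTTPS binding. Assumes the WebAdministration and PKI modules are
# present (Windows Server 2012 R2 or later).
Import-Module WebAdministration
Import-Module PKI

$siteName      = 'Default Web Site'   # assumption: adjust to your site
$port          = 443                  # assumption
$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'  # id-kp-serverAuth
$templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'  # v2 / v1 template extension

function Get-CertificateTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '(no template extension)' }
}

# Candidates: unexpired certs with a private key and the Server Authentication
# EKU. A computer cert issued only for Client Authentication is trusted but
# browsers will still refuse it for TLS server use.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
}

$report = foreach ($cert in $candidates) {
    # Name matching is done against the SAN; modern browsers ignore the Subject CN.
    $sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $sanOk    = $sanNames -contains $fqdn

    # Test-Certificate builds the chain under the SSL policy (trust + revocation)
    # and fails if the issuing CA is not trusted on this host.
    $chainOk = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Template   = Get-CertificateTemplateName -Cert $cert
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        SanMatch   = $sanOk
        ChainOk    = $chainOk
    }
}

$report | Format-Table -AutoSize

$usable = $report | Where-Object { $_.SanMatch -and $_.ChainOk } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $usable) {
    throw "No certificate in Cert:\LocalMachine\My is suitable for https://$fqdn"
}

# Create the HTTPS binding if it does not exist yet, then attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $port)) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
$binding.AddSslCertificate($usable.Thumbprint, 'my')
Write-Host "Bound $($usable.Thumbprint) ($($usable.Template)) to $siteName on port $port"
```

The binding pins the certificate by thumbprint. When auto-enrollment renews the computer certificate, the renewed certificate has a new thumbprint, so the binding has to be refreshed after each renewal (by re-running a check like this one, or by using the automatic rebind option IIS offers for renewed certificates) or the site keeps serving the old certificate until it expires.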