Internal use Extended Validation Certificates

I would like to deploy certificates to my internal servers that bear Extended Validation. Through domain policy, I am able to push my own root certificates to the Trusted Root Certification Authority store in the PCs that I manage.  In doing so, the certificates signed by my private key appear to be valid and trusted to my internal users when viewing my internal servers.

Obviously, my root certificate is not going to be included in standard browser installations, so your average web user is not going to trust my certificates.  They don't have access to my internal network, so they have no reason to anyway.

Still, what I'm wondering: with my root certificate imported into the browser's TRCA store, is it possible for me to sign certificates bearing the necessary attributes to make them appear to the user as an Extended Validation Certificate? I typically use the OpenSSL commands to generate my keys, CSRs and certificates. How might I go about this?
Erik Schminke, AIX/Linux Systems Administrator, asked:
You can do this using a Microsoft internal CA and GPOs that add your internal EV OID into the list of OIDs trusted by IE for EV certificate issuance. See the blog post here from the Microsoft AD DS team. IE (at the time the article was published) supports this, but the article is almost a decade old now. Other browsers, to the best of my knowledge, will not support your EV cert in displaying a green bar. Firefox doesn't use the Windows certificate store and maintains its own hard-coded list of OIDs in its certificate store. Chrome uses the Windows certificate store but has a hard-coded list of OIDs trusted for EV cert issuance (see here).

So I would say no, it will not be possible unless you want to move away from using OpenSSL and standardise IE as your corporate browser. Maybe someone else has done this; if they have, I would be interested to know how.
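The asker's "how might I go about this with OpenSSL" and the answer's point about policy OIDs come down to one extension: an EV certificate is an ordinary X.509 certificate whose certificatePolicies extension carries a policy OID that the client has in its built-in EV list. The script below is an added example (not from the original thread or from any of the products named in it): it builds a throwaway internal root, issues a server certificate carrying a constructed policy OID, and checks that the OID is present and the chain verifies. The OID 1.3.6.1.4.1.99999.1.1 and the hostname intranet.example.internal are placeholders; the only requirement is the openssl CLI.

```shell
#!/bin/sh
# Added example, not code from the original thread. Issues an internal server
# certificate carrying a certificatePolicies extension with the organisation's
# own policy OID, then confirms the OID is present and the chain verifies.
# Constructed values: the OID is a placeholder under the private-enterprise
# arc and the hostname is made up. Requires the openssl CLI.
set -eu

EV_OID="1.3.6.1.4.1.99999.1.1"   # placeholder for the organisation's policy OID
WORK="$(mktemp -d)"

# Write a minimal OpenSSL config: one extension section for the root CA and
# one for the server certificate that adds certificatePolicies with our OID.
write_config() {
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Internal Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.internal
# The policy OID is what an EV-aware client compares against its built-in list.
certificatePolicies = $EV_OID
EOF
}

# Create the self-signed root and issue a server certificate under it.
issue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -config "$WORK/openssl.cnf" -extensions v3_ca >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -config "$WORK/openssl.cnf" -subj "/CN=intranet.example.internal" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_server \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Print "present" when the issued certificate carries our policy OID, "absent" otherwise.
policy_oid_status() {
  if openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "Policy: $EV_OID"; then
    echo present
  else
    echo absent
  fi
}

# Succeed when the server certificate chains to the internal root. This is the
# part a root pushed into the TRCA store gives you; whether a browser shows an
# EV indicator is decided separately from its own OID list and cannot be shown here.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

write_config
issue_cert
policy_oid_status
chain_ok && echo "chain verifies against internal root"
```

Running it prints `present` and the chain message: the certificate is well-formed and carries the policy OID. That is as far as OpenSSL takes you; as the answer notes, the green bar depends on the client recognising that OID, which IE (via the GPO-configured list) did and Firefox and Chrome, with their hard-coded lists, do not.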

Erik Schminke, AIX/Linux Systems Administrator (author), commented:
Thanks Learnctx. Looks like, at the heart of the matter, browsers are coded to trust a specific list hard-coded into the binary, and there is nothing inherent about the certificate; which is what I was looking to have answered.