
Internal use Extended Validation Certificates

I would like to deploy certificates to my internal servers that bear Extended Validation. Through domain policy, I am able to push my own root certificates to the Trusted Root Certification Authority store in the PCs that I manage.  In doing so, the certificates signed by my private key appear to be valid and trusted to my internal users when viewing my internal servers.

Obviously, my root certificate is not going to be included in standard browser installations, so your average web user is not going to trust my certificates.  They don't have access to my internal network, so they have no reason to anyway.

Still, what I'm wondering is: with my root certificate imported into the browser's TRCA store, is it possible for me to sign certificates bearing the necessary attributes to make them appear to the user as an Extended Validation certificate?  I typically use the OpenSSL commands to generate my keys, CSRs and certificates.  How might I go about this?
Erik Schminke
1 Solution
You can do this using a Microsoft internal CA and GPOs that add your internal EV OID into the list of OIDs trusted by IE for EV certificate issuance. See the blog post here from the Microsoft AD DS team. IE (at the time the article was published) supports this, but the article is almost a decade old now. Other browsers, to the best of my knowledge, will not support your EV cert in displaying a green bar. Firefox doesn't use the Windows certificate store and maintains its own hard-coded list of OIDs in its certificate store. Chrome uses the Windows certificate store but has a hard-coded list of OIDs trusted for EV cert issuance (see here).

So I would say no, it will not be possible unless you want to move away from using OpenSSL and standardise on IE as your corporate browser. Maybe someone else has done this; if they have, I would be interested to know how.
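To make the point in the answer concrete, here is an added example (not from the original post or any of the linked articles): it mints a private root and a leaf certificate carrying a certificatePolicies OID with OpenSSL, then models the browser-side decision as a small allow-list check. The OID 1.3.6.1.4.1.99999.1.1 is a constructed placeholder under a private arc, 2.23.140.1.1 is the public CA/Browser Forum EV policy OID, and openssl 1.1.1 or newer is assumed on PATH.

```shell
# Added example, not from the original post: the certificate only carries a
# policy OID; whether that means "EV" is decided entirely by the relying
# party's allow-list (the hard-coded browser list, or IE's list plus a GPO).
set -e
WORK=$(mktemp -d)
PRIVATE_EV_OID="1.3.6.1.4.1.99999.1.1"   # constructed placeholder, private arc
CABF_EV_OID="2.23.140.1.1"               # public CA/Browser Forum EV policy OID
cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
certificatePolicies = $PRIVATE_EV_OID
EOF
make_certs() {
  # Self-signed root (constructed test CA), a leaf CSR, then the signed leaf
  openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 3650 -subj "/CN=Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=intranet.example.internal" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -extfile "$WORK/pki.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.crt" 2>/dev/null
}
# Print the policy OIDs a certificate carries, one per line
cert_policy_oids() {
  openssl x509 -in "$1" -noout -text | grep -o 'Policy: [0-9.]*' | sed 's/Policy: //'
}
# Model of the browser's EV decision: chain must verify to the trusted root AND
# a leaf policy OID must be on the EV list ($1 leaf, $2 root, $3 allow-list)
is_ev_for_relying_party() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  for oid in $(cert_policy_oids "$1"); do
    for allowed in $3; do [ "$oid" = "$allowed" ] && return 0; done
  done
  return 1
}
make_certs
# Stock browser list (public EV OID only): not EV; list extended by policy: EV
is_ev_for_relying_party "$WORK/leaf.crt" "$WORK/ca.crt" "$CABF_EV_OID" \
  && echo "stock list: EV" || echo "stock list: not EV"
is_ev_for_relying_party "$WORK/leaf.crt" "$WORK/ca.crt" "$CABF_EV_OID $PRIVATE_EV_OID" \
  && echo "extended list: EV" || echo "extended list: not EV"
```

The generated files are left in the temporary directory so the leaf can be inspected with `openssl x509 -text`.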
Erik Schminke (AIX/Linux Systems Administrator, Author) commented:
Thanks Learnctx. Looks like, at the heart of the matter, browsers are coded to trust a specific list, hard-coded into the binary, and there is nothing inherent about the certificate, which is what I was looking to have answered.