ksfrist
asked on
Question Regarding multi Standard SSL Certs verses Wildcard Cert - Microsoft AD CA related.
I'll apologize up front for any ignorance on this topic, as I've been scouring Microsoft KB articles and trying to understand better.
Through GoDaddy, our Org has purchased 2 standard SSL Certificates for our multi ISP VPN connections and one wildcard SSL Certificate for a specific application server located internally to our domain but public facing.
We also need to pick up an SSL Cert for use for Radius authentication for our wireless, and I'm trying to determine if I just need to purchase yet another standard SSL Certificate or another Wildcard Certificate and try to consolidate everything to get it on the same renewal cycle.
We use an internal Microsoft AD CA for our current Radius authentication with a self signed Cert, so my assumption would be if I consolidated under a blanket Wildcard Cert it would need to be housed there.
We're going to a GoDaddy Cert for Radius authentication because of the Android 11 update.
We also have the question of other internal resources that use an https connection and how to secure those. Nothing public facing, all internal DNS, such as ds01.tigers.org or vc01.tigers.org that point to our datastores and vCenter. Would I need to add those DNS entries to the original CSR for the wildcard cert?
I'm pretty sure we'll stick with GoDaddy as that's what the purchasing/director is comfortable with, although other recommendations are welcome.
I hope this question makes sense or it may be 2 different questions. I so appreciate any guidance or a smack over the head.
A wildcard cert works for all hosts on the domain. You don't need to specify them in advance in the CSR. There are some services that do not work with wildcard certs. They include Exchange and AD LDAPS. You should be able to use your existing wildcard cert with NPS for your wireless authentication.
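The matching rule behind that answer, as an added example that is not from the thread: it implements the hostname check TLS clients apply to a certificate name (RFC 6125 section 6.4.3, where `*` may only be the whole left-most label and matches exactly one label) and runs it against the hosts named in the question. The host and SAN values are constructed from the thread; nothing here reads a real certificate.

```python
"""Does a certificate name such as '*.tigers.org' cover a given host?"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare one DNS label; a bare '*' matches any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` (e.g. '*.tigers.org' or
    'vpn1.tigers.org') is valid for `hostname` under the RFC 6125 rule."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        # The wildcard must be the entire left-most label ('ds*.tigers.org'
        # is rejected) and needs at least two labels after it, so '*.org'
        # never matches anything.
        if (p_labels[0] != "*"
                or any("*" in label for label in p_labels[1:])
                or len(p_labels) < 3):
            return False
    # A wildcard covers exactly one label: 'a.b.tigers.org' and the bare
    # 'tigers.org' both have the wrong label count for '*.tigers.org'.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def covered_by(sans, hostname: str) -> bool:
    """Return True if any subjectAltName dNSName in `sans` is valid for hostname."""
    return any(name_matches(san, hostname) for san in sans)


# Constructed SAN list for a hypothetical wildcard cert; whether the bare
# domain is also listed as a SAN depends on the issuing CA.
WILDCARD_SANS = ["*.tigers.org", "tigers.org"]

if __name__ == "__main__":
    for host in ["ds01.tigers.org", "vc01.tigers.org", "tigers.org",
                 "radius.corp.tigers.org", "ds01.tigers.com"]:
        print(f"{host:26} covered: {covered_by(WILDCARD_SANS, host)}")
```

Hosts one level below the domain (ds01, vc01, a RADIUS/NPS server) are covered; a host two levels down, or a different domain, needs its own name on the cert.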
ASKER
Thanks for the quick response. Our existing wildcard cert is installed on a Linux install for our MDM application. We had to purchase it for that specific instance and as my other Sys Admin states, "let's pretend that doesn't exist".
If I'm understanding you correctly, if I purchase a Wildcard cert and install it on our AD CA Server it would encompass all the internal hosts and Radius authentication?
I appreciate it.
ASKER CERTIFIED SOLUTION
ASKER
Understood. Our CA and NPS Servers are the same VM. I should have mentioned that part. Thanks so much.
CA should NOT be on a DC. NPS works well on DC, but can be separate.
ASKER
It's certainly been a part of the confusion. Thanks so much for the recommendation.