
Question

STS must be authorized by the same issuer that issued the certificate used by Directory Server

asked on October 3, 2019

In the online help file it states, "Directory Server and the STS do not need to use the same certificate. However, the certificate for the STS must be authorized by the same issuer that issued the certificate used by Directory Server."

Does the same hold true for an STS in a DMZ? It does not specify, so I want to clarify whether it does or not.

1 0

Answer

SELECTED ANSWER
replied on October 3, 2019

Yes, the certificate used by the internal LFDS and the certificate used by the DMZ STS must both be issued by a common certificate authority.

0 0
replied on October 3, 2019

So this also ties into my other question you replied on. Can an internal CA create an SSL certificate for a server in a DMZ if it is not a member of the domain?

0 0
replied on October 3, 2019

Indeed it can. All that needs to be done is ensure the certificate CN matches the DMZ machine and ensure that the DMZ machine trusts the root CA or a CA in the trust chain. It's my understanding that the only time communication between the DMZ machine and the internal CA matters is for CRLs.

1 0
replied on October 3, 2019

That is good to know. So on top of that, since the DMZ STS needs to verify the internal STS's certificate, do you know how we can do that since it's not on the domain?

0 0
replied on October 3, 2019

Basically what happens is this: DMZ STS trusts "ExampleCA" (a copy of the CA cert is kept in its trusted root store). When it sees the internal LFDS's certificate was issued by "ExampleCA", it knows that machine is to be trusted. The same happens the other way around. Domains won't come into play here.

1 0
replied on October 4, 2019

So the CA's root certificate needs to be exported and imported into the DMZ's trusted root store, correct?

0 0
replied on October 4, 2019

Yes, that's correct. It doesn't necessarily have to be the root certificate, it could be an intermediate certificate as well.

1 0
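The export/import and verification steps discussed in this thread, written out as an added PowerShell example (not part of the original posts or Laserfiche's own tooling). It assumes the built-in PKI cmdlets are available; the CA name "ExampleCA", the DMZ host name and the file path are placeholders. Step 1 runs on an internal machine that already trusts the CA; steps 2 and 3 run on the non-domain-joined DMZ STS machine.

```powershell
# Added example, not from the thread. Placeholders: CA subject, DMZ host name, file path.

# --- Step 1 (internal machine): export the issuing CA's public certificate ---
$caSubject = 'CN=ExampleCA'   # placeholder: the CA named in the thread
$ca = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
      Where-Object { $_.Subject -eq $caSubject } | Select-Object -First 1
if (-not $ca) { throw "CA certificate '$caSubject' not found in the local stores" }
# DER-encoded public certificate only; the CA's private key is never exported.
Export-Certificate -Cert $ca -FilePath 'C:\temp\ExampleCA.cer' -Type CERT | Out-Null

# --- Step 2 (DMZ STS machine): import the CA certificate into the right store ---
# A self-signed root goes into Trusted Root; an intermediate goes into
# Intermediate Certification Authorities, as the thread notes either will do.
$imported = Get-PfxCertificate -FilePath 'C:\temp\ExampleCA.cer'
$store = if ($imported.Subject -eq $imported.Issuer) { 'Cert:\LocalMachine\Root' }
         else                                        { 'Cert:\LocalMachine\CA' }
Import-Certificate -FilePath 'C:\temp\ExampleCA.cer' -CertStoreLocation $store | Out-Null

# --- Step 3 (DMZ STS machine): check the STS certificate chains to that CA ---
$stsHost = 'sts-dmz.example.com'   # placeholder: DNS name the STS cert must match
$sts = Get-ChildItem Cert:\LocalMachine\My |
       Where-Object { $_.DnsNameList.Unicode -contains $stsHost } | Select-Object -First 1
if (-not $sts) { throw "No certificate for $stsHost in LocalMachine\My" }

# Test-Certificate builds the chain, performs revocation checking (the CRL fetch the
# thread mentions is the one network dependency on the internal CA) and checks the
# SSL name against the certificate.
$chainOk = Test-Certificate -Cert $sts -Policy SSL -DNSName $stsHost -ErrorAction SilentlyContinue

# Report which trust anchor the chain ends at, so it can be compared with the CA that
# issued the internal LFDS certificate (both must come from the same issuer).
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$null = $chain.Build($sts)
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain valid for $stsHost : $chainOk"
"Trust anchor: $($anchor.Subject) (thumbprint $($anchor.Thumbprint))"
```

If `$chainOk` is false with a revocation error, the DMZ machine cannot reach the CA's CRL distribution point, which is the reachability requirement the thread describes.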
replied on October 4, 2019

This has been extremely helpful Chase. Thank you for your time.

1 0
