Question

A client is saying their certificate authority doesn't support adding the local domain as a SAN to their certificate.

Directory Server

Updated November 2, 2023

asked on October 20, 2023

Per the online documentation, if the server domain is .local and their certificate is .gov, it's advised to add the *.local as a Subject Alternative Name (SAN) to ensure everything with TLS and SSO works smoothly. This client uses digicert who says that has not been supported since 2015. What options do we have to remedy the fact that we are getting errors when we check Use TLS in the STS Endpoint utility? Link to digicert documentation below.

https://www.digicert.com/kb/advisories/internal-names.htm

4 0

Replies

replied on October 20, 2023 • Show version history

It mentions this in the article you linked to "If you are a server admin using internal names, you need to either reconfigure those servers to use a public name, or switch to a certificate issued by an internal CA..."
Active Directory Certificate Services

You could technically use self-signed certs as well, but you lose a lot of the reason you use SSL certs at that point. You would also have to push that certificate out to all of the machines that would be hitting it so they trust it and don't throw an error in the users browser.

2 0

replied on October 23, 2023

Blake is right. For further info we typically recommend the use of Split Brain DNS so you can resolve external names to internal IPs or else utilize router configuration to loopback those requests to external names. This is all IT configuration and they often have their own preferences on how to accomplish this.

Use DNS Policy for Split-Brain DNS Deployment | Microsoft Learn

1 0

replied on November 2, 2023

Thanks to you both. From doing more research, this is not just a Digicert limitation of not adding local domain to the cert as a SAN, it's universal. Is there a way we could get the Laserfiche documentation updated to reflect that the ask is not able to be accommodated any longer?

https://cabforum.org/internal-names/

0 0

View 4 previous replies

replied on November 2, 2023

Do you have a link to where it states that in the online documentation?

0 0

replied on November 2, 2023

https://go.laserfiche.com/support/webhelp/Laserfiche/10/en-US/administration/#../Subsystems/LFDS/Content/CertRequirements.htm%3FTocPath%3DDirectory%2520Server%7CTroubleshooting%7C_____1

0 0

replied on November 2, 2023

Your screenshot is correct though. Not all domains are non-public. If an organization has a domain such as blakesmith.com, I would be able to get an SSL certificate from a 3rd party CA for that domain.

0 0

replied on November 2, 2023

If your internal domain is blakesmith.com and that's also the external FQDN, you wouldn't add it twice to SAN, so to me asking to add the internal and external FQDN implies they are different, as in my .local and .gov example.

I know prior to 2015, it was something you could get, and it no longer is, so it feels like we're being asked to get an impossible certificate.

0 0

replied on November 2, 2023

So if my domain is blakesmith.com, my external FQDN would probably be something like laserfiche.blakesmith.com, but the internal FQDN would be server01.blakesmith.com.

0 0

replied on November 2, 2023

What would be really useful is more information regarding how to do it for the specific scenario you are referring to, especially in the cases of a DMZ.

0 0

replied on November 2, 2023

That's true. I guess I'm just looking for some additional notation in the documentation as I've had a number of client IT state after reading this, that their Certificate Authority cannot add the local FQDN to the certificate issues to the public FQDN. (specifically in a .local internal and something else external)

It's a fairly regular occurrence for us to see that setup.

1 0

You are not allowed to follow up in this post.

Question

Question

A client is saying their certificate authority doesn't support adding the local domain as a SAN to their certificate.

Replies

Sign in to reply to this post.