DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

Introduction

When preparing a DirectAccess server, an SSL certificate is required for the IP-HTTPS IPv6 transition technology. This certificate is often issued by a public Certification Authority (CA), but it can also be issued by an organization’s internal Public Key Infrastructure (PKI).

SSL Certificate

Commonly an SSL certificate is issued for a single hostname, or subject. As long as the hostname matches the subject, everything works fine.

Multi-SAN SSL Certificate

To ease the management burden of using multiple certificates, or reduce the expense associated with using a wildcard certificate, organizations can request a multi-SAN (Subject Alternative Name) certificate, which matches more than one subject. The additional subjects are included in the Subject Alternative Name field on the SSL certificate.

A single multi-SAN certificate can be installed on multiple hosts and will work without issue as long as the hostname matches one of the SAN entries.

DirectAccess and Multi-SAN Certificates

When implementing DirectAccess in a multisite configuration, each entry point in the organization will have a unique public hostname. Instinctively, using a multi-SAN SSL certificate in this scenario would seem ideal.

Unfortunately, support for multi-SAN SSL certificates with DirectAccess is limited. To use a multi-SAN certificate for DirectAccess IP-HTTPS, the public hostname must match the name listed in the Subject field. In the example above, the subject is da.richardhicks.net, with SAN entries for da-west.richardhicks.net and da-east.richardhicks.net.

In this scenario, only the public name da.richardhicks.net is supported for use with DirectAccess. It will not work for any of the SAN entries. For example, attempting to configure DirectAccess to use this certificate with the public hostname da-west.richardhicks.net will fail with the following error message.

The subject name of certificate CN=[certificate subject name] is invalid.
Select a certificate with a valid subject name.
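To make the distinction concrete, the following added example (written for this page, not code from the original post or from Microsoft) models the two name-matching rules side by side: the RFC 6125 rule an ordinary TLS client applies, where any dNSName SAN entry satisfies the hostname, and the DirectAccess rule the post describes, where only the Subject CN is consulted. The certificate contents are a constructed stand-in (the post's hostnames in a small dataclass), not a parsed X.509 file, and the wildcard handling in the DirectAccess check is an assumption drawn from the post's statement that a wildcard certificate is supported.

```python
"""Hostname-matching pre-check for a DirectAccess IP-HTTPS certificate.

Added example; not part of the original post. Two rules are modelled:
  * generic TLS client (RFC 6125): the hostname may match any dNSName SAN
    entry, falling back to the Subject CN only when no dNSName SAN exists;
    a wildcard is honoured only as the entire leftmost label.
  * DirectAccess (as described in the post): the public hostname must match
    the Subject CN; SAN entries are never consulted. Wildcard-CN support is
    assumed from the post's remark that wildcard certificates work.
Certificate data is a constructed stand-in, not a parsed certificate.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class CertNames:
    """The only two fields that matter for this check."""
    subject_cn: str
    san_dns: Tuple[str, ...] = ()


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison.

    A '*' is accepted only as the whole leftmost label and matches exactly
    one label (RFC 6125 section 6.4.3), so '*.example.net' matches
    'da.example.net' but not 'a.b.example.net' or 'example.net'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def tls_client_accepts(cert: CertNames, hostname: str) -> bool:
    """What a browser or the IP-HTTPS client would accept for this hostname."""
    if cert.san_dns:
        return any(_name_matches(n, hostname) for n in cert.san_dns)
    return _name_matches(cert.subject_cn, hostname)


def directaccess_accepts(cert: CertNames, hostname: str) -> bool:
    """What the DirectAccess wizard / Set-DAServer accepts: Subject CN only."""
    return _name_matches(cert.subject_cn, hostname)


def check_entry_points(cert: CertNames, hostnames: Tuple[str, ...]) -> Dict[str, Tuple[bool, bool]]:
    """Map each public hostname to (tls_ok, directaccess_ok) to expose the gap."""
    return {h: (tls_client_accepts(cert, h), directaccess_accepts(cert, h)) for h in hostnames}


# Constructed sample data modelled on the post's example.
MULTI_SAN_CERT = CertNames(
    subject_cn="da.richardhicks.net",
    san_dns=("da.richardhicks.net", "da-west.richardhicks.net", "da-east.richardhicks.net"),
)
WILDCARD_CERT = CertNames(subject_cn="*.richardhicks.net", san_dns=("*.richardhicks.net",))
ENTRY_POINTS = ("da.richardhicks.net", "da-west.richardhicks.net", "da-east.richardhicks.net")

if __name__ == "__main__":
    for label, cert in (("multi-SAN", MULTI_SAN_CERT), ("wildcard", WILDCARD_CERT)):
        print(f"{label} certificate, Subject CN={cert.subject_cn}")
        for host, (tls_ok, da_ok) in check_entry_points(cert, ENTRY_POINTS).items():
            print(f"  {host:28} TLS client: {'ok' if tls_ok else 'FAIL':4}  "
                  f"DirectAccess: {'ok' if da_ok else 'FAIL'}")
```

Running the script shows the multi-SAN certificate passing the TLS-client check for all three entry points while only `da.richardhicks.net` passes the DirectAccess check, and the wildcard certificate passing both checks for every entry point, which is why the summary below recommends per-entry-point or wildcard certificates for multisite deployments.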

Attempting to work around this issue by using the Set-DAServer PowerShell cmdlet also fails to recognize the SSL certificate correctly.

Summary

Using a multi-SAN SSL certificate for the DirectAccess IP-HTTPS IPv6 transition technology is only supported when the public hostname matches the subject name of the certificate. Configuring DirectAccess with a public hostname listed in the SAN list is not supported. For multisite DirectAccess deployments, individual certificates must be issued for each entry point. Alternatively, a wildcard certificate can be used.

9 Comments

  1. We are in a clustered DA env with external LBs. When trying to add a Thawte SSL cert into the cluster for IP-HTTPS it comes back and says it wants a self-signed cert. My question to you is can we use an SSL from a third party in a cluster NLB?

    • That’s unusual. An SSL certificate issued by a trusted third party is recommended and should definitely work. I’m puzzled as to why it would insist on a self-signed certificate. Can you reach out to me via email directly so we can dig in a little deeper?

  2. Rance / January 9, 2020

    @Richard
    Hoping you can help please? Chicken and egg scenario.
    We have a new certificate authority. Changing the DA configuration to use the new root and intermediate certificates changes the DA GPO.
    Without the new GPO settings DA doesn’t connect, and clients cannot get new settings unless in the office on the LAN.
    Can DA support TWO certificate authorities?
    So, users don’t have to come into the office.
    Thank you in advance

    • Oh yes, changing the root CA for DirectAccess can be challenging. It is possible to make this transition seamlessly without impact to clients using some custom configuration. If you’ll reach out to me directly I’ll be happy to provide you with some documentation for it.

      • Johan Selmosson / August 21, 2023

        Hi

        I’m facing exactly this scenario for two of our customers. Their CA certificate and CA servers are due for renewal, and we are considering just telling all users that after the cutover date they will not be able to connect to DirectAccess again until they come in and connect to an internal network to retrieve the new configuration. If there is a workaround I would really appreciate it if you could share some info about it. It would be nice to do this transition without causing problems for the end users.

        Take care!

      • There is a workaround, but it’s complex and doesn’t always work as expected. Reach out to me directly and I’ll provide you with more details.
