0

We are currently shipping a product to our customers that is server-client-based, running on Windows Server 2016 (server) and Windows 10 (clients). The server is installed on-premise in our customer's infrastructure. We are always installing the server in our customer's network for our customer, but it runs on the HW from our customer and is also officially operated by him. The clients are installed by our customer.

We are using certificates to secure the traffic between server and client. The customer can choose to use their own certificates or we create a self-signed certificate when we install the solution on site.

Many customers don't want to use their own certificates and use the self-signed certificates that we generate during installation of the server. When the customer needs to install a client they are installing the self-signed certificate of our server on the client machine. This way there is a trusted relationship and man-in-the-middle attacks are avoided even though we use self-signed certificates and can't prove that we are in fact who we say we are.

The problem occurs when our self-signed certificates run out (this hasn't happened yet as the service is quite new). How will we be able to update the certificates on the clients? If the certificate has already run out we will have the same problem again as in the beginning and our customer would need to "carry" the new certificate to all the installed client PCs. I'm thinking that there might be an established mechanism to push the new certificate to all clients while the certificate is still valid.

  1. Is this a real problem or do I have an error in my assumptions?
  2. If yes, how can we solve this in the most elegant way without much manual effort?

Thanks in advance for your help!

Juergen


1 Answer

2

Distribute the self-signed certificate via Active Directory. This is largely a solved problem and Microsoft even offers a guide on how to do it.

Here is an excerpt from the guide:

To distribute certificates to client computers by using Group Policy

  1. On a domain controller in the forest of the account partner organization, start the Group Policy Management snap-in.
  2. Find an existing Group Policy Object (GPO) or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit (OU) where the appropriate user and computer accounts reside.
  3. Right-click the GPO, and then click Edit.
  4. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
  5. On the Welcome to the Certificate Import Wizard page, click Next.
  6. On the File to Import page, type the path to the appropriate certificate files (for example, \\fs1\c$\fs1.cer), and then click Next.
  7. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
  8. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
  9. Repeat steps 2 through 6 to add additional certificates for each of the federation servers in the farm.

Furthermore, unless a contract specifies otherwise, how to distribute certificates between servers and clients should be the client's problem, as long as your server software offers a reasonably easy or standard way of exporting the certificate in a common format.
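
A way to check on a client that the Group Policy distribution described above has taken effect before the old certificate expires. This is an added example, not part of the answer or of Microsoft's guide; the two `.cer` paths and the 30-day threshold are assumptions.

```powershell
# Added example: audit one client during a server certificate rollover.
# The file paths and the 30-day threshold are assumptions, not values from the post.
param(
    [string]$OldCertPath = 'C:\Temp\server-old.cer',   # hypothetical: certificate trusted today
    [string]$NewCertPath = 'C:\Temp\server-new.cer',   # hypothetical: replacement certificate
    [int]$WarnDays = 30
)

function Get-RootStoreStatus {
    param([string]$CerPath)

    # Load the exported .cer to learn its thumbprint and expiry date.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # Look for the same thumbprint in the machine's Trusted Root store,
    # which is where the Group Policy import in step 4 places it.
    $installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
        InRootStore = [bool]$installed
    }
}

$old = Get-RootStoreStatus -CerPath $OldCertPath
$new = Get-RootStoreStatus -CerPath $NewCertPath
$old, $new | Format-Table -AutoSize

# The server should only switch certificates once clients already trust the new one.
if (-not $new.InRootStore) {
    Write-Warning "Replacement certificate is not trusted yet; run 'gpupdate /force' or check the GPO scope."
    exit 1
}
if ($old.DaysLeft -le $WarnDays) {
    Write-Warning "Current certificate expires in $($old.DaysLeft) days; the server can move to the new one."
}
```

Running it on a sample of clients while both certificates are published in the GPO shows whether any machine would lose trust at cutover.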