I want to know if I can use a single certificate for all the direct access functionality.

I am working at actually setting up DirectAccess on a relatively small network. Since this is a small network I am trying to find the minimum configuration necessary.

In a test environment I performed a quick install with the DirectAccess wizard, letting it automatically generate self-signed certificates, and the result was three certificates.

  • CN = DirectAccess.example.org
    • Friendly Name: DirectAccess-IPHTTPS
    • Purposes: Server Authentication
  • CN = DirectAccess-NLS.example.org
    • Friendly Name: DirectAccess-NLS
    • Purposes: Server Authentication
  • CN = DirectAccess-RADIUS-Encrypt-servername.example.org
    • Friendly Name: Certificate issued by Remote Access for RADIUS shared secrets
    • Purposes: All

So to restate my question, do I really need 3 separate certificates here? Can I do this with a single certificate and Subject Alternative Names? From the descriptions I read the NLS and IPHTTPS certs are both used for HTTPS, which seem like they should support alt names.

Zoredache
    I can't comment on this one specifically, but Microsoft stuff is notorious for being finicky about the configuration of the certificate CNs and SANs - as I'm sure you know. Good luck ;) – Mark Henderson Feb 12 '14 at 01:25
  • I haven't found any docs yet. But the remote access wizard refuses to accept my single certificate with alternative names set as being valid... – Zoredache Feb 12 '14 at 23:54

1 Answer

I have had this work using a wildcard cert with a different wildcard SAN because the internal names of my servers were different than external DNS.

So, in the case mentioned above, the cert would be *.example.org possibly with a SAN of *.example.local to be true to the internal name of the server as well if it is different than your external DNS name.

If you go the wildcard route, please simply know that it is considered less secure than listing exact FQDNs. In situations where you have compliance standards to adhere to, it may not be considered the most secure way to go.
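As an added example (not the answerer's own code), the PowerShell below checks whether a certificate in the local machine store covers the IP-HTTPS and NLS host names from the question through its SAN entries, applying the usual one-label wildcard rule, and whether it carries the Server Authentication EKU. The host names are the ones from the question; the store path and the matching rule are assumptions.

```powershell
# Added example: check that one certificate covers every DirectAccess host name.
# Host names come from the question; "*.example.org" style entries are matched
# with the one-left-most-label wildcard rule (RFC 6125 style).
$RequiredNames = @('DirectAccess.example.org', 'DirectAccess-NLS.example.org')
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-WildcardMatch {
    param([string]$Pattern, [string]$HostName)
    # Exact entries must match the whole name, case-insensitively.
    if (-not $Pattern.StartsWith('*.')) { return ($Pattern -ieq $HostName) }
    $suffix = $Pattern.Substring(1)            # "*.example.org" -> ".example.org"
    if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    # The wildcard may stand in for exactly one non-empty label, never "a.b".
    $leftLabel = $HostName.Substring(0, $HostName.Length - $suffix.Length)
    return ($leftLabel.Length -gt 0) -and ($leftLabel -notmatch '\.')
}

function Test-DirectAccessCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$Names
    )
    # No EKU extension at all ("Purposes: All") is valid for every purpose;
    # otherwise Server Authentication must be listed explicitly.
    $ekus = @($Cert.EnhancedKeyUsageList)
    $hasServerAuth = ($ekus.Count -eq 0) -or ($ekus.ObjectId -contains $ServerAuthOid)

    # DnsNameList exposes the SAN dNSName entries (falling back to the CN).
    $covered = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $missing = @($Names | Where-Object {
        $wanted = $_
        -not ($covered | Where-Object { Test-WildcardMatch -Pattern $_ -HostName $wanted })
    })

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        ServerAuthEku = $hasServerAuth
        CoveredNames  = $covered
        MissingNames  = $missing
        Usable        = $hasServerAuth -and ($missing.Count -eq 0)
    }
}

# Assumed usage: evaluate every certificate with a private key in the machine store.
Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey |
    ForEach-Object { Test-DirectAccessCertificate -Cert $_ -Names $RequiredNames } |
    Format-Table Thumbprint, ServerAuthEku, Usable, MissingNames -AutoSize
```

This reports what the certificate itself asserts; whether the Remote Access wizard accepts a given certificate is a separate question, as the comments above note.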