
Most guides for deploying SSTP on RRAS recommend setting up a private CA using AD CS, with all the necessary steps that come with that to issue a server authentication certificate and have it trusted by the clients.

From what I've read, it's also perfectly possible to set up SSTP using a publicly signed certificate. To my mind, if you don't already have a CA and don't have other requirements that necessitate deploying your own CA, then going to the effort of deploying and maintaining one for something so basic seems like overkill. Certificates can be obtained so cheaply these days, and clients will automatically trust the certificate, regardless of whether they're domain joined. Other advantages come to mind that I won't list here.

Is there a factor that I'm missing here that explains why most guides choose to go down the route of deploying AD CS even for the most basic setup, or is my thinking pretty sound?

dbr

1 Answer

You need a CA for client authentication. You must trust only client certificates signed by your CA.

If you do not plan to use client certificates for authentication, then you do not need a private CA.

Mircea Vutcovici
  • This is exactly what I thought, which makes me wonder - why do the MS guides take you through setting up a private CA just for a basic scenario with server authentication only? Perhaps it's just because you then have the infrastructure in place to implement client authentication at a later stage? Or the guide doesn't want to depend on elements that cost money or aren't "in the box"? It sounds like it's actually preferable to use a public cert for a simple setup and I haven't overlooked anything. – dbr Oct 09 '15 at 00:02
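The distinction drawn in the answer above can be checked on the RRAS server itself: the SSTP server certificate only needs to chain to a root the clients already trust, whereas a client certificate must chain to your own private CA and nothing else. The following PowerShell is an added example, not code from the original thread; it assumes the PKI module is available, and `vpn.example.com` and `$PrivateCaThumbprint` are placeholders you substitute with your own values.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1+ with the
# PKI module; $PrivateCaThumbprint is the thumbprint of your own CA's root certificate.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-SstpServerCertificate {
    # Server side: a publicly issued certificate is fine, as long as it chains to a root
    # the clients already trust, is valid for SSL and carries the VPN's public DNS name.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$VpnHostName
    )
    # Test-Certificate builds the chain against the local trust stores and checks EKU and name.
    return [bool](Test-Certificate -Cert $Cert -Policy SSL -EKU $ServerAuthOid `
                                   -DNSName $VpnHostName -ErrorAction SilentlyContinue)
}

function Test-VpnClientCertificate {
    # Client side: the chain must terminate in *your* CA, not merely any trusted root;
    # otherwise a client certificate issued by any public CA would be accepted as well.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$PrivateCaThumbprint
    )
    $hasClientAuth = $Cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) { return $false }        # untrusted, expired or revoked
    # The last chain element is the self-signed root the chain was anchored to.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return $hasClientAuth -and ($root.Thumbprint -eq $PrivateCaThumbprint.ToUpper())
}

# Usage: inspect the certificate RRAS would present for SSTP (placeholder host name).
$sstpCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*vpn.example.com*' } | Select-Object -First 1
if ($sstpCert) { Test-SstpServerCertificate -Cert $sstpCert -VpnHostName 'vpn.example.com' }
```

Run `Test-VpnClientCertificate` against a certificate exported from a client to confirm that a public CA's chain is rejected while your own CA's chain passes.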