A Windows CA can also issue Extended Validation certificates, so that the fancy green bar is displayed in Internet Explorer. The whole thing is surprisingly simple:
To issue an Extended Validation (EV) certificate, a new template can be created or an existing one can be modified. I create a new template by duplicating the "Webserver" template.
The suggested settings on the "Compatibility" tab are OK
I call my template "Exchange Server EV" and set a validity period of 5 years, but everyone can choose this as they wish.
I would like to create a SAN/UC certificate, so check the box "Symmetric.... authorized by the applicant" and, if the certificate is to be exported, check the box "Allow export of private keys".
On the "Security" tab, the "Exchange Servers" group is given full access
On the "Extensions" tab, select the "Issuance Policies" item and click on "Edit".
No issuance policy is defined yet, so click on "Add".
Click on "New" in the dialog
Now assign a name for the new policy and specify a path for the certification practice statement (CPS); the path does not necessarily have to exist. Then copy the object identifier (OID).
The new policy is now visible, the window can be closed with "OK"
The certificate template is ready
Finally, publish the new template
The template has now been published
Now the root CA certificate must be distributed together with the OID copied earlier, so create a new GPO and import the root CA certificate.
As soon as the certificate has been imported, right-click on the entry and select the "Extended Validation" tab; the OID can now be entered here.
Now just link the GPO and you're done. For computers that are not members of the domain, the OID and the certificate must be added manually. To do this, open an MMC with the Certificates snap-in. Import the root certification authority certificate.
Now right-click on the certificate -> Properties; the OID can be added on the "Extended Validation" tab.
Now the Exchange server only needs to be provided with a new certificate, which is issued using the new template. As soon as the certificate is assigned to the services, the address bar in Internet Explorer turns green to indicate Extended Validation.
Yes, I admit it, this is a gimmick...
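To check the result of the steps above, the following added example (not part of the original post) reads the Certificate Policies extension of an issued certificate and compares its policy OIDs with the one copied from the template. The function names, the OID placeholder and the thumbprint placeholder are assumptions to be replaced with your own values.

```powershell
# Added example (not from the original post): list issuance policy OIDs from extension 2.5.29.32.
function Read-DerHeader([byte[]]$Data, [int]$Offset) {
    # Returns tag, content offset and content length of the DER element at $Offset.
    $tag   = $Data[$Offset]
    $len   = [int]$Data[$Offset + 1]
    $start = $Offset + 2
    if ($len -ge 0x80) {                      # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Data[$start + $i] }
        $start += $n
    }
    [pscustomobject]@{ Tag = $tag; Start = $start; Length = $len }
}

function ConvertFrom-DerOid([byte[]]$Data, [int]$Start, [int]$Length) {
    $arcs = @(); $value = [long]0
    for ($i = $Start; $i -lt $Start + $Length; $i++) {
        $value = ($value -shl 7) -bor ($Data[$i] -band 0x7F)   # base-128, high bit = "more"
        if (($Data[$i] -band 0x80) -eq 0) {
            if ($arcs.Count -eq 0) {          # first subidentifier packs the first two arcs
                $first = if ($value -lt 40) { 0 } elseif ($value -lt 80) { 1 } else { 2 }
                $arcs += $first, ($value - 40 * $first)
            } else { $arcs += $value }
            $value = [long]0
        }
    }
    $arcs -join '.'
}

function Get-IssuancePolicyOid([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate) {
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $ext) { return }                 # no Certificate Policies extension at all
    $der   = $ext.RawData                     # DER: SEQUENCE OF PolicyInformation
    $outer = Read-DerHeader $der 0
    $pos   = $outer.Start
    while ($pos -lt $outer.Start + $outer.Length) {
        $info = Read-DerHeader $der $pos      # PolicyInformation ::= SEQUENCE { OID, qualifiers }
        $oid  = Read-DerHeader $der $info.Start
        if ($oid.Tag -eq 0x06) { ConvertFrom-DerOid $der $oid.Start $oid.Length }
        $pos  = $info.Start + $info.Length
    }
}

# Placeholders: the OID copied from the policy dialog and the new certificate's thumbprint.
$expectedOid = '<issuance-policy-OID>'
$cert  = Get-Item 'Cert:\LocalMachine\My\<thumbprint>'
$found = @(Get-IssuancePolicyOid $cert)
if ($found -contains $expectedOid) { "OK: certificate carries $expectedOid" } else { "Missing: expected $expectedOid, found: $($found -join ', ')" }
```

If the OID is missing, the certificate was most likely requested from a different template than the one carrying the issuance policy.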
Nice gimmick, but in my opinion superfluous for your own CA.
Extended Validation means just that, "extended validation": the identity of the applicant is verified by a body that is as independent as possible and then included in the SSL certificate.
It is also no longer as expensive as it used to be, e.g. here from EUR 119/year:
https://www.sslpoint.com/de/ssl-zertifikate/geotrust/erweiterte-validierung/
So if you want a green address bar (e.g. for a web shop), you will have to invest the few euros...
Hello,
does this also work somehow for the other browsers (Firefox/Chrome)?