For many years I've been using client certificates for authentication on some of my sites. I have been using the free certificates from StartCom in Israel. They went out of business in 2018 and my latest certificates will expire in October 2019. A few days ago using them to authenticate against my sites stopped working. These sites are hosted on a Windows 2016 server and I assume Microsoft finally stopped supporting StartCom.
So I had to come up with a new provider for these certificates. I had looked around in the past but didn't find any free and trustworthy source.
For many years I have been using my own Certificate Authority (CA) to issue some TLS/SSL server certs for internal use. So I always had my own CA on a Windows Server VM. But I never got around to using it for client certificates.
This is on a standalone server, not in a domain. I also never installed the web interface to it, but just used a PowerShell script to request certificates to be signed.
I also had the problem that using them would require the CRL Distribution Points to be available all the time. CRL stands for Certificate Revocation List. When a certificate is used, the server or client may fetch the CRL from the distribution points embedded in the cert to check that the certificate is still valid: the certificate should not appear on the CRL. My CA VM was not always on and was not on a public network, so the CRL could not be accessed by an external process and therefore the certificate could not be validated.
But because I now had a real need for new working client certificates I solved these issues.
- I updated my scripts to create and sign a cert to work for client certificates as well.
- I increased the lifetime of my own certificates to ten years.
- In the CA I added a new CRL distribution point pointing to a publicly available URL, to which I copied the CRL of my own CA.
- I installed the root certificate of my CA into all affected Windows machines and mobile devices as a new trusted root certificate authority.
Now I can use my own certificates, the CRL for them is accessible, and I don't have to worry about them for another 10 years.
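To confirm that a client certificate really does validate the way a relying party would check it, here is an added PowerShell snippet (my own example, not part of the scripts described in this post). It lists the CRL Distribution Points embedded in a cert and then builds the chain with online revocation checking; the file path is a placeholder.

```powershell
# Added example: list the CDP URLs in a client cert and build its chain with
# online revocation checking, which is the check that fails when the CRL is unreachable.
$certPath = 'C:\certs\client.cer'   # placeholder path, replace with your own cert file

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# 1. Show the CRL Distribution Points extension (OID 2.5.29.31) embedded in the cert.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    Write-Host "CRL Distribution Points:"
    Write-Host $cdp.Format($true)
} else {
    Write-Host "No CRL Distribution Point extension present."
}

# 2. Build the chain exactly as Windows does for a relying party:
#    fetch the CRL online for every certificate in the chain, with a bounded timeout.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$ok = $chain.Build($cert)
Write-Host ("Chain build with online revocation: {0}" -f $(if ($ok) { 'OK' } else { 'FAILED' }))

# 3. Explain any failure. RevocationStatusUnknown / OfflineRevocation mean the CRL could
#    not be fetched from the CDP (the problem with an offline CA VM); Revoked means the
#    cert is listed on the CRL; UntrustedRoot means the CA root is not installed.
foreach ($status in $chain.ChainStatus) {
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}
```

The built-in `certutil -verify -urlfetch C:\certs\client.cer` performs the same CDP fetch and chain build from the command line and is handy for checking the published CRL from a machine outside the CA's network.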
The next part of this post will describe these steps in more detail.