April 09, 2009

Domain-Proof Certificates for Microsoft Services Connector (MSC)

The Microsoft Services Connector (MSC) Team have received quite a few queries during the Tech Preview period about the way that MSC uses certificates for proof of domain ownership, so for future refer-ability I thought I would try to answer them here publicly.

Question: "What is the reasoning behind the list of CA's supported?"

There are a few principles that we are working to around domain-proof certificates (DPC's) for MSC

  1. MSC aims to support any root CA (certificate authority) in the Microsoft Root Certificate Program that supports both client and server authentication EKU capabilities.
  2. MSC does not advocate or promote any particular certificate product or vendor over any other.
    We do however recommend the use of Extended Validation (EV) certificates where ever possible.
  3. The MSC Team have tested against a number of specific _certificate products_ from several major vendors, and those are listed in the MSC Admin Guide docs.
  4. Whether or not the MSC Team have tested against a specific vendor's certificate product yet should not be taken as either an endorsement or rejection of either the vendor or the product - it is just that we don't have infinite resources so we have only been able to test a few certificate products so far.
  5. Due to IIS configuration requirements, we need to have pre-installed on our servers all intermediate certificates linking from the root through to the domain proof cert (DPC) being used for the mutual auth SSL connection before the request can even reach our server code.
  6. From our testing, we know we have all the necessary intermediate certs configured on our servers for the cert products we have tested in #3 above.
  7. However, we may not have all the necessary intermediate certificates in the chain already installed and configured for an other arbitrary certificate though -- If you send us details including the public certificate data and CA chain from another vendor then we may need to configure some missing intermediate certificates on our side.
  8. MSC will support the use of wild card (*.domain.com) certificates in the upcoming MSC Beta release, although the CTP version of MSC launched at PDC-2008 did not support that functionality.

Hope this helps to clarify the situation around MSC certificates.

Entry categories: Cloud Services
Posted by Jorgen Thelin at April 9, 2009 09:16 PM - [PermaLink]