Certificate Requirements
Applies to: Advanced and Patch Insights
Advanced Insights needs a valid SSL certificate to install and function (the installer will verify that the certificate is valid).
Supported Certificate types:
Server host (FQDN) standard certificate.
Wildcard certificate.
Custom CNAME / Alias certificate.
Self-signed certificate.
The certificate must meet the following minimum requirements:
Support HTTPS / SSL.
Has private key.
Valid in-date (not expired).
Enhanced key usage includes "Server Authentication".
Only modern signature types are supported (e.g. SHA256). Legacy / weak signature algorithms, for example 'SHA1', 'MD2', 'MD4' and 'MD5', are not supported.
Subject Alternative Name (SAN). The certificate SAN requirements depend on the chosen deployment configuration for the Advanced Insights URL.
Scenario 1 - Server Host name certificate.
For Advanced Insights URL deployment using server host name (e.g. https://server01.contoso.local) the certificate SAN must contain an entry which matches the FQDN of the host server where Advanced Insights is installed.
Scenario 2 - Wildcard certificate.
For Advanced Insights URL deployment using a wildcard certificate, the certificate SAN must contain an entry that represents the wildcard, e.g. '*.contoso.local'.
Scenario 3 - CNAME / Alias certificate.
For Advanced Insights URL deployment using a CNAME / Alias (e.g. https://AdvancedInsights.contoso.local), the certificate SAN must contain an entry which represents the CNAME / Alias, e.g. 'AdvancedInsights.contoso.local'.
When using a CNAME / Alias or Wildcard certificate for a custom Advanced Insights deployment URL, ensure that DNS has been updated to include an entry which represents the chosen CNAME / Alias.
Certificate SAN values can also be verified within the certificate properties.
On the Windows Server OS which will host Advanced Insights, the following PowerShell script can be executed to list supported certificates.
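An added example of such a check (not the vendor's own script): it lists the certificates in the local machine's Personal store and evaluates each against the minimum requirements above. The store path Cert:\LocalMachine\My and the output property names are assumptions; compare the SAN value shown with the URL you plan to use.

```powershell
# Added example: evaluate certificates in LocalMachine\My against the listed requirements.
# Assumption: the candidate certificate is installed in the machine's Personal (My) store.
$serverAuthOid  = '1.3.6.1.5.5.7.3.1'      # Enhanced key usage: Server Authentication
$weakSigPattern = 'sha1|md2|md4|md5'       # legacy signature algorithms named on this page
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Subject Alternative Name extension (OID 2.5.29.17), rendered as one line of text
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    # Collect the OIDs from the Enhanced Key Usage extension, if the certificate has one.
    # This check requires Server Authentication to be listed explicitly.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

    $sigAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha1RSA

    $checks = [ordered]@{
        HasPrivateKey = $cert.HasPrivateKey
        InDate        = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        ModernSigAlg  = ($sigAlg -and $sigAlg -notmatch $weakSigPattern)
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        SigAlg     = $sigAlg
        SAN        = $san    # compare with the host name, wildcard or CNAME in the URL
        Failed     = (($checks.GetEnumerator() | Where-Object { -not $_.Value }).Key -join ', ')
        Supported  = -not ($checks.Values -contains $false)
    }
} | Sort-Object Supported -Descending | Format-List
```

Reading the LocalMachine store's private-key flag may require an elevated PowerShell session.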
Self-signed certificate use.
When deploying Advanced Insights using a self-signed certificate, the installer will automatically create the certificate using the server host name value to create the Advanced Insights URL.
Example:
https://server01.contoso.local
We don't recommend using a self-signed certificate long-term in production as it won't be trusted by other client browsers by default. You can replace a self-signed certificate following installation in the IIS website bindings.