Certificate Requirements

Advanced Insights needs a valid SSL certificate to install and function (the installer verifies that the certificate is valid before proceeding).
Supported Certificate types:
  • Server host (FQDN) standard certificate.
  • Wildcard certificate.
  • Custom CNAME / Alias certificate.
  • Self-signed certificate.
The certificate must meet the following minimum requirements:
  • Support HTTPS / SSL.
  • Has private key.
  • Valid in-date (not expired).
  • Enhanced key usage includes "Server Authentication".
  • Only modern signature algorithms are supported (e.g. SHA256). Legacy / weak signature algorithms, for example 'SHA1', 'MD2', 'MD4' and 'MD5', are not supported.
  • Subject Alternative Name (SAN). The certificate SAN requirements depend on the chosen deployment configuration for the Advanced Insights URL.
    • Scenario 1 - Server Host name certificate.
      • For Advanced Insights URL deployment using server host name (e.g. https://server01.contoso.local) the certificate SAN must contain an entry which matches the FQDN of the host server where Advanced Insights is installed.
    • Scenario 2 - Wildcard certificate.
      • For Advanced Insights URL deployment using a wildcard certificate, the certificate SAN must contain the wildcard entry, e.g. '*.contoso.local'.
    • Scenario 3 - CNAME / Alias certificate.
      • For Advanced Insights URL deployment using a CNAME / Alias, (e.g. https://AdvancedInsights.contoso.local) the certificate SAN must contain an entry which represents the CNAME / Alias. e.g. 'AdvancedInsights.contoso.local'.
When using a CNAME / Alias or wildcard certificate for a custom Advanced Insights deployment URL, ensure that DNS has been updated with an entry for the chosen CNAME / Alias.
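The three SAN scenarios above, as an added example (not the installer's code or the check script on this page): a small PowerShell function that reports which scenario a certificate's SAN entries satisfy for the chosen Advanced Insights URL host, including the rule that a wildcard covers exactly one host label. The function names, the sample SAN lists and the assumption of an English Windows locale for the SAN text are all mine.

```powershell
# Added example (not part of the Advanced Insights installer or its check script): decide which
# SAN deployment scenario a certificate satisfies for the chosen Advanced Insights URL host.
function Get-SanDnsNames {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # OID 2.5.29.17 is the Subject Alternative Name extension. Assumption: English Windows, where
    # Format() renders entries as "DNS Name=server01.contoso.local, DNS Name=*.contoso.local".
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    @($ext.Format($false) -split ', ' |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { $_.Substring('DNS Name='.Length).Trim() })
}

function Test-AdvancedInsightsSan {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $SanDnsNames,  # DNS entries from the SAN
        [Parameter(Mandatory)] [string] $ServerFqdn,   # FQDN of the host running Advanced Insights
        [string] $Alias                                # CNAME / Alias chosen for the URL, if any
    )
    # Scenario 3 uses the alias as the URL host; scenarios 1 and 2 use the server FQDN.
    $urlHost    = $(if ($Alias) { $Alias } else { $ServerFqdn }).ToLowerInvariant()
    $hostLabels = $urlHost.Split('.')

    foreach ($entry in $SanDnsNames) {
        $san = $entry.Trim().ToLowerInvariant()
        if ($san -eq $urlHost) {
            return $(if ($Alias) { 'Scenario 3: CNAME / Alias' } else { 'Scenario 1: Server host name' })
        }
        # A wildcard entry covers exactly one leftmost label (browser and SChannel behaviour),
        # so '*.contoso.local' matches server01.contoso.local but not host.sub.contoso.local.
        if ($san.StartsWith('*.')) {
            $sanLabels = $san.Split('.')
            if ($sanLabels.Count -eq $hostLabels.Count -and
                ($sanLabels[1..($sanLabels.Count - 1)] -join '.') -eq ($hostLabels[1..($hostLabels.Count - 1)] -join '.')) {
                return 'Scenario 2: Wildcard'
            }
        }
    }
    return 'No SAN entry covers the Advanced Insights URL host'
}

# Constructed sample SAN lists (not read from real certificates) covering each scenario.
Test-AdvancedInsightsSan -SanDnsNames 'server01.contoso.local' -ServerFqdn 'server01.contoso.local'
Test-AdvancedInsightsSan -SanDnsNames '*.contoso.local' -ServerFqdn 'server01.contoso.local'
Test-AdvancedInsightsSan -SanDnsNames 'advancedinsights.contoso.local' -ServerFqdn 'server01.contoso.local' -Alias 'AdvancedInsights.contoso.local'
Test-AdvancedInsightsSan -SanDnsNames '*.contoso.local' -ServerFqdn 'server01.sub.contoso.local'
# To check a real certificate from the local machine store instead:
# $c = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
# Test-AdvancedInsightsSan -SanDnsNames (Get-SanDnsNames $c) -ServerFqdn ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
```

The last sample call shows the wildcard caveat: a certificate for '*.contoso.local' does not cover a server in a sub-domain such as server01.sub.contoso.local.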
Certificate SAN values can also be verified in the certificate properties. Examples (screenshots of the Subject Alternative Name (SAN) properties):
  • Server Host certificate.
  • CNAME / Alias certificate.
  • Wildcard certificate.
On the Windows Server that will host Advanced Insights, the following PowerShell script can be run to list the supported certificates.
# Advanced Insights valid certificate check.
Param()

# Friendly names of certificates that are never suitable and are skipped.
$CertsToExclude = @("ConfigMgr SQL Server Identification Certificate", "WMSVC-SHA2")

# Get the FQDN of the machine (printed in the output header for comparison with SAN entries).
$machineFQDN = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Certificate filtering

# Signature algorithms to exclude (legacy / weak).
$Weakhash = @('SHA1', 'SHA1RSA', 'MD2', 'MD4', 'MD5')

# OID 1.3.6.1.5.5.7.3.1 = Server Authentication (Enhanced Key Usage).
# OID 2.5.29.17        = Subject Alternative Name extension.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $sanExtension = $_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        $sanNames = @()
        if ($sanExtension) {
            # Format(0) yields e.g. "DNS Name=server01.contoso.local, DNS Name=*.contoso.local"
            $sanNames = $sanExtension.Format(0) -split ', ' | ForEach-Object { $_.Split('=')[1].Trim() }
        }
        ($_.SignatureAlgorithm.FriendlyName -notin $Weakhash) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.5.5.7.3.1" }) -and
        ($_.NotAfter -gt (Get-Date)) -and
        ($_.HasPrivateKey -eq $true) -and
        ($_.FriendlyName -notin $CertsToExclude) -and
        ($sanExtension) -and
        ($sanNames -like "*$env:USERDNSDOMAIN") -and
        (Test-Certificate -Cert $_ -Policy SSL)
    } -ErrorAction SilentlyContinue

#$certs.Extensions

Write-Host "############### The following certificates are suitable for Advanced Insights: ###############`n"
Write-Host "Server FQDN: $machineFQDN`n"
foreach ($cert in $certs) {

    # A certificate whose issuer equals its subject is self-signed.
    $SelfSigned = ($cert.Issuer -eq $cert.Subject)

    $sanExtension = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanNames = $sanExtension.Format(0) -split ', ' | ForEach-Object { $_.Split('=')[1].Trim() }

    Write-Host "Certificate Friendly Name: $($cert.FriendlyName)"
    Write-Host "Certificate Thumbprint: $($cert.Thumbprint)"
    Write-Host "Enhanced Key Usage: $($cert.EnhancedKeyUsageList.FriendlyName -join ', ')"
    Write-Host "Certificate validity: $($cert.NotAfter)"
    Write-Host "Private Key present: $($cert.HasPrivateKey)"
    Write-Host "Subject Alternative Name (SAN): $($sanNames -join ', ')"
    Write-Host "Signature Algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
    Write-Host "Self signed Certificate: $($SelfSigned)`n"
}

# List certificates not captured in $certs (compared by thumbprint).
$allCerts = Get-ChildItem -Path Cert:\LocalMachine\My
$uncapturedCerts = $allCerts | Where-Object { $_.Thumbprint -notin @($certs.Thumbprint) }

# Output the uncaptured certificates and their unmatched properties
if (@($uncapturedCerts).Count -gt 0) {
    Write-Host @"
############### The following certificate properties are checked: ###############

1. Enhanced Key Usage
2. Certificate validity
3. Private Key present
4. Certificate in exclude list
5. Subject Alternative Name (SAN)
6. 'Test-Certificate -Policy SSL' cmdlet is used to check the certificate is valid for SSL and the root certificate can be validated
7. Signature Algorithm = sha256RSA (minimum)

"@

    Write-Host "############### The following certificates have one or more property values which are not suitable for Advanced Insights: ###############`n" -ForegroundColor Yellow
    foreach ($cert in $uncapturedCerts) {
        Write-Host "Certificate Friendly Name: $($cert.FriendlyName)"
        Write-Host "Certificate Thumbprint: $($cert.Thumbprint)"

        Write-Host "Unsuitable Certificate Properties:"

        # 1. Enhanced Key Usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
        $serverAuthEku = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
        if (!$serverAuthEku) {
            Write-Host "1. Enhanced Key Usage (requires 'Server Authentication') value found: $($cert.EnhancedKeyUsageList.FriendlyName -join ', ')"
        }
        # 2. The certificate must not be expired.
        if ($cert.NotAfter -le (Get-Date)) {
            Write-Host "2. A valid, in-date certificate is required. Expiration Date found: $($cert.NotAfter)"
        }
        # 3. A private key must be present.
        if ($cert.HasPrivateKey -ne $true) {
            Write-Host "3. Private Key present?: Not Found"
        }
        # 4. Known non-web certificates are excluded by friendly name.
        if ($cert.FriendlyName -in $CertsToExclude) {
            Write-Host "4. Certificate in exclude list: Friendly Name: $($cert.FriendlyName)"
        }

        # 5. SAN extension: at least one entry must match the server FQDN or be a wildcard for the server domain.
        $sanExtension = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if (!$sanExtension) {
            Write-Host "5. Subject Alternative Name (SAN) requires at least one entry that matches the server FQDN or is a wildcard matching the server domain name, e.g. '*.internaldomain.local'. SAN value(s): Not Found"
        } else {
            $sanNames = $sanExtension.Format(0) -split ', ' | ForEach-Object { $_.Split('=')[1].Trim() }
            # On an array, -notlike returns the entries that do NOT match, so it would be true whenever
            # any single entry differs; the check must only fail when no entry matches at all.
            if (-not ($sanNames -like "*$env:USERDNSDOMAIN")) {
                Write-Host "5. Subject Alternative Name (SAN) requires at least one entry that matches the server FQDN or is a wildcard matching the server domain name, e.g. '*.internaldomain.local'. SAN value(s): $($sanNames -join ', ')"
            }
        }

        # 6. Chain and SSL policy validation.
        if (!(Test-Certificate -Cert $cert -Policy SSL)) {
            Write-Host "6. Test-Certificate SSL Policy: Failed"
        }
        # 7. Signature algorithm must not be a legacy / weak one.
        if ($cert.SignatureAlgorithm.FriendlyName -in $Weakhash) {
            Write-Host "7. Certificate signature algorithm requires a minimum of SHA256 RSA. Legacy / weak algorithms e.g. 'SHA1', 'MD2', 'MD4', 'MD5' are not supported. Signature Algorithm found: $($cert.SignatureAlgorithm.FriendlyName)`n"
        }
        Write-Host
    }
    Write-Host "############### Certificate Check End ###############"
} else {
    Write-Host "No uncaptured certificates found."
}
Example PowerShell outputs (screenshots of the script's "valid certificates" and "unsupported certificates" sections).
Self-signed certificate use.
When deploying Advanced Insights using a self-signed certificate, the installer automatically creates the certificate using the server host name, and that host name becomes the Advanced Insights URL.
Example:
https://server01.contoso.local
We don't recommend using a self-signed certificate long-term in production, because client browsers won't trust it by default. After installation you can replace the self-signed certificate in the IIS website bindings.
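Replacing the self-signed certificate in the IIS binding, as an added example (not the installer's code): it checks that the replacement certificate is usable before rebinding and confirms the result afterwards. The site name and thumbprint are placeholders, and the script assumes the WebAdministration module and a single HTTPS binding on the site.

```powershell
# Added example (not from the Advanced Insights installer): move the HTTPS binding of the
# Advanced Insights IIS site from the installer's self-signed certificate to a CA-issued one.
# Assumptions: WebAdministration module present, one HTTPS binding on the site, placeholders below.
Import-Module WebAdministration

$siteName      = 'ADVANCED_INSIGHTS_SITE_NAME'   # placeholder: IIS site created by the installer
$newThumbprint = 'NEW_CERTIFICATE_THUMBPRINT'    # placeholder: thumbprint of the replacement cert

# The replacement certificate must sit in the Local Machine Personal store with its private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $newThumbprint }
if (-not $cert)                    { throw "Certificate $newThumbprint not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $newThumbprint has no private key" }
if ($cert.NotAfter -le (Get-Date)) { throw "Certificate $newThumbprint has expired" }

$binding = Get-WebBinding -Name $siteName -Protocol https
if (-not $binding) { throw "Site '$siteName' has no HTTPS binding" }

# Point the existing HTTPS binding at the new certificate ('my' = Local Machine Personal store).
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# Confirm the binding now references the new certificate.
$after = Get-WebBinding -Name $siteName -Protocol https
if ($after.certificateHash -ne $cert.Thumbprint) { throw "Binding still references $($after.certificateHash)" }
"HTTPS binding of '$siteName' now uses $($cert.Thumbprint)"
```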