Cloudflare Origin and ProScan HTTPS server

johndball

Thanks for that. I'll have to decide on my end what route to take. 1) Keep it as is (before the test files) or 2) If it is a Cloudflare Origin cert then use the chain policy AllowUnknownCertificateAuthority. Probably 1.
For simplicity of development, I would say go with route 1 but maybe tweak the LetsEncrypt function/verbiage to state "Custom PFX". If somebody is building custom PFX chains they should know what they are doing. Or even keep that as-is and update the ProScan documentation to mention that custom PFX is allowed under the LetsEncrypt function.
 

ndebaggis

Did it manually. I too was once an ADCS admin back in the Server 2008 IT admin days. :cool:
I probably used Portecle more than I'd want to ever again! Guessing there are easier ways now though. PSPKI has some great tooling available but I never got to the point of scripting up a PFX builder.

Screenshot 2025-07-02 140013.png
 

ndebaggis

For simplicity of development, I would say go with route 1 but maybe tweak the LetsEncrypt function/verbiage to state "Custom PFX". If somebody is building custom PFX chains they should know what they are doing. Or even keep that as-is and update the ProScan documentation to mention that custom PFX is allowed under the LetsEncrypt function.
Agreed. I'd also add some text for those brave souls with custom PFX to ensure they add any required root CA certs to their LocalMachine cert store. I still needed to do that to get a good verification. I think bouncy or .NET might ignore the bundled PFX's root CA for security reasons (just guessing).
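
An added example, not part of the thread and not ProScan's own code: a PowerShell check that builds the chain for a custom PFX with .NET's X509Chain and reports whether the top of the chain is present in LocalMachine\Root. In X509Chain, certificates passed through ExtraStore are used to build the path but are not treated as trust anchors. The function name and the sample path are hypothetical, and it is an assumption that ProScan validates in a comparable way.

```powershell
# Added example (hypothetical helper name). Checks a custom PFX the way
# .NET's X509Chain sees it, without AllowUnknownCertificateAuthority.
function Test-PfxChain {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'

    # Load every certificate in the PFX: leaf, intermediates, possibly the root.
    $plain  = [System.Net.NetworkCredential]::new('', $Password).Password
    $bundle = New-Object "$x509.X509Certificate2Collection"
    $bundle.Import($PfxPath, $plain, 'DefaultKeySet')

    # The server certificate is the entry that carries the private key.
    $leaf = $bundle | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key in $PfxPath" }

    $chain = New-Object "$x509.X509Chain"
    # Private and origin CAs often publish no revocation data.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Bundled certs are path-building candidates only, never trust anchors.
    $chain.ChainPolicy.ExtraStore.AddRange($bundle)
    $valid = $chain.Build($leaf)

    # Top of the built path and whether the machine store already trusts it.
    $top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inStore = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"

    [pscustomobject]@{
        Leaf                  = $leaf.Subject
        ChainValid            = $valid
        ChainTop              = $top.Subject
        TopInLocalMachineRoot = $inStore
        # UntrustedRoot here means the root must be imported deliberately,
        # e.g. Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
        Status                = ($chain.ChainStatus.Status -join ', ')
    }
}

# Usage (constructed sample path):
# Test-PfxChain -PfxPath 'C:\certs\custom.pfx' -Password (Read-Host -AsSecureString)
```

A result of `ChainValid = False` with `Status = UntrustedRoot` and `TopInLocalMachineRoot = False` is the state described in the post above, where verification only succeeded after the root CA was added to the LocalMachine store.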
 