Can I use Active Directory as a CA to create test SSL certificates for IIS?

You configure the correct Group Policies. Websites configured in Group Policy will automatically open in Internet Explorer Emulation Mode, but they will not appear in the Compatibility View Settings list, to prevent users from removing the entries you specify. You can tell that this works because the "Compatibility Mode" button will not appear on the sites you specify.

7
asked 13 July 2012 at 15:12
4 answers

You can add trusted roots through group policy. So make a self-signed cert, roll this out as a trusted root, then any cert you sign with it will be trusted.

Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

Setting up the MS Certificate Authority is not required.

8
answered 2 December 2019 at 23:33
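
The approach in the answer above, sketched in PowerShell as an added example that is not part of the original answers: a self-signed root, a server certificate signed by it, and the public `.cer` file to import at the Group Policy path quoted in that answer. The subject names and output path are constructed placeholders, and the sketch assumes an elevated session on a Windows version whose `New-SelfSignedCertificate` supports `-Signer` (Windows 10 / Server 2016 or later).

```powershell
# Added example. Subject names and the output path are constructed placeholders.
# Run elevated: both certificates are created in the LocalMachine store.
$ErrorActionPreference = 'Stop'

# 1. Self-signed root. Basic constraints mark it as a CA that may only issue
#    end-entity certificates (pathlength=0); the key can sign certs/CRLs only
#    and is not exportable, since whoever holds it can mint trusted certs.
$root = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Test Lab Root CA' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign `
    -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Server certificate for the IIS test site, signed by the root above.
#    -DnsName fills the subject alternative name that browsers match against.
$leaf = New-SelfSignedCertificate -Type SSLServerAuthentication `
    -DnsName 'app.test.example' `
    -Signer $root `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddDays(90) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Export only the root's public certificate. This .cer file is what gets
#    imported under Trusted Root Certification Authorities in the GPO.
$rootFile = Join-Path $env:TEMP 'test-lab-root.cer'
Export-Certificate -Cert $root -FilePath $rootFile | Out-Null

# 4. Local check before rolling out the GPO: trust the root on this machine
#    and confirm the server certificate chains to it.
Import-Certificate -FilePath $rootFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # this test root publishes no CRL
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain did not build to a trusted root.'
}
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Leaf $($leaf.Thumbprint) chains to '$($top.Subject)'"
```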

If you have a server running the AD CS role issue a certificate, then it isn't self-signed anymore, it's issued by your internal CA. To answer the larger point, yes you can do this. You'll have to install the Active Directory Certificate Services role and create/distribute the certificates from there. No need to touch OpenSSL for this use case.

2
answered 2 December 2019 at 23:33

To answer your question exactly: no, you can't create a self-signed cert using Active Directory. However, I think your question is mixing different things.

  • Self-signed certificates are NOT issued by an authority (that's why they are self-signed).
  • You can integrate a certificate authority with Active Directory in order to automatize server and user certificates.

For creating self-signed certs, you have plenty of options. The simplest one, if you're a Windows shop, is to do it through IIS (see this: http://technet.microsoft.com/library/cc753127%28WS.10%29). You can also do it with OpenSSL (quite messy but works), with the makecert.exe tool that comes with the .NET SDK or with a number of similar tools (I use my own tool for this, but that's just me).

For integrating a CA with AD, the simplest way is to install the certificate services role on a machine and configure it for AD integration (although in your case, it doesn't seem to be a necessity unless you want to use it for other things).

Finally, you might want to create your own root that isn't integrated with AD. Unless you have to work with client certificate authentication, have many different servers (with different names) that you want to use in testing (and perhaps with automated testing) or if you want to be able to test some aspect of your application that uses special certificate properties or chaining, it's probably not worth the trouble.

In your case, assuming I understood it correctly and all you want to do is test your web app with a certificate, all I would do is generate a self-signed cert (using whatever tool you like best) and then install that certificate in the correct store on your test machine (to avoid certificate warnings and errors).

1
answered 2 December 2019 at 23:33

Can I create a self-signed IIS certificate using Active Directory as a CA?

No, you cannot. Simple point - AD is NOT A CA. Simple like that.

Windows has a CA component that you can install, but it is not AD. It is a separate role. Once you do that, though - why use a self-signed certificate at all?

-2
answered 2 December 2019 at 23:33