Can I use a Private CA instead of a Public CA in Edge Services?

I got an email a couple of days ago from a concerned IT Pro:

"...I read that public interface of edge server must have public certificate (this link in edge server document:

https://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=SupportedCAs )

I want to know whether I must use a Public CA or can I use the Private CA in my company?..."

That link doesn't specify that you must use a Public CA cert, its saying that there are specific requirements for advanced functionality of the certificate. That said the documentation also provides a link to show you how to get this working with your own Private CA too. So yes it can work with your Private CA by enabling the use of Subject Alternate Names or in other words the ability to support multiple URLs to be valid with the one certificate.

So why wouldn't you use your own Private CA for everything given that's much cheaper than paying someone else for the same thing (ie: a Public CA signed cert)?

When we make an SSL connection to a service - whether that be HTTP or otherwise - it requires three things to verify the validity of the connection.

1. Is the Root CA who signed the certificate trusted?

2. Is the destination URL of what we have typed (or have hard-coded) actually matching the name of the URL in the certificate?

3. Is the certificate time and date valid (ie: not expired)?

The big issue is the certificate trust chain. If you are using your own Private CA and have not exported the Root CA certificate chain to every client you intend that will connect to your service then SSL negotiation will fail as it wont be able to trust the certificate properly because it cant verify the signature.

That's the big value with using a Public CA...the root of that CA is (generally) in every browser and OS meaning you don't need to configure anything on the client for SSL negotiation to work.

Hope this helps!