This article provides more detail for the Windows HTTPS setup flow on Connected Cache.
Prerequisites
Client connection methods
Use the following checks to determine how clients connect to your Connected Cache server, for the purposes of setting up HTTPS support.
Check Delivery Optimization policy configuration
The following command queries the Windows registry for the "DOCacheHost" value under the Delivery Optimization policy path:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" -Name "DOCacheHost" -ErrorAction SilentlyContinue
If the value is present in the output, it means the client is explicitly configured to use a specific Microsoft Connected Cache server.
If the value is missing in the output, the client might rely on DHCP Option 235 to discover Connected Cache servers dynamically—assuming DOCacheHostSource is configured.
Check details of existing HTTP connection
The following command checks TCP connectivity to port 80 on the Connected Cache server. Replace insert-mcc-server-name with the server's full computer name.
Test-NetConnection -ComputerName [insert-mcc-server-name] -Port 80 -InformationLevel Detailed
From the output:
RemoteAddress is the IP address your client resolved for the Connected Cache server
NameResolutionResults lists the hostname used by your clients if DNS resolution is involved
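The two checks above can be combined into one pass that sorts each configured cache host into a DNS or IP SAN candidate. This is an added example, not part of Microsoft's tooling; it assumes DOCacheHost may hold several comma-separated entries and is run on a representative client.

```powershell
# Added example (not Microsoft's script). Run on a representative client.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

if (-not ($policy -and $policy.DOCacheHost)) {
    # No explicit host: discovery may come from DHCP Option 235 (see DOCacheHostSource).
    $source = if ($policy) { $policy.DOCacheHostSource } else { $null }
    Write-Warning "DOCacheHost is not set by policy (DOCacheHostSource = '$source')."
    return
}

# Assumption: DOCacheHost may list several hosts separated by commas.
$results = foreach ($entry in ($policy.DOCacheHost -split ',')) {
    $cacheHost = $entry.Trim()
    if (-not $cacheHost) { continue }

    # An entry that parses as an IP literal belongs in -sanIp; anything else in -sanDns.
    $parsed = $null
    $isIp = [System.Net.IPAddress]::TryParse($cacheHost, [ref]$parsed)

    # Same port 80 check as above, with warnings suppressed so only the summary is shown.
    $probe = Test-NetConnection -ComputerName $cacheHost -Port 80 -WarningAction SilentlyContinue

    [pscustomobject]@{
        ConfiguredName = $cacheHost
        SanType        = if ($isIp) { 'sanIp' } else { 'sanDns' }
        ResolvedIp     = $probe.RemoteAddress
        Port80Open     = $probe.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Values to carry into generateCsr.ps1, comma-separated as in the scenarios below.
$sanDns = ($results | Where-Object { $_.SanType -eq 'sanDns' }).ConfiguredName -join ','
$sanIp  = ($results | Where-Object { $_.SanType -eq 'sanIp' }).ConfiguredName -join ','
"sanDns: $sanDns"
"sanIp : $sanIp"
```

Run it on clients from each site or policy scope, since different groups may be pointed at the same server by different names.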
Generate CSR
Scenario-Based Parameter Examples
Review scenario-based parameter examples and make edits to your generateCsr command accordingly:
Single Office - IP Address Only
Scenario: Small branch office where clients are configured to connect to Connected Cache using a static IP address (for example, via DOCacheHost policy set to "192.168.1.100"). Admin uses local user account.
.\generateCsr.ps1 `
-RunTimeAccountName $credential.Username `
-mccLocalAccountCredential $credential `
-algo RSA `
-keySizeOrCurve 2048 `
-csrName "mcc-branch-office" `
-subjectCommonName "192.168.1.100" `
-subjectCountry "US" `
-subjectState "TX" `
-subjectOrg "Contoso Corp" `
-sanIp "192.168.1.100"
Enterprise Standard - DNS Hostname
Scenario: Enterprise environment where clients connect via standardized hostname (mcc-server.contoso.com). Admin uses gMSA account.
.\generateCsr.ps1 `
-RunTimeAccount "CONTOSO\mcc-gmsa$" `
-algo RSA `
-keySizeOrCurve 4096 `
-csrName "mcc-enterprise-prod" `
-subjectCommonName "mcc-server.contoso.com" `
-subjectCountry "US" `
-subjectState "Washington" `
-subjectOrg "Contoso Corporation" `
-sanDns "mcc-server.contoso.com"
DHCP Discovery Environment
Scenario: Environment using DHCP Option 235 for Connected Cache discovery where clients might connect using the server's actual hostname or DHCP-provided name. Admin uses local user account.
.\generateCsr.ps1 `
-RunTimeAccountName $credential.Username `
-mccLocalAccountCredential $credential `
-algo RSA `
-keySizeOrCurve 2048 `
-csrName "mcc-dhcp-discovery" `
-subjectCommonName "cache-server.corporate.local" `
-subjectCountry "US" `
-subjectState "FL" `
-subjectOrg "Corporate IT Services" `
-sanDns "cache-server.corporate.local,mcc-auto.corporate.local,fileserver.corporate.local"
Hybrid Environment - Mixed Client Connections
Scenario: Mixed environment during migration where some legacy clients still use IP addresses while newer clients use DNS names. Covers both connection methods. Admin uses local user account.
.\generateCsr.ps1 `
-RunTimeAccountName $credential.Username `
-mccLocalAccountCredential $credential `
-algo RSA `
-keySizeOrCurve 2048 `
-csrName "mcc-hybrid-migration" `
-subjectCommonName "mcc-cache.contoso.com" `
-subjectCountry "US" `
-subjectState "CA" `
-subjectOrg "Contoso Inc" `
-sanDns "mcc-cache.contoso.com,cache.contoso.local" `
-sanIp "10.0.1.50,192.168.100.10"
Multi-Site with Regional Naming
Scenario: Large organization with multiple Connected Cache nodes using consistent naming convention (mcc-region-site format). This example is for a Seattle datacenter node. Admin uses gMSA account.
.\generateCsr.ps1 `
-RunTimeAccount "CORP\mcc-production-gmsa$" `
-algo RSA `
-keySizeOrCurve 4096 `
-csrName "mcc-seattle-dc1" `
-subjectCommonName "mcc-sea-dc1.corp.contoso.com" `
-subjectCountry "US" `
-subjectState "Washington" `
-subjectOrg "Contoso Corporation" `
-sanDns "mcc-sea-dc1.corp.contoso.com,mcc-seattle.contoso.com"
Load Balanced Environment
Scenario: High-availability setup where multiple Connected Cache nodes sit behind a load balancer. Clients connect to the load balancer VIP, but certificate needs to support direct node access for troubleshooting. Admin uses gMSA account.
.\generateCsr.ps1 `
-RunTimeAccount "ENTERPRISE\mcc-ha-gmsa$" `
-algo RSA `
-keySizeOrCurve 4096 `
-csrName "mcc-node1-ha" `
-subjectCommonName "mcc.enterprise.com" `
-subjectCountry "US" `
-subjectState "NY" `
-subjectOrg "Enterprise Solutions Inc" `
-sanDns "mcc.enterprise.com,mcc-node1.enterprise.com,mcc-cluster.enterprise.local"
Development/Testing Environment
Scenario: Development environment with relaxed naming requirements. Supports localhost testing and lab network access. Admin uses local user account.
.\generateCsr.ps1 `
-RunTimeAccountName $credential.Username `
-mccLocalAccountCredential $credential `
-algo RSA `
-keySizeOrCurve 2048 `
-csrName "mcc-dev-lab" `
-subjectCommonName "localhost" `
-subjectCountry "US" `
-subjectState "Dev" `
-subjectOrg "IT Development" `
-sanDns "localhost,mcc-dev.lab.local,devserver.local" `
-sanIp "127.0.0.1,192.168.10.100,10.10.10.50"
High-Security with Elliptic Curve
Scenario: Security-conscious organization requiring modern ECC cryptography for better performance and compliance with newer security standards. Admin uses gMSA account.
.\generateCsr.ps1 `
-RunTimeAccount "SECURE\mcc-prod-gmsa$" `
-algo EC `
-keySizeOrCurve secp384r1 `
-csrName "mcc-secure-prod" `
-subjectCommonName "mcc-secure.defense.gov" `
-subjectCountry "US" `
-subjectState "VA" `
-subjectOrg "Department of Defense" `
-sanDns "mcc-secure.defense.gov"
Azure VM / Hybrid Cloud Deployment
Scenario: Connected Cache node deployed on Azure VM with both public and private connectivity. Clients from on-premises connect via private IP/hostname, while cloud-based clients may use the Azure public DNS name. Admin uses local user account.
.\generateCsr.ps1 `
-RunTimeAccountName $credential.Username `
-mccLocalAccountCredential $credential `
-algo RSA `
-keySizeOrCurve 2048 `
-csrName "mcc-azure-hybrid" `
-subjectCommonName "mcc-eastus.cloudapp.azure.com" `
-subjectCountry "US" `
-subjectState "WA" `
-subjectOrg "Contoso Corporation" `
-sanDns "mcc-eastus.cloudapp.azure.com,mcc-azure.contoso.local,mcc-vm01.contoso.com" `
-sanIp "10.0.1.10,172.16.0.50"
Sign CSR
Convert to .crt file type
If you receive .cer:
PowerShell:
Rename-Item -Path "xxxx.cer" "xxxx.crt"
WSL:
openssl x509 -in xxxx.cer -out xxxx.crt
If you receive .der:
PowerShell:
certutil -encode "xxxx.der" "xxxx.crt"
WSL:
openssl x509 -inform DER -in xxxx.der -out xxxx.crt
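Before deploying the converted file, it is worth confirming its encoding and that the CA kept every SAN entry from the CSR. This is an added example, not part of Microsoft's tooling; the file name and the expected names (taken from the hybrid scenario above) are placeholders, and it assumes the target .crt is Base64 (PEM), which is what the conversion commands above produce.

```powershell
# Added example (not Microsoft's script). Path and expected names are placeholders.
$certPath = '.\xxxx.crt'
$expected = 'mcc-cache.contoso.com', 'cache.contoso.local', '10.0.1.50', '192.168.100.10'

$fullPath = (Resolve-Path -LiteralPath $certPath).ProviderPath
$bytes    = [System.IO.File]::ReadAllBytes($fullPath)

# Base64 (PEM) files carry a text header; DER files start with 0x30 (ASN.1 SEQUENCE).
$head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(64, $bytes.Length))
$encoding = if ($head -match '-----BEGIN CERTIFICATE-----') { 'PEM' } elseif ($bytes[0] -eq 0x30) { 'DER' } else { 'Unknown' }
if ($encoding -ne 'PEM') {
    Write-Warning "$certPath is $encoding encoded; a rename alone does not change the encoding."
}

# X509Certificate2 reads both encodings, so the content can be checked either way.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

# Subject Alternative Name extension (OID 2.5.29.17), e.g. "DNS Name=a, IP Address=b" on Windows.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanValues = @()
if ($sanExt) {
    $sanValues = $sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
}

[pscustomobject]@{
    Encoding   = $encoding
    Subject    = $cert.Subject
    NotAfter   = $cert.NotAfter
    SanEntries = $sanValues -join ', '
    MissingSan = ($expected | Where-Object { $_ -notin $sanValues }) -join ', '
}
```

A non-empty MissingSan means clients connecting by that name or address will fail certificate validation; a DER result after a plain rename means the file needs the encode step instead.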