SSL Certificates For Intranet Sites?

← Back to Stories (view on slashdot.org)

SSL Certificates For Intranet Sites?

Posted by kdawson on Tuesday November 23, 2010 @03:31AM from the matter-of-trust dept.

wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

23 of 286 comments (clear)

Min score:

Reason:

Sort:

Private Certificate Authority by LostOne · 2010-11-23 03:31 · Score: 5, Informative

Why not set up a private certificate authority? Then you can manufacture as many SSL certificates as you need for private use and all you need to do is distribute the certificate authority's certificate to each browser once for the entire enterprise. Every browser out there has a way to add additional trusted certificate authorities. Indeed, if you have a "centrally controlled" provisioning system, you can even add the certificate to your default system build. Then the scary warnings go away completely.

--

If it works in theory, try something else in practice.
1. Re:Private Certificate Authority by Anonymous Coward · 2010-11-23 03:41 · Score: 0, Informative
  
  Sadly though this is the only way to secure at a low cost. A PKI is not a small feat either, but it is something that you should be using. Not only for web traffic either, a PKI is useful for a lot of things (VPN, RDP, EFS). Plus you can publish through AD DS and this becomes very simple to update and maintain.
2. Re:Private Certificate Authority by MeanMF · 2010-11-23 03:42 · Score: 4, Informative
  
  Yeah AD group policy can do this very easily, no scripts required. http://technet.microsoft.com/en-us/library/cc772491.aspx
3. Re:Private Certificate Authority by Trevelyan · 2010-11-23 03:46 · Score: 5, Informative
  10secs of googling gave me this:
  
  MS internal CA management tool howo (not tried)
  
  Similar for Linux (UNIX) (used often)
4. Re:Private Certificate Authority by Shawn+is+an+Asshole · 2010-11-23 03:54 · Score: 4, Informative
  
  TinyCA2 is rather easy to use.
  
  --
  "It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
5. Re:Private Certificate Authority by FreelanceWizard · 2010-11-23 03:56 · Score: 2, Informative
  
  Indeed. An "enterprise PKI," as Microsoft likes to call it, handily solves this issue. Just add the root CA and intermediate CA certificates to the computers via Group Policy -- just as you would if you needed to trust a novel CA (such as, for instance, the DoD CAs). As an added bonus, if you activate auto-enrollment on Windows, your users get access to encrypted and signed e-mail, and you can trivially kick PPTP VPNs to the curb and use IKEv2 or L2TP instead. With a little more work, you can even get IPSec working. From a browser perspective, most if not all Windows browsers rely on the platform's cryptography infrastructure, so there's no need to install the certificates in each browser.
  Unfortunately, while the Microsoft CA is relatively easy to use, using it for anything non-trivial requires the Enterprise or Datacenter edition of Windows Server. This is because you can't modify the certificate templates on lesser editions, and you need those to set up specialized certificates for, say, Configuration Manager.
  If you're manually distributing certificates in any Windows infrastructure, you're doing it wrong.
  
  --
  The Freelance Wizard
6. Re:Private Certificate Authority by ImprovOmega · 2010-11-23 04:07 · Score: 2, Informative
  
  that don't involve manually distributing your certificates and CRL to every workstation in the company
  So automate the distribution. Logon script, group policy, OS update patch, software distribution push out, whatever. You do it once and it's done. Then put it on your standard image and never worry about it again.
7. Re:Private Certificate Authority by Anonymous Coward · 2010-11-23 04:08 · Score: 2, Informative
  
  Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)
  As soon as a new pc joins the domain, the internal CA root cert is installed.
8. Re:Private Certificate Authority by Provos · 2010-11-23 04:09 · Score: 2, Informative
  
  Why do you assume it has to be manually distributed? CRL and Certificates could be distributed through any enterprise desktop management system, such as SCCM or remediation managers such as Hercules.
  
  --
  I toggled a toggle and buttoned a button, but when I got done, I was done doin' nothin'.
9. Re:Private Certificate Authority by Xonstantine · 2010-11-23 04:12 · Score: 5, Informative
  
  If you are using Windows on a network controlled by a DC, you can push the CA trust out through group policy...
10. Re:Private Certificate Authority by KevMar · 2010-11-23 04:13 · Score: 2, Informative
  
  If you make your microsoft certificate authority the domain authority, I think that it will automatically distribute the root cert to every domain joined computer at the next computer policy refresh.
  Not only that, but there is a section of group policy just for certificates. It is very easy to work with (if you are using a Microsoft authority).
  The cost is that of another server (or a few servers for a large organisation).
  
  --
  Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
11. Re:Private Certificate Authority by BagOBones · 2010-11-23 04:31 · Score: 3, Informative
  
  You don't even need group policy... once you install a Windows CA in Enterprise mode its automatic, the chain will be distributed and trusted via active directory.
  
  --
  EA David Gardner -"... but the consumers have proven that actually what they want is fun."
12. Re:Private Certificate Authority by Anonymous Coward · 2010-11-23 04:36 · Score: 5, Informative
  
  Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)
  For those who don't like using IE, you can also distribute Firefox settings via group policies by using FrontMotion.
13. Re:Private Certificate Authority by Reece400 · 2010-11-23 05:09 · Score: 2, Informative
  
  http://www.namecheap.com/learn/other-services/ssl-certificates.asp I messed that link up some how.
14. Re:Private Certificate Authority by Eil · 2010-11-23 06:07 · Score: 2, Informative
  
  It's impolite, but the truth. If your job entails running a company's computer systems, you should already know (or be able to Google) the fact that you either have to pony up for SSL certs or generate and distribute your own. There is no in between. In systems administration, the question of "how do we solve this?" is almost always answered by "rolling our own" or "paying someone".
Wildcard cert by Anonymous Coward · 2010-11-23 03:33 · Score: 1, Informative

*.internal.example.com
Inexpensive 3rd Party Solution by schi0244 · 2010-11-23 03:35 · Score: 4, Informative

https://www.startssl.com/
An Israeli company with inexpensive SSL (and other certs). I would also point out the prices they have for Extended Validation SSL certs.
Is free cheap enough? by multipartmixed · 2010-11-23 03:36 · Score: 5, Informative

http://startssl.com/

--

Do daemons dream of electric sleep()?
1. Re:Is free cheap enough? by heypete · 2010-11-23 05:38 · Score: 2, Informative
  
  If by "nice colored emblem", you mean the blue indicator next to the address bar and the padlock icon in the bottom-right, yes. It works fine. No scary warnings or anything. Such standard SSL certificates are fully trusted by Firefox, and are free of charge.
  If, however, you mean the green Extended Validation indicator next to the address bar, this also works fine, but costs a bit of money. Not a big deal.
  Either way, the browser will trust the cert without warnings.
  Yes, it will be more transparent to the user than using a self-signed certificate. Self-signed certificates present scary warnings, as they are not signed by a trusted CA. StartSSL-issued certs are trusted by many browsers. See http://www.startssl.com/?app=40
  StartSSL certs are accepted without warnings by Android and iPhone.
Internal CA by Anonymous Coward · 2010-11-23 03:37 · Score: 1, Informative

If the machines are windows based and reside on a domain then Group Policies can push out these certs rather nicely.
Even non-windows machines - you can script the certificate update via logon script. I do this in my own domain I have setup for issue reproduction purposes.
It is rather simple.
Solution for windows and IE by daniel_zy · 2010-11-23 03:44 · Score: 2, Informative

On window the list of CA on the machine can be centraly maneged...
PKI in a web page by rich_salz · 2010-11-23 03:59 · Score: 2, Informative

You might find my "PKI in a web page" useful. It doesn't require sending all certs to all browsers, just the one internal CA cert and includes step-by-step screenshots on how to do that. See https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/entry/a_pki_in_a_web_page10?lang=en
Re:ssh tunnel by Anonymous Coward · 2010-11-23 04:18 · Score: 1, Informative

PuTTY FTW.