Slashdot Mirror


SSL Certificates For Intranet Sites?

wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

9 of 286 comments

  1. Private Certificate Authority by LostOne · · Score: 5, Informative

    Why not set up a private certificate authority? Then you can manufacture as many SSL certificates as you need for private use and all you need to do is distribute the certificate authority's certificate to each browser once for the entire enterprise. Every browser out there has a way to add additional trusted certificate authorities. Indeed, if you have a "centrally controlled" provisioning system, you can even add the certificate to your default system build. Then the scary warnings go away completely.

    --

    If it works in theory, try something else in practice.
    1. Re:Private Certificate Authority by MeanMF · · Score: 4, Informative

      Yeah, AD group policy can do this very easily, no scripts required. http://technet.microsoft.com/en-us/library/cc772491.aspx

    2. Re:Private Certificate Authority by Trevelyan · · Score: 5, Informative
      10secs of googling gave me this:
    3. Re:Private Certificate Authority by Shawn+is+an+Asshole · · Score: 4, Informative

      TinyCA2 is rather easy to use.

      --
      "It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks
    4. Re:Private Certificate Authority by Xonstantine · · Score: 5, Informative

      If you are using Windows on a network controlled by a DC, you can push the CA trust out through group policy...

    5. Re:Private Certificate Authority by BagOBones · · Score: 3, Informative

      You don't even need group policy... once you install a Windows CA in Enterprise mode it's automatic, the chain will be distributed and trusted via Active Directory.

      --
      EA David Gardner -"... but the consumers have proven that actually what they want is fun."
    6. Re:Private Certificate Authority by Anonymous Coward · · Score: 5, Informative

      Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)

      For those who don't like using IE, you can also distribute Firefox settings via group policies by using FrontMotion.
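
The private-CA approach suggested in this thread, sketched with the OpenSSL command line as an added example (not code from the original thread or any commenter). It assumes the `openssl` CLI is installed; the organisation name, hostnames, file names and lifetimes are constructed placeholders.

```shell
#!/bin/sh
# Added example; organisation name, hostnames and lifetimes are constructed placeholders.
set -eu

make_ca() {            # $1 = directory that will hold the CA key and certificate
    mkdir -p "$1" && chmod 700 "$1"
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = Example Corp Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed root; its private key never leaves this directory.
    openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:3072 -nodes -sha256 \
        -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

issue_cert() {         # $1 = CA directory, $2 = appliance hostname
    # Key and CSR for the appliance; -subj overrides the [dn] section.
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    # Browsers match the hostname against subjectAltName, not the CN.
    printf '%s\n' "subjectAltName = DNS:$2" "basicConstraints = CA:FALSE" \
        "extendedKeyUsage = serverAuth" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

verify_cert() {        # $1 = trusted CA cert, $2 = server cert, $3 = hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```

Only `ca.crt` is distributed to workstations (for example through the Group Policy route mentioned in the replies); `ca.key` stays on the CA host, since anyone holding it can mint certificates every client will trust.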

  2. Inexpensive 3rd Party Solution by schi0244 · · Score: 4, Informative

    https://www.startssl.com/
    An Israeli company with inexpensive SSL (and other certs). I would also point out the prices they have for Extended Validation SSL certs.

  3. Is free cheap enough? by multipartmixed · · Score: 5, Informative
    --

    Do daemons dream of electric sleep()?