Slashdot Mirror


SSL Certificates For Intranet Sites?

wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

40 of 286 comments

  1. Private Certificate Authority by LostOne · · Score: 5, Informative

    Why not set up a private certificate authority? Then you can manufacture as many SSL certificates as you need for private use and all you need to do is distribute the certificate authority's certificate to each browser once for the entire enterprise. Every browser out there has a way to add additional trusted certificate authorities. Indeed, if you have a "centrally controlled" provisioning system, you can even add the certificate to your default system build. Then the scary warnings go away completely.

    --

    If it works in theory, try something else in practice.
    1. Re:Private Certificate Authority by Anonymous Coward · · Score: 5, Insightful

      Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

    2. Re:Private Certificate Authority by Anonymous Coward · · Score: 5, Funny

      Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

      Damn, over in two posts.

    3. Re:Private Certificate Authority by amorsen · · Score: 2, Insightful

      The available certificate servers which are Free Software tend to be rather user-unfriendly. Maintaining certificate revocation lists and handling certificates for different purposes (mail, web, code, client authentication, vpn...) are needlessly time-consuming chores. Obviously any competent system administrator can script their way out of it, but in this case it is a rather large effort.

      I would be very happy to hear about an easier solution.

      --
      Finally! A year of moderation! Ready for 2019?
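      The private CA LostOne describes, with the CRL chore amorsen mentions scripted, as an added example that is not from any poster: a POSIX shell wrapper around openssl that creates a root CA, issues a server certificate (with the SAN browsers match on) for one appliance hostname, revokes it, and publishes a CRL that clients can check. It assumes OpenSSL 1.1.1 or newer on PATH; the CA name, the hostname appliance.corp.example and the file layout are constructed.

```shell
#!/bin/sh
# Added example, not from any poster: a minimal private CA for intranet hosts,
# including a CRL. Assumes OpenSSL 1.1.1+ on PATH; all names are constructed.
set -eu
# Create the CA: "openssl ca" bookkeeping, config, self-signed root, empty CRL.
make_private_ca() {
  dir="$1"
  mkdir -p "$dir/newcerts"; : > "$dir/index.txt"
  echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = intca
[ intca ]
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 397
default_crl_days = 30
policy = policy_cn
copy_extensions = copy
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -config "$dir/openssl.cnf" -extensions root_ext \
    -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Corp Internal Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt"
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/ca.crl"
}
# Issue a server cert for one intranet hostname; browsers match on the SAN.
issue_server_cert() {
  dir="$1"; host="$2"
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr"
  openssl ca -batch -notext -config "$dir/openssl.cnf" -extensions server_ext \
    -in "$dir/$host.csr" -out "$dir/$host.crt"
}
# Revoke a host cert (say, a decommissioned appliance) and republish the CRL.
revoke_cert() {
  dir="$1"; host="$2"
  openssl ca -config "$dir/openssl.cnf" -revoke "$dir/$host.crt"
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/ca.crl"
}
# What a client that trusts ca.crt checks: chain validity plus revocation.
verify_cert() {
  dir="$1"; host="$2"
  openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/ca.crl" "$dir/$host.crt"
}
# Stand-alone demo in a scratch directory.
d=$(mktemp -d)/ca
make_private_ca "$d" >/dev/null 2>&1
issue_server_cert "$d" appliance.corp.example >/dev/null 2>&1
verify_cert "$d" appliance.corp.example
revoke_cert "$d" appliance.corp.example >/dev/null 2>&1
verify_cert "$d" appliance.corp.example || echo "revoked certificate rejected"
```

      Only ca.crt (never ca.key) leaves the CA host: it is the one file that has to reach each workstation's trust store, by group policy, login script or the standard image.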
    4. Re:Private Certificate Authority by pla · · Score: 4, Insightful

      Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

      FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

      Before snarking on the FP author, perhaps you should actually read the FP's question?

    5. Re:Private Certificate Authority by MeanMF · · Score: 4, Informative

      Yeah AD group policy can do this very easily, no scripts required. http://technet.microsoft.com/en-us/library/cc772491.aspx

    6. Re:Private Certificate Authority by Trevelyan · · Score: 5, Informative
      10 secs of googling gave me this:
    7. Re:Private Certificate Authority by corbettw · · Score: 2, Insightful

      Doesn't mean he's wrong. Seriously, this is SSL 101, and anyone tasked with setting up SSL-protected websites should've intuitively known the answer before the question was even asked.

      --
      God invented whiskey so the Irish would not rule the world.
    8. Re:Private Certificate Authority by Yaa+101 · · Score: 5, Insightful

      Sorry, but every certificate authority is manually distributed at some point, the verizon's of this planet included, they just have the convenience that browser manufacturers do that for them.

      The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.

      I do not know any other way to do this automatically.

    9. Re:Private Certificate Authority by Shawn+is+an+Asshole · · Score: 4, Informative

      TinyCA2 is rather easy to use.

      --
      "It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks
    10. Re:Private Certificate Authority by FreelanceWizard · · Score: 2, Informative

      Indeed. An "enterprise PKI," as Microsoft likes to call it, handily solves this issue. Just add the root CA and intermediate CA certificates to the computers via Group Policy -- just as you would if you needed to trust a novel CA (such as, for instance, the DoD CAs). As an added bonus, if you activate auto-enrollment on Windows, your users get access to encrypted and signed e-mail, and you can trivially kick PPTP VPNs to the curb and use IKEv2 or L2TP instead. With a little more work, you can even get IPSec working. From a browser perspective, most if not all Windows browsers rely on the platform's cryptography infrastructure, so there's no need to install the certificates in each browser.

      Unfortunately, while the Microsoft CA is relatively easy to use, using it for anything non-trivial requires the Enterprise or Datacenter edition of Windows Server. This is because you can't modify the certificate templates on lesser editions, and you need those to set up specialized certificates for, say, Configuration Manager.

      If you're manually distributing certificates in any Windows infrastructure, you're doing it wrong.

      --
      The Freelance Wizard
    11. Re:Private Certificate Authority by ImprovOmega · · Score: 2, Informative

      that don't involve manually distributing your certificates and CRL to every workstation in the company

      So automate the distribution. Logon script, group policy, OS update patch, software distribution push out, whatever. You do it once and it's done. Then put it on your standard image and never worry about it again.

    12. Re:Private Certificate Authority by apparently · · Score: 2, Insightful

      A variant would work if all browser users were technical enough to download and install a browser, that is, a central in-house downloadable copy with that root installed in the browser.

      That only works if you're also fine with local users having the privileges to install software on their workstations. So you're only trading one security issue for another.

    13. Re:Private Certificate Authority by Anonymous Coward · · Score: 2, Informative

      Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)

      As soon as a new pc joins the domain, the internal CA root cert is installed.

    14. Re:Private Certificate Authority by Provos · · Score: 2, Informative

      Why do you assume it has to be manually distributed? CRL and Certificates could be distributed through any enterprise desktop management system, such as SCCM or remediation managers such as Hercules.

      --
      I toggled a toggle and buttoned a button, but when I got done, I was done doin' nothin'.
    15. Re:Private Certificate Authority by Xonstantine · · Score: 5, Informative

      If you are using Windows on a network controlled by a DC, you can push the CA trust out through group policy...

    16. Re:Private Certificate Authority by KevMar · · Score: 2, Informative

      If you make your microsoft certificate authority the domain authority, I think that it will automatically distribute the root cert to every domain joined computer at the next computer policy refresh.

      Not only that, but there is a section of group policy just for certificates. It is very easy to work with (if you are using a Microsoft authority).

      The cost is that of another server (or a few servers for a large organisation).

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    17. Re:Private Certificate Authority by BagOBones · · Score: 3, Informative

      You don't even need group policy... once you install a Windows CA in Enterprise mode it's automatic, the chain will be distributed and trusted via Active Directory.

      --
      EA David Gardner -"... but the consumers have proven that actually what they want is fun."
    18. Re:Private Certificate Authority by Anonymous Coward · · Score: 5, Informative

      Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)

      For those who don't like using IE, you can also distribute Firefox settings via group policies by using FrontMotion.

    19. Re:Private Certificate Authority by Reece400 · · Score: 2, Informative
    20. Re:Private Certificate Authority by ayvee · · Score: 2, Interesting

      This may be noobish, but is there some way to set up a certificate authority, have its verification key (V) be publicly available from a website or something, and have V signed by (say) Verisign?

    21. Re:Private Certificate Authority by TheLink · · Score: 3, Interesting

      Sorry, but every certificate authority is manually distributed at some point, the verizon's of this planet included, they just have the convenience that browser manufacturers do that for them.

      And there's the big difference.

      The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.

      No, the way to do what the main requester wants is to get a free cert whose CA is recognized by most popular browsers. You can get some from: http://www.startssl.com/
      Their "product" comparison: http://www.startssl.com/?app=40

      You might be able to get free certs from elsewhere.

      Apparently some sites sell rapidssl wildcard certs for cheap. I can't remember which ones. Can't find them via Rapidssl's own website for some reason ;).

      You have to understand the truth of the matter. Most people dealing with https don't really care that much about security. All they want is not to have those scary browser warnings.

      If they really cared about security they would realize that most popular browsers by default do not warn you if a site's CA has changed, or a server cert has changed rather prematurely (I use certificate patrol for that). And that as long as this remains true, all the talk about https security is just talk.

      So people should just solve the submitter's problem, and implying he's incompetent or even calling him incompetent. Because how many of you are relying on https to keep stuff safe and have CA certs in your browser from CAs you do not trust?

      FWIW how many of you really trust Verisign? Stick your hand up if you're that incompetent ( http://en.wikipedia.org/wiki/Verisign#Controversies ). Guess who signs zillions of certs though, and what happens if you don't tell the browser to trust Verisign's certs. Guess who signed a fake Microsoft's cert? http://www.cert.org/advisories/CA-2001-04.html

      So just accept that those certs are mainly to make people feel safe and make the browser warnings go away.

      --
    22. Re:Private Certificate Authority by Eil · · Score: 2, Informative

      It's impolite, but the truth. If your job entails running a company's computer systems, you should already know (or be able to Google) the fact that you either have to pony up for SSL certs or generate and distribute your own. There is no in between. In systems administration, the question of "how do we solve this?" is almost always answered by "rolling our own" or "paying someone".

    23. Re:Private Certificate Authority by Anpheus · · Score: 2, Insightful

      Yes! I've discovered lately when evaluating Chrome for workstation use that Chrome now has an (ever-growing) list of group policies available. Grab the adm/admx templates and MSI installer and check them out.

      Coincidentally, the latest Chromium/Chrome Canary/Chrome Dev builds also started ignoring IE's trusted zone lists and so windows integrated authentication (Kerberos Negotiate) stopped working. Boo. Supposedly there's a new policy that I can set to fix this. I reported the issue but am waiting for clarification on whether this is intended behavior, a security issue, or what.

  2. Inexpensive 3rd Party Solution by schi0244 · · Score: 4, Informative

    https://www.startssl.com/
    An Israeli company with inexpensive SSL (and other certs). I would also point out the prices they have for Extended Validation SSL certs.

  3. Why are you clicking through that box every time? by jandrese · · Score: 3, Insightful

    Every browser has a way to store the security exceptions so that you don't get that warning every time. Just set the box up on a private network the first time to avoid a MitM attack and store the cert. If you ever get another warning about an untrusted cert from the box, then you might have a MitM attack going on, but otherwise if the cert matches you're fine.

    You could also set up your own local root authority (most larger companies do this) and make your own certs.

    --

    I read the internet for the articles.
  4. Is free cheap enough? by multipartmixed · · Score: 5, Informative
    --

    Do daemons dream of electric sleep()?
    1. Re:Is free cheap enough? by heypete · · Score: 2, Informative

      If by "nice colored emblem", you mean the blue indicator next to the address bar and the padlock icon in the bottom-right, yes. It works fine. No scary warnings or anything. Such standard SSL certificates are fully trusted by Firefox, and are free of charge.

      If, however, you mean the green Extended Validation indicator next to the address bar, this also works fine, but costs a bit of money. Not a big deal.

      Either way, the browser will trust the cert without warnings.

      Yes, it will be more transparent to the user than using a self-signed certificate. Self-signed certificates present scary warnings, as they are not signed by a trusted CA. StartSSL-issued certs are trusted by many browsers. See http://www.startssl.com/?app=40

      StartSSL certs are accepted without warnings by Android and iPhone.

  5. Solution for windows and IE by daniel_zy · · Score: 2, Informative

    On Windows the list of CAs on the machine can be centrally managed...

  6. Are you seriously that dense? by apparently · · Score: 3, Insightful

    FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks." Before snarking on the FP author, perhaps you should actually read the FP's question?

    So a login script (or in a Microsoft environment, an AD group policy) that distributes the certificate automatically to each computer meets your definition of "manual distribution?"
    Really? That's what you're saying? "Automatic" and "manual" are synonyms in your universe? Wow.

  7. Why does this always get marked troll? by Kupfernigk · · Score: 2, Insightful
    I've seen similar comments get marked troll before. Yet for many websites, the direction of trust is from them to you. If you want to log in to my website, which provides information, I store no personal information other than a user name and password. I have to trust you before giving you the information you want.

    What we actually have here is a psychological issue - the cert vendors want you to believe that anyone who doesn't buy their certs is a potential criminal. The rule should simply be "no financial transactions or personal data on a site without an entrusted cert".

    Other than common sense, there is nothing to stop me posting my credit card details on Slashdot. If I log into a public forum using HTTPS, I still have no protection against my own stupidity if I do that. Now, without simply modding this troll, can anybody give a coherent explanation as to why browsers shouldn't assess self-signed certs according to their origin - within the intranet, valid server name - rather than treating selfcert.ru the same as selfcert.10.0.0.1?

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
  8. PKI in a web page by rich_salz · · Score: 2, Informative

    You might find my "PKI in a web page" useful. It doesn't require sending all certs to all browsers, just the one internal CA cert and includes step-by-step screenshots on how to do that. See https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/entry/a_pki_in_a_web_page10?lang=en

  9. Seriously? Do your own job. by spydum · · Score: 5, Interesting

    Judging by plenty of the comments in threads similar to this, I think most of us are tired of seeing Ask Slashdot posts on how to do his or her job. Had this been really cutting edge, or new grounds, I could understand. However.. Enterprise PKI? Seriously? If this is to be the continuing trend of Ask Slashdot, I need to adjust my filters.. because that is just sad.

    I'm finding more and more IT folks are standing around waiting to be spoon-fed solutions, instead of trying to research and educate themselves on what is already out there. It worries me that this is not just the trend in IT, but across all occupations. Am I just getting old and crotchety, or is this a new trend?

    1. Re:Seriously? Do your own job. by rainer_d · · Score: 3, Insightful

      That's the "I'm feeling lucky" google-fed generation.
      If it's not on the first page in google results, go and ask in a forum.
      Though, that's actually old-school, sort-of - people tend to ask in their twitter feed nowadays...

      --
      Windows 2000 - from the guys who brought us edlin
    2. Re:Seriously? Do your own job. by Gothmolly · · Score: 2, Interesting

      It's a new trend I think, fed by the chorus from management that "IT is easy" - so they find cheap talent who live by Googling answers. Nobody designs anything anymore.

      --
      I want to delete my account but Slashdot doesn't allow it.
  10. Re:Why are you clicking through that box every tim by jdew · · Score: 2

    HP lights out boards don't retain the self generated cert between power failures. So when power returns you get a different cert, and the exception now needs to be removed and readded.

  11. Re:Untrusted certs should not raise an alarm by Eunuchswear · · Score: 4, Insightful

    This is done by having the server present a certificate, which the client can then verify was signed by one of many trusted authorities.

    The only thing the "trusted authorities" confirm is that the person who has the cert paid for it.

    Some trust.

    The whole SSL certificate crap is a scam. The only interesting thing to know would be "is this site using the same certificate as the last time I connected to it". And the shitty browsers don't tell you that.

    (The protocol should also have some reasonable way of doing rollover, like presenting a new certificate in the session "this is what we're going to be using starting...").

    That is why SSL authenticates the remote site. Encrypting the transport prevents eavesdropping, while authenticating the remote site prevents man-in-the-middle attacks. You need both to have any degree of security.

    But they don't authenticate the remote site. They just check that the remote site has a certificate signed by one of those super trustworthy people like Verisign or the government of China.

    --
    Watch this Heartland Institute video
  12. Troll Tuesday hits Ask Slashdot! by peacefinder · · Score: 3, Insightful

    Congratulations on getting your story accepted to the front page!

    Dozens of man-hours will now be spent explaining basics of inhouse certificate authorities and self-signing, along with comments on your lack of basic research, intelligence, qualification for your position, and legitimate parentage.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  13. Re:Share the wisdom of Slashdot. by rjstanford · · Score: 2, Insightful

    And to those of you here who claim "half a brain": please remember that you yourselves may someday need to do something (legal, financial, educational, even technical) for which you are less than half competent. Yes, you have achieved a "win" in humiliating a sincere poster, but it's the cheap victory enjoyed only by the pusillanimous.

    Here's the deal. Either this person is administering a smallish number of machines, in which case he/she can simply go 'round and install certificates on all of them, or they're administering an assload of them, in which case they do indeed deserve the scorn for not being willing to do a modicum of research and choose the standard approach.

    Your defense only works if they're in charge of too many machines to administer manually, but yet have no experience doing so - a situation which is highly unlikely. It might be a temporary situation due to turnover, but in that case they shouldn't be implementing a "convenience" feature like this one themselves.

    --
    You're special forces then? That's great! I just love your olympics!
  14. 300+ comments later... by cormandy · · Score: 2, Interesting

    It has been said about 300 times here already: install an internal certificate authority and push the CA certificate out to all of your browsers....
    The cheap option is to use an open-source SSL CA; a client of mine (one of the planet's most profitable law firms) was using Verisign to sign internal certs, partly out of laziness, for internally protected (https/SSL) apps. I recommended an internal cert auth and their security gurus deployed an open source CA. They pushed the CA cert out to the worldwide desktops via Windows Group Policy so that the browsers would recognize the signing authority. Worked a charm: all internal certs signed for free. Lots of money saved...
    For another client (big company that manages railway infrastructure on a big island in the Atlantic), we deployed the Oracle "Certificate Authority" (Part of Oracle Identity Management) - don't laugh - and it worked as well. Needed to push the CA certificate out to the desktops via Windows Group Policy. Also worked a charm.
    Only fools use public cert auths such as Verisign to sign internal-facing certificates.
    Both clients had it on their "to do" lists to deploy the MS Certificate Authority, but it was deemed low priority, so another solution was needed...