Slashdot Mirror


SSL Certificates For Intranet Sites?

wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

9 of 286 comments

  1. Private Certificate Authority by LostOne · Score: 5, Informative

    Why not set up a private certificate authority? Then you can manufacture as many SSL certificates as you need for private use and all you need to do is distribute the certificate authority's certificate to each browser once for the entire enterprise. Every browser out there has a way to add additional trusted certificate authorities. Indeed, if you have a "centrally controlled" provisioning system, you can even add the certificate to your default system build. Then the scary warnings go away completely.

    --

    If it works in theory, try something else in practice.
    1. Re:Private Certificate Authority by Anonymous Coward · Score: 5, Insightful

      Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

    2. Re:Private Certificate Authority by Anonymous Coward · Score: 5, Funny

      Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

      Damn, over in two posts.

    3. Re:Private Certificate Authority by Trevelyan · Score: 5, Informative

      10 secs of googling gave me this:
    4. Re:Private Certificate Authority by Yaa+101 · Score: 5, Insightful

      Sorry, but every certificate authority is manually distributed at some point, the Verizons of this planet included; they just have the convenience that browser manufacturers do that for them.

      The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to the browser.

      I do not know any other way to do this automatically.

    5. Re:Private Certificate Authority by Xonstantine · Score: 5, Informative

      If you are using Windows on a network controlled by a DC, you can push the CA trust out through group policy...

    6. Re:Private Certificate Authority by Anonymous Coward · Score: 5, Informative

      Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)

      For those who don't like using IE, you can also distribute Firefox settings via group policies by using FrontMotion.
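As an added worked example that is not part of the thread (none of the posters supplied code): the private-CA approach from LostOne's comment, carried out with OpenSSL in a POSIX shell, with the distribution point the Group Policy replies describe being only the CA certificate (ca.crt). The organisation name, the hostname fw01.corp.example and the CRL URL are made-up placeholders. The script creates a root CA, signs a certificate for one appliance with a subjectAltName and a CRL distribution point, and then contrasts chain validation of that certificate with a vendor-style self-signed one, which is the condition that produces the browser warning.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal private CA with OpenSSL and a
# server certificate for one appliance's management interface. "Example Corp",
# fw01.corp.example and the CRL URL are made-up placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed root CA under "$1". Only ca.crt is ever distributed to
# clients (e.g. via Group Policy); ca.key stays with the CA operator.
make_ca() {
    ca="$1"
    mkdir -p "$ca"
    cat >"$ca/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext
[ dn ]
O  = Example Corp
CN = Example Corp Internal Root CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ee_ext ]
basicConstraints     = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -config "$ca/ca.cnf" -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null
}

# Issue a server certificate for host "$2", signed by the CA under "$1".
# Browsers match the hostname against subjectAltName, not the CN.
issue_server_cert() {
    ca="$1"; host="$2"; out="$WORK/$host"
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$ca/ca.cnf" \
        -subj "/CN=$host" -keyout "$out.key" -out "$out.csr" 2>/dev/null
    cat >"$out.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
# Clients fetch revocation data from this (hypothetical) URL; no CRL is pushed to them.
crlDistributionPoints  = URI:http://pki.corp.example/internal-root.crl
EOF
    openssl x509 -req -sha256 -days 825 -in "$out.csr" -out "$out.crt" \
        -CA "$ca/ca.crt" -CAkey "$ca/ca.key" -CAcreateserial -extfile "$out.ext" 2>/dev/null
}

# Chain-validate "$2" against the CA certificate "$1"; prints OK or FAIL.
verify_against_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# List the DNS names in the certificate's SAN extension.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

make_ca "$WORK/ca"
issue_server_cert "$WORK/ca" fw01.corp.example

# A vendor-style self-signed certificate, for contrast: this is what produces
# the "Continue to this website (not recommended)" warning.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$WORK/ca/ca.cnf" \
    -extensions ee_ext -subj "/CN=appliance" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null

echo "CA-issued cert:     $(verify_against_ca "$WORK/ca/ca.crt" "$WORK/fw01.corp.example.crt")"
echo "vendor self-signed: $(verify_against_ca "$WORK/ca/ca.crt" "$WORK/selfsigned.crt")"
cert_sans "$WORK/fw01.corp.example.crt"
```

The issued certificate validates only on a client that trusts ca.crt, which is exactly the file a Group Policy trusted-root push or a base image would carry; ca.key never leaves the CA host. The CRL distribution point is why the CRL itself does not have to be handed to every workstation: clients that check revocation fetch it from the URL in the certificate.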

  2. Is free cheap enough? by multipartmixed · Score: 5, Informative
    --

    Do daemons dream of electric sleep()?
  3. Seriously? Do your own job. by spydum · Score: 5, Interesting

    Judging by plenty of the comments in threads similar to this, I think most of us are tired of seeing Ask Slashdot posts on how to do his or her job. Had this been really cutting edge, or new ground, I could understand. However... Enterprise PKI? Seriously? If this is to be the continuing trend of Ask Slashdot, I need to adjust my filters... because that is just sad.

    I'm finding more and more IT folks are standing around waiting to be spoon-fed solutions, instead of trying to research and educate themselves on what is already out there. It worries me that this is not just the trend in IT, but across all occupations. Am I just getting old and crotchety, or is this a new trend?