CA For A Large Intranet

@Rivera981

Posted in: #Https #Intranet

I'm managing what has become a very large intranet (over 100 different hosts / services) and will be stepping down from my role in the near future. I want to make things easy for the next (victim) person who takes my place.

All hosts are secured via SSL. This includes various portals, wikis, data entry systems, HR systems and other sensitive things. We're using self-signed certificates, which worked OK in the past but are now problematic because:

- Browsers make it harder for users to understand exactly what is going on when a self-signed certificate is encountered, much less accept them.
- Putting up a new host means 100 phone calls asking what "Add an exception" means.

What we were doing was just importing the self-signed certs when we set up a new workstation. This was fine when we only had a dozen to deal with, but now it's just overwhelming.

Our I.T. department has classified this as "y'all's problem"; all we get from them is support for switch and router configurations. Beyond the user having connectivity, everything else is up to the intranet administrators.

We have a mix of Ubuntu and Windows workstations. We'd like to set up our own self-signed CA root, which can sign certificates for each host that we deploy on the intranet. Client browsers would of course be told to trust our CA.

My question is: would this be dangerous, and would we be better off going with intermediate certificates from someone like Verisign? Either way, I still have to import the root for the intermediate CA, so I really don't see what the difference is.

Other than charging us money, what would Verisign be doing that we could not, beyond protecting the root CA cert so it can't be used to make forgeries?

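A worked version of the private-CA setup the question describes, added here as an example; it is not code from the original post or from any of the answers. It uses only the openssl command line. The organisation name, the .internal host names and the working directory are assumptions. Beyond the question's own steps it also checks the forgery concern raised at the end: a host certificate issued by this root carries CA:FALSE, so a stolen host key cannot be used to sign further certificates that chain to the root.

```shell
#!/bin/sh
# Added example (not from the original post or its answers): a private intranet
# CA built with the openssl CLI. One self-signed root, one leaf certificate per
# host, and checks showing what the root's constraints actually enforce.
# ORG, the host names and WORK are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # in real use, keep ca/root.key on an offline machine
ROOT_DIR="$WORK/ca"
ORG="Example Intranet"
DAYS_ROOT=3650                 # ten years for the root
DAYS_HOST=398                  # short host certs; the public-CA ceiling is a sane default here too

# Root: a self-signed cert whose basicConstraints says CA:TRUE with pathlen:0,
# so only leaf certificates may chain to it, never a further intermediate.
make_root_ca() {
    mkdir -p "$ROOT_DIR"
    cat > "$ROOT_DIR/root.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = $ORG
CN = $ORG Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$ROOT_DIR/root.key" 4096 2>/dev/null
    openssl req -x509 -new -sha256 -days "$DAYS_ROOT" -config "$ROOT_DIR/root.cnf" \
        -key "$ROOT_DIR/root.key" -out "$ROOT_DIR/root.crt"
}

# Leaf: a CSR signed by the root key. The extension file pins CA:FALSE,
# serverAuth and a subjectAltName, which browsers require to match the URL.
issue_host_cert() {
    host="$1"
    dir="$WORK/hosts/$host"
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nO = %s\nCN = %s\n' \
        "$ORG" "$host" > "$dir/req.cnf"
    cat > "$dir/leaf.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/req.cnf" -key "$dir/$host.key" -out "$dir/$host.csr"
    openssl x509 -req -sha256 -days "$DAYS_HOST" -in "$dir/$host.csr" \
        -CA "$ROOT_DIR/root.crt" -CAkey "$ROOT_DIR/root.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Same check a browser does: chain to our root AND the name in the URL
# must appear in the SAN. Second argument lets you test a mismatched name.
verify_host_cert() {
    host="$1"
    name="${2:-$1}"
    openssl verify -CAfile "$ROOT_DIR/root.crt" -verify_hostname "$name" \
        "$WORK/hosts/$host/$host.crt" >/dev/null 2>&1
}

# The forgery question: openssl will produce a signature with any key, but a
# leaf marked CA:FALSE (and lacking keyCertSign, and beyond pathlen:0) is not
# accepted as an issuer, so the forged cert fails to verify against the root.
forged_cert_rejected() {
    host="$1"
    dir="$WORK/forged"
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = hr.example.internal\n' \
        > "$dir/req.cnf"
    openssl genrsa -out "$dir/forged.key" 2048 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -key "$dir/forged.key" -out "$dir/forged.csr"
    if openssl x509 -req -days 30 -in "$dir/forged.csr" \
        -CA "$WORK/hosts/$host/$host.crt" -CAkey "$WORK/hosts/$host/$host.key" \
        -CAcreateserial -out "$dir/forged.crt" >/dev/null 2>&1; then
        # signing "worked", so the only thing protecting us is path validation
        ! openssl verify -CAfile "$ROOT_DIR/root.crt" \
            -untrusted "$WORK/hosts/$host/$host.crt" "$dir/forged.crt" >/dev/null 2>&1
    fi
}

# Demo run: build the root, issue certs for three assumed intranet hosts, check them.
HOSTS="wiki.example.internal hr.example.internal portal.example.internal"
make_root_ca
for h in $HOSTS; do issue_host_cert "$h"; done
for h in $HOSTS; do verify_host_cert "$h"; echo "ok: $h chains to $ROOT_DIR/root.crt"; done
forged_cert_rejected wiki.example.internal
echo "ok: a host certificate cannot act as an issuer"
echo "distribute this to clients: $ROOT_DIR/root.crt"
```

Only root.crt is distributed; root.key never leaves the signing machine, which is the one thing a commercial CA does that this script cannot do for you. On Ubuntu, copy root.crt to /usr/local/share/ca-certificates/ (the .crt extension matters) and run update-ca-certificates; Firefox keeps its own NSS store, so it needs the root added through its enterprise policy (Certificates.Install in policies.json) or per profile. On a single Windows machine, certutil -addstore -f Root root.crt does the import; across a domain, the GPO path in the first answer below (Public Key Policies, Trusted Root Certification Authorities) pushes it to every workstation.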

2 Comments

@Reiling115

In addition to fwa's answer: if you're in a Windows/Active Directory environment, you can set up an internal CA that's automatically pushed into the root certificate store of all the machines on your domain. This functionality is actually built into Windows.

You just need to install the Certification Authority service on a machine and then update your GPO to reflect the new CA. How to do this should be asked on Server Fault; however, you're going to need the input of your IT guys to get this done.


@Hamaas447

In short: I see no reason why you should use a commercial cert. A self-signed one is, in this case, enough (IMHO). I just use Verisign (or cheaper GoDaddy) certs for e-commerce, because the customer can be sure that the identity of the owner was checked.

To set up your own CA (which in your case should contain a root cert and many "sub" certs), programs such as TinyCA can help you keep an overview.

For the Ubuntu desktops you can use the UCK to set up your own install CD with the cert included. For Windows I don't know the "best practice", but I think programs like OPSI (open source) can help (I've never tried it).

I hope I understood your question right and this answer helps. Otherwise, please don't slap me. :-)
