Geekzone: technology news, blogs, forums


gundar

#191668 11-Feb-2016 22:32

Hi

 

I went to install a piece of software today that specifically wants a trusted browser experience even though it's an internally used piece of software, connecting to an internal only system. I'm not very certificate savvy and this is a demonstration and an isolated test domain, but I gathered I'd have to create a CA service in my test domain and issue all the test servers certificates. This is obviously a bit of extra work, but achievable - my experience here is to stumble through a HOWTO document and get it done.

 

While looking for a HOWTO that encompasses both Ubuntu and Windows use cases, I came across more and more articles and blog posts that suggested the new way to have an internal CA is to pay for the service and have it hosted, even though the certificates are for internal use only. I suppose I misunderstand, or the way this is done has changed since I last had a task like this, so let me paint a picture and hopefully somebody can point me in the right direction...

 

I am working on an internal only project that will essentially renew an infrastructure, so I don't mind rebuilding lots of servers. There is a mixed batch of technologies: Windows, Linux and some hardware devices. There is also a front end that has some externally facing services, web, email, etc. All of this is typical, I think.

 

I want the internal services like intranets, web management of hardware and this piece of software to trust all other internal devices and platforms.

 

Are there advantages or glitches that you may have come across having an internal use CA hosted? Does this make sense? How does Active Directory deal with the CA being hosted externally? Security considerations?

 

I'm not shy of hard work or research, but I wanted to get some opinions on the direction I should be looking at before I hit these big manuals.

 

Your thoughts here are much appreciated.

Gund

jhsol
  #1491432 12-Feb-2016 22:10

Internal Cert Authorities are a pain in the [backside] to set up and maintain so you need to be sure that the application requires certs from all the machines accessing it.

 

The benefit of an internal cert authority is the ability to have all computers trust each other, but it only works for applications that can request certificates. I.e. generating a certificate for an intranet server isn't beneficial unless you are hosting it via HTTPS. And then the only benefit of hosting it on HTTPS for an internal network is to secure traffic flow between client and server. Not a high security risk for traffic within internal systems only.

 

CAs require some hefty setup and thought and it might just be slightly overkill for what you are wanting to do. If you want 1 server to be trusted amongst all PCs in the domain just get it to generate a self signed cert and put it in the trusted root via Group Policy. Then all PCs (within the domain) will trust that server.

If however you are still determined (to set it up in your test domain) then there are a few guides out there that will run you through the process. Essentially you create a Root Auth server (non-domain-joined) and get it to generate a self-signed cert as root. Create an Enterprise Cert Auth (domain-joined) and get it to be the intermediate root with a cert generated by the root auth. Add both these certs into your Group Policy (trusted root and intermediate root auth). Now you can create domain certs for nearly any user or device that is domain-joined and they will all be trusted within the domain. An internal cert will not work like one generated by a public cert auth (i.e. Thawte etc.) in the public space. NOTE! Once again this is only beneficial for applications that request a cert. If the app doesn't use a cert at all (i.e. intranet on HTTP vs HTTPS) then all of this work will be for naught.
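The chain of steps above (self-signed root, a second CA signed by it, server certificates signed by that second CA, both CA certificates pushed to clients) can be exercised end to end without any Windows or Ubuntu tooling. The following Go program is an added example written for this page; it is not code from the thread, from Active Directory Certificate Services or from any product named here, and the organisation name, host names and validity periods in it are assumptions. It builds the hierarchy in memory and then validates the server certificate the way a client would: `VerifyAsClient` models a domain PC whose Group Policy delivered the root (pass the root) or a machine that never received it (pass nil).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate describes a CA certificate. pathLen is how many further CAs may sit
// below it: 1 for the root (it signs the issuing CA), 0 for the issuing CA.
func caTemplate(cn string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // assumed lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue generates a fresh P-256 key for tmpl and has parent sign it.
// With parent == nil the certificate is self-signed: the root signing itself.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy performs the three issuance steps: self-signed root, issuing CA
// signed by the root, server certificate signed by the issuing CA (names are assumed).
func BuildHierarchy(org, serverName string) (root, issuing, server *x509.Certificate, err error) {
	root, rootKey, err := issue(caTemplate(org+" Root CA", 1, 1), nil, nil)
	if err != nil {
		return
	}
	issuing, subKey, err := issue(caTemplate(org+" Issuing CA", 2, 0), root, rootKey)
	if err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // clients match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server, _, err = issue(leafTmpl, issuing, subKey)
	return
}

// VerifyAsClient validates server as a client would that holds trustedRoot in its
// trusted-root store (what Group Policy pushes) and got the issuing CA with the chain.
func VerifyAsClient(server, issuing, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool() // empty on purpose: a nil pool would mean the OS store
	if trustedRoot != nil {
		roots.AddCert(trustedRoot)
	}
	inter := x509.NewCertPool()
	inter.AddCert(issuing)
	_, err := server.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, sub, srv, err := BuildHierarchy("Example Corp", "intranet.corp.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("domain PC:      ", VerifyAsClient(srv, sub, root, "intranet.corp.example"))
	fmt.Println("no root pushed: ", VerifyAsClient(srv, sub, nil, "intranet.corp.example"))
	fmt.Println("wrong host name:", VerifyAsClient(srv, sub, root, "mail.corp.example"))
}
```

Run it with `go run` and the three lines print a nil error, an unknown-authority error and a host-name mismatch error in that order. Two details are easy to get wrong when scripting this for real: the client needs the issuing CA certificate as well as the root (here it is supplied in the intermediates pool, as a web server would send it in its chain), and the validation pool starts empty on purpose, since a nil root pool in Go means the operating system's store and would hide a missing root. A certificate chained to a different root, such as a partner's internal CA, fails the same way as the nil case, which is the practical meaning of the remark above that internal certificates do not work like public ones outside the domain.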


gundar

  #1491446 12-Feb-2016 23:02

Thanks for the thoughts. This is to test a potentially large deployment and there will be multiple points of administration. I guess in the long run I want administrators not to be faced with trusted browser errors, but also tools and utilities like HP's Insight Manager should not have trouble connecting to other pieces of hardware or supporting services. There is not a lot of in-depth detail that I can find, but I suspect that I am asking the question the wrong way as I have little experience and knowledge in this area, and I am in a country where everybody does not speak English, so I have my new broken language, plus the Internet, as support...

 

The service I want to potentially deploy is Ubuntu's Landscape (or similar) and HP's Insight Manager. Each of these requires SSL between themselves and the devices they manage; without good SSL there are problems and manual intervention is required. This site also has an Active Directory deployment. I am trying to find one solution that fits all, and it seems that I can get an externally provisioned certificate that can be deployed internally. I would, it seems, buy this certificate as a wildcard in the name of the internally used domain and deploy it to devices and services internally, but allow external lookups. There are a number of online services that offer this type of service for this particular application; has anybody done this before? I know the model used to be to use internal CA services.

 

TL;DR Have you used an external provider for internally used certs before?


gzt

  #1491454 12-Feb-2016 23:34

Ok, I will put toes in the fire ; ).

A CA for test purposes in a test domain is simple enough. Install certificate services, request certificate, issue certificate.

Outside a test domain environment it is also simple, but there are so many things to discuss that it is a long list.

I will guess the move toward hosted CA is mostly a result of the phase-out of externally verified internal-name certificates.

I assume the certificate is used for server identification and the main purpose is transport encryption?

TL;DR Have you used an external provider for internally used certs before?

Disclaimer, no. My experience is limited to using externally issued certificates and installing and using internal test domain test CA etc.



geocom
  #1491455 12-Feb-2016 23:38

The question would be what cert store the applications use. On Windows they should use certutil, but it is anyone's guess what uses what. On Linux it is a bit more complex as there are a few different cert stores; https://curl.haxx.se/docs/ssl-compared.html lists a few. NSS is rather common and is used by Chrome. https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md tells you how to install them into the store. But Firefox, for example, keeps its own separate store.

 

You can script both NSS and certutil without too much issue to install your CA. And on Windows you can even create an install wizard to do this rather easily.

 

As for the external CA idea: yes, it would take out most of the issues with having to install CAs; however some servers are rather strict and only allow certs from some vendors. You will need a fully qualified domain name, so if you want to do anything via IP address then you will be out of luck, and even if you could there may still be issues: for example Safari will just fail unless you have IP:// at the start of the address, so you have to serve 2 different certs. You also need to remember that if you use one cert on multiple servers and one is hacked, you will need to update every server with a new cert again.







gzt

  #1491458 12-Feb-2016 23:47

Ok, thought I was responding to the first post. I missed that entirely. Random follow-up: are client certificates required for that set-up? I.e., do clients need to individually request and be issued a cert from the CA to use in uniquely identifying themselves to the server?

timmmay
  #1491473 13-Feb-2016 07:30

Could you use Let's Encrypt, the new free CA? I'm using it for my public websites. The domains are made public, and to issue the certificate they need to be on the internet while the certificate is being issued (every 3 months). Probably not a viable solution but worth mentioning.


toyonut
  #1491478 13-Feb-2016 08:24

If it is likely to be a used business site, I would spend a little on a public cert. Going through all the setup for a CA for one application is killing a fly with a shotgun. A self-signed cert distributed to all test PCs is fine if it is a test network, but if it goes live in that state it will rapidly become a pain in the buttocks to manage (I have encountered more than a couple of business apps that do this, however...). I would fork out for a public cert and put it on. You can get cheap ones which will work fine.

 

I haven't used Let's Encrypt, but I have tried other free certs and they are painful to set up and maintain. Let's Encrypt may be better. We use Digicert at work and have never had an issue with the support or the certs. There was a thread on here a while ago with different SSL providers too.

 

https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx for example: US$9 per year for a single site. If the app needs multiple subdomains, a wildcard is only US$94 per year, or listed names US$30. Not recommending them as I haven't used them personally, just using them for a price comparison.









timmmay
  #1491491 13-Feb-2016 09:15

I have a tutorial on setting up Let's Encrypt, it's pretty easy. I prefer not to link directly but if you PM I can send it to you.


jnimmo
  #1491493 13-Feb-2016 09:21

Key advantage of internal CA is it is free, and you can create as many certs as you need, with nice long expiries (5 or more years).

 

Managing browser trust issues with Chrome/IE isn't too bad, as domain PCs can be configured to trust the CA. Firefox is a different story, but it is simple enough for them to install the root cert once in Firefox if they use it.

 

Yes you could share a publicly signed wildcard cert, the downside is there is only one private key so if you lose control of the key and can no longer trust the certificate you will have to replace this cert everywhere. There are exceptions to this, I know Digicert allows you to generate unlimited key pairs which would mitigate that risk.

 

Active directory itself doesn't require a CA so it doesn't mind.

 

I'm not sure if it is possible to buy certs for non publicly resolvable domain names now, i.e. geekzone.co.nz OK but not geekzone.local so that will impact too.

 

 

 

 


gundar

  #1491865 14-Feb-2016 00:08

Okay, I've done some more reading and realise I asked a very vague question, to start.

 

We have a globally unique AD and internal DNS name. We are using private IPv4 address space (IPv6 is native here, so that will be deployed soon). I realise I can create my own internal CA and I realise this is not easy if done correctly, so I suppose I should have asked - has anybody used a public CA for internal use before? There are advantages to this and the cost is really low, in my opinion, but $500 is still not to be baulked at.

 

We do have external business partners, an extensive VPN and the providers of 'Intranet CA' services have large insurance and assurance guarantees...

 

TL;DR Have you used a public CA for internal use only certificates before in a mixed Linux/Windows environment?


timmmay
  #1491892 14-Feb-2016 07:34

I've never done a certificate request for an internal only server, but it should be pretty straightforward shouldn't it? Generate the request, get the certificate, install the certificate. Not sure why it'd cost $500.


gzt

  #1491977 14-Feb-2016 11:17

Public CAs now refuse to issue certificates with internal names:

http://www.symantec.com/connect/blogs/important-changes-ssl-certificates-intranets-what-you-need-know

I.e., internal names are not unique and are therefore easily impersonated, which breaks server identification.

If you have a public domain name then a wildcard certificate is one way to achieve this, because subdomains are automatically covered. However, wildcard certificates give you the opposite problem, because now all machines on that domain could potentially provide a service and no-one is the wiser. TL;DR: for an external certificate a FQDN is required, and good practice.
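Both of the objections raised in the last few posts, geocom's point that a public certificate is no use when administrators connect by IP address, and gzt's that a wildcard covers every host in the domain and nothing else, come down to the host-name matching rules a TLS client applies. The program below is an added example for this page, not code from the thread; it builds three certificate name sets as plain structs (no keys, signatures or CA are needed for name matching) and runs Go's standard-library matcher over them. The domain `corp.example.com`, the host names and the address 10.20.30.40 are made up.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
)

// WildcardCert models a public wildcard bought for the company's registered
// domain and copied onto every internal server (names assumed for the example).
func WildcardCert() *x509.Certificate {
	return &x509.Certificate{
		Subject:  pkix.Name{CommonName: "*.corp.example.com"},
		DNSNames: []string{"*.corp.example.com"},
	}
}

// ApplianceCert models what an internal CA can issue for one management
// controller: the FQDN, the short name admins type, and the IP address as a SAN.
// A public CA will not issue the last two (non-unique short name, private IP).
func ApplianceCert() *x509.Certificate {
	return &x509.Certificate{
		Subject:     pkix.Name{CommonName: "ilo-01.corp.example.com"},
		DNSNames:    []string{"ilo-01.corp.example.com", "ilo-01"},
		IPAddresses: []net.IP{net.ParseIP("10.20.30.40")},
	}
}

// LegacyCNOnlyCert carries the name only in the Subject CN with no SAN
// extension, as older appliance firmware still ships.
func LegacyCNOnlyCert() *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: "intranet.corp.example.com"},
	}
}

// Matches reports whether cert is acceptable for the host name or IP a client
// typed into its browser or management tool. VerifyHostname applies the
// RFC 6125 rules: a wildcard covers exactly one label, an IP must appear as an
// IP SAN, and the Subject CN is ignored entirely.
func Matches(cert *x509.Certificate, target string) bool {
	return cert.VerifyHostname(target) == nil
}

func main() {
	targets := []string{"insight.corp.example.com", "corp.example.com",
		"a.b.corp.example.com", "10.20.30.40", "ilo-01", "intranet.corp.example.com"}
	certs := map[string]*x509.Certificate{
		"wildcard": WildcardCert(), "appliance": ApplianceCert(), "cn-only": LegacyCNOnlyCert(),
	}
	for name, c := range certs {
		for _, t := range targets {
			fmt.Printf("%-9s %-28s %v\n", name, t, Matches(c, t))
		}
	}
}
```

The matcher behaves the way current browsers do: `*.corp.example.com` covers `insight.corp.example.com` but neither the bare `corp.example.com` nor `a.b.corp.example.com`; an address typed into the browser is only accepted if it appears as an IP-address SAN, which a public CA will not issue for private address space; and the CN is ignored, so an appliance whose self-signed certificate has no SAN extension fails even when the CN is right. The appliance certificate, with its short name and private IP, is exactly what an internal CA can issue and a public one cannot, which is the trade-off the thread is circling.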

TwoSeven
  #1491982 14-Feb-2016 11:43

On my developer machine I run Hyper-V which allows me to create virtual networks and virtual machines - doing this I can model aspects of enterprise infrastructure such as domain controllers, mail server, certificate servers, web servers and appropriate client setups. Using isolated virtual networks I can then version that infrastructure to try different things out. It is all done in isolation so I don't have any impact on the domain or network that my developer machine is connected to.

 

In my [windows] development domain I have certificate services installed. This allows me to create root certificates that have a complete chain and are trusted - the only thing is that they are not usable outside of my development environment.

 

 

 

 







Pehesis
  #1491985 14-Feb-2016 11:50

gundar:

Okay, I've done some more reading and realise I asked a very vague question, to start.

We have a globally unique AD and internal DNS name. We are using private IPv4 address space (IPv6 is native here, so that will be deployed soon). I realise I can create my own internal CA and I realise this is not easy if done correctly, so I suppose I should have asked - has anybody used a public CA for internal use before? There are advantages to this and the cost is really low, in my opinion, but $500 is still not to be baulked at.

We do have external business partners, an extensive VPN and the providers of 'Intranet CA' services have large insurance and assurance guarantees...

TL;DR Have you used a public CA for internal use only certificates before in a mixed Linux/Windows environment?

I currently use a public CA for internal use only certificates in a mixed environment with no probs. I use startssl.com on their free service for class 1 certs; however, for 60 bucks a year you can have unlimited domains and class 2 certs.

