I went to install a piece of software today that specifically wants a trusted browser experience even though it's an internally used piece of software, connecting to an internal-only system. I'm not very certificate savvy and this is a demonstration and an isolated test domain, but I gathered I'd have to create a CA service in my test domain and issue all the test servers' certificates. This is obviously a bit of extra work, but achievable - my experience here is to stumble through a HOWTO document and get it done.
While looking for a HOWTO that encompasses both Ubuntu and Windows use cases, I came across more and more articles and blog posts that suggested the new way to have an internal CA is to pay for the service and have it hosted, even though the certificates are for internal use only. I suppose I misunderstand, or the way this is done has changed since I last had a task like this, so let me paint a picture and hopefully somebody can point me in the right direction...
I am working on an internal-only project that will essentially renew an infrastructure, so I don't mind rebuilding lots of servers. There is a mixed batch of technologies: Windows, Linux and some hardware devices. There is also a front end that has some externally facing services: web, email, etc. All of this is typical, I think.
I want the internal services like intranets, web management of hardware and this piece of software to trust all other internal devices and platforms.
Are there advantages or glitches that you may have come across having an internal use CA hosted? Does this make sense? How does Active Directory deal with the CA being hosted externally? Security considerations?
I'm not shy of hard work or research, but I wanted to get some opinions on the direction I should be looking at before I hit these big manuals.
Your thoughts here are much appreciated.
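To make concrete what "create a CA in my test domain and issue the servers certificates" amounts to, here is an added example (not code from the post or from any product it mentions) that builds a private root CA, issues a server certificate from it, and then performs the same check a browser does: chain the server certificate to a root in the trust store and match the host name. It uses only Go's standard library; the CA name, the host name `intranet.example.test` and the validity periods are constructed for illustration. The two failing cases at the end show why hosting the CA elsewhere does not change the core task: whichever root signs the certificates still has to be present in every client's trust store, and a certificate for one host is not accepted for another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LabCA holds a private root certificate and its signing key.
// Hypothetical type for this example only.
type LabCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewRootCA creates a self-signed root CA for an internal test domain.
// The root is marked as a CA and limited to signing certificates and CRLs.
func NewRootCA(commonName string) (*LabCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // constructed lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &LabCA{Cert: cert, Key: key}, nil
}

// IssueServerCert signs a leaf (end-entity) certificate for one internal host.
// The host name goes into the SAN extension, which is what browsers check.
func (ca *LabCA) IssueServerCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random 128-bit serial so two issued certificates never collide.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(398 * 24 * time.Hour), // constructed lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainstRoot does what a browser or OS client does: build a chain from
// the leaf to a root in the trust store and check that the host name matches.
// A nil result means the client would trust the server.
func VerifyAgainstRoot(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewRootCA("Lab Root CA") // constructed name
	if err != nil {
		panic(err)
	}
	leaf, err := ca.IssueServerCert("intranet.example.test") // constructed host
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted root, right host:", VerifyAgainstRoot(leaf, ca.Cert, "intranet.example.test"))
	fmt.Println("trusted root, wrong host:", VerifyAgainstRoot(leaf, ca.Cert, "mail.example.test"))
	other, _ := NewRootCA("Unrelated Root CA")
	fmt.Println("root not in trust store:", VerifyAgainstRoot(leaf, other.Cert, "intranet.example.test"))
}
```

The third check is the one that matters for the hosted-versus-internal question: a certificate chains only to the root that signed it, so whether that root lives on a domain controller or at a provider, the root certificate must be distributed to every Windows, Linux and hardware client (via Group Policy, the OS trust store, or the device's own UI) before the "trusted browser experience" appears. For internal-only host names, a private root you control is the normal answer; a hosted service mainly buys you operational convenience and a managed revocation and renewal process, not a root the clients already trust.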