Geekzone: technology news, blogs, forums

Topic # 191668 11-Feb-2016 22:32

Hi

I went to install a piece of software today that specifically wants a trusted browser experience even though it's an internally used piece of software, connecting to an internal only system. I'm not very certificate savvy and this is a demonstration and an isolated test domain, but I gathered I'd have to create a CA service in my test domain and issue all the test servers certificates. This is obviously a bit of extra work, but achievable - my experience here is to stumble through a HOWTO document and get it done.

While looking for a HOWTO that encompasses both Ubuntu and Windows use cases, I came across more and more articles and blog posts that suggested the new way to have an internal CA is to pay for the service and have it hosted even though the certificates are for internal use only. I suppose I misunderstand or the way this is done has now changed since I last had a task like this, so let me paint a picture and hopefully somebody can point me in the right direction...

I am working on an internal only project that will essentially renew an infrastructure, so I don't mind rebuilding lots of servers. There is a mixed batch of technologies: Windows, Linux and some hardware devices. There is also a front end that has some externally facing services, web, email, etc. All of this typical I think.

I want the internal services like intranets, web management of hardware and this piece of software to trust all other internal devices and platforms.

Are there advantages or glitches that you may have come across having an internal use CA hosted? Does this make sense? How does Active Directory deal with the CA being hosted externally? Security considerations?

I'm not shy of hard work or research, but I wanted to get some opinions on the direction I should be looking at before I hit these big manuals.

Your thoughts here are much appreciated.

Gund
Reply # 1491432 12-Feb-2016 22:10

Internal Cert Authorities are a pain in the [backside] to set up and maintain so you need to be sure that the application requires certs from all the machines accessing it.

The benefit of an internal cert authority is the ability to have all computers trust each other, but it only works for applications that can request certificates. I.e. generating a certificate for an intranet server isn't beneficial unless you are hosting it via HTTPS. And then the only benefit of hosting it on HTTPS for an internal network is to secure traffic flow between client and server. Not a high security risk for traffic within internal systems only.

CAs require some hefty setup and thought and it might just be slightly overkill for what you are wanting to do. If you want 1 server to be trusted amongst all PCs in the domain just get it to generate a self signed cert and put it in the trusted root via Group Policy. Then all PCs (within the domain) will trust that server.

If however you are still determined (to set it up in your test domain) then there are a few guides out there that will run you through the process. Essentially you create a Root Auth server (non domain joined), get it to generate a self signed cert as root. Create an Enterprise Cert Auth (domain joined), get it to be intermediate root with the cert generated by the root auth. Add both these certs into your Group Policy (trusted root and intermediate root auth). Now you can create domain certs for nearly any user or device that is domain joined and they will all be trusted within the domain. An internal cert will not work like one generated by a public cert auth (i.e. Thawte etc) in the public space. NOTE! once again this is only beneficial for applications that request a cert. If the app doesn't use a cert at all (i.e. intranet on HTTP vs HTTPS) then all of this work will be for naught.
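The two-tier chain described in the reply above (offline root, domain-joined issuing CA, server cert), as an added example built with openssl in a throwaway directory; this is not code from the thread or from any vendor, and the CA names, the host intranet.corp.example and ./test-pki are assumptions. The last two checks show why both CA certs, not only the root, have to be pushed out to clients.

```shell
#!/bin/sh
# Added example, not from the thread: the two-tier chain described above (offline
# root CA -> domain-joined issuing CA -> server cert) built with openssl.
# The names (Corp Test ..., intranet.corp.example) and ./test-pki are assumptions.
set -e
PKI=${PKI:-./test-pki}

# Sign a CSR with a CA key, applying the extensions listed in an openssl extfile.
issue() {  # issue <csr> <ca_cert> <ca_key> <extfile> <out_cert> <days>
  openssl x509 -req -sha256 -days "$6" -in "$1" -CA "$2" -CAkey "$3" \
    -CAcreateserial -extfile "$4" -out "$5" 2>/dev/null
}

build_two_tier_pki() {
  rm -rf "$PKI"; mkdir -p "$PKI"
  ( cd "$PKI"
    # 1. Root CA: self-signed, kept off the domain; its cert goes to Trusted Roots.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Corp Test Root CA" \
      -keyout root.key -out root.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root.key \
      -extfile ca.ext -out root.crt 2>/dev/null
    # 2. Issuing (intermediate) CA: signed by the root; pathlen:0 means it can only
    #    issue end-entity certs. Its cert goes to Intermediate CAs.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Corp Test Issuing CA" \
      -keyout int.key -out int.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    issue int.csr root.crt root.key int.ext int.crt 1825
    # 3. Server cert for an intranet host, signed by the issuing CA. Browsers match
    #    the hostname against subjectAltName, not the CN, so set it explicitly.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=intranet.corp.example" \
      -keyout srv.key -out srv.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:intranet.corp.example\n' > srv.ext
    issue srv.csr int.crt int.key srv.ext srv.crt 365 )
}

# Why both CA certs must be distributed (e.g. via Group Policy): the leaf only
# verifies when the root is trusted AND the intermediate is available to build the chain.
verify_with_chain() {
  openssl verify -CAfile "$PKI/root.crt" -untrusted "$PKI/int.crt" "$PKI/srv.crt" \
    >/dev/null 2>&1 && echo ok || echo fail
}
verify_root_only() {
  openssl verify -CAfile "$PKI/root.crt" "$PKI/srv.crt" >/dev/null 2>&1 && echo ok || echo fail
}

build_two_tier_pki
echo "root + intermediate: $(verify_with_chain)"   # ok
echo "root only:           $(verify_root_only)"    # fail
```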




Reply # 1491446 12-Feb-2016 23:02

Thanks for the thoughts, this is to test a potentially large deployment and there will be multiple points of administration. I guess in the long run, I want administrators not to be faced with trusted browser errors, but also tools and utilities like HP's Insight Manager should not have trouble connecting to other pieces of hardware or supporting services. There is not a lot of in depth detail that I can find, but I suspect that I am asking the question the wrong way as I have little experience and knowledge in this area and I am in a country where everybody does not speak English, so I have my new broken language, plus the Internet as support...

The service I want to potentially deploy is Ubuntu's Landscape (or similar) and HP's Insight Manager. Each of these requires SSL between themselves and the devices they manage; without good SSL, there are problems and manual intervention is required. This site also has an Active Directory deployment. I am trying to find one solution that fits all and it seems that I can get an externally provisioned certificate that can be deployed internally. I would, it seems, buy this certificate as a wildcard in the name of the internally used domain and deploy it to devices and services internally, but allow external lookups. There are a number of online services that offer this type of service for this particular application, has anybody done this before? I know the model used to be to use internal CA services.

TL;DR Have you used an external provider for internally used certs before?

gzt

Reply # 1491454 12-Feb-2016 23:34

Ok, I will put toes in the fire ; ).

CA for test purposes in test domain is simple enough. Install certificate services, request certificate, issue certificate.

Outside a test domain environment also simple but so many things to discuss it is a long list.

I will guess the move toward hosted CA is mostly a result of phase out of externally verified internal name certificates.

I assume the certificate is used for server identification and the main purpose is transport encryption?

TL;DR Have you used an external provider for internally used certs before?

Disclaimer, no. My experience is limited to using externally issued certificates and installing and using internal test domain test CA etc.

Reply # 1491455 12-Feb-2016 23:38

The question would be what cert store the applications use. On Windows they should use certutil but it is anyone's guess what uses what. On Linux it is a bit more complex as there are a few different cert stores; https://curl.haxx.se/docs/ssl-compared.html lists a few. NSS is rather common and is used by Chrome. https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md tells you how to install them into the store. But Firefox, for example, keeps its own separate store.

You can script both NSS and certutil without too much issue to install your CA. And on Windows you can even create an install wizard to do this rather easily.

As for the external CA idea, yes it would take out most of the issues with having to install CAs; however some servers are rather strict and only allow from some vendors. You will need a fully qualified domain name, so if you want to do anything via IP address then you will be out of luck, and even if you could there may still be issues; for example Safari will just fail unless you have IP:// at the start of the address, so you have to serve 2 different certs. You also need to remember that if you use one cert on multiple servers, if one is hacked you will need to update every server with a new cert again.

Geoff E

gzt

Reply # 1491458 12-Feb-2016 23:47

Ok, thought I was responding to the first post. I missed that entirely. Random follow up. Are client certificates required for that set up? Ie; do clients need to individually request and be issued a cert from the CA to use in uniquely identifying themselves to the server?

Reply # 1491473 13-Feb-2016 07:30

Could you use Let's Encrypt, the new free CA? I'm using it for my public websites. The domains are made public, and to issue the certificate they need to be on the internet while the certificate is being issued (every 3 months). Probably not a viable solution but worth mentioning.

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

Reply # 1491478 13-Feb-2016 08:24

If it is likely to be a used business site, I would spend a little on a public cert. Going through all the setup for a CA for one application is killing a fly with a shotgun. A self signed cert distributed to all test PCs is fine if it is a test network, but if it goes live in that state it will rapidly become a pain in the buttocks to manage (I have encountered more than a couple of business apps that do this however...ugh). I would fork out for a public cert and put it on. You can get cheap ones which will work fine.

I haven't used Let's Encrypt, but I have tried other free certs and they are painful to set up and maintain. Let's Encrypt may be better. We use Digicert at work and have never had an issue with the support or the certs. There was a thread on here a while ago with different SSL providers too.

https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx for example, US$9 per year for a single site. If the app needs multiple subdomains a wildcard is only US$94 per year or listed names is US$30. Not recommending them as I haven't used them personally, just using them for a price comparison.





Reply # 1491491 13-Feb-2016 09:15

I have a tutorial on setting up Let's Encrypt, it's pretty easy. I prefer not to link directly but if you PM I can send it to you.





What does this tag do

Reply # 1491493 13-Feb-2016 09:21

Key advantage of an internal CA is it is free, and you can create as many certs as you need, with nice long expiries (5 or more years).

Managing browser trust issues with Chrome/IE isn't too bad as domain PCs can be configured to trust the CA. Firefox is a different story, but simple enough for them to install the root cert once on Firefox if using.

Yes you could share a publicly signed wildcard cert; the downside is there is only one private key, so if you lose control of the key and can no longer trust the certificate you will have to replace this cert everywhere. There are exceptions to this, I know Digicert allows you to generate unlimited key pairs which would mitigate that risk.

Active Directory itself doesn't require a CA so it doesn't mind.

I'm not sure if it is possible to buy certs for non publicly resolvable domain names now, i.e. geekzone.co.nz OK but not geekzone.local, so that will impact too.

Reply # 1491865 14-Feb-2016 00:08

Okay, I've done some more reading and realise I asked a very vague question, to start.

We have a globally unique AD and internal DNS name. We are using private IPv4 address space (IPv6 is native here, so that will be deployed soon). I realise I can create my own internal CA and I realise this is not easy if done correctly, so I suppose I should have asked - has anybody used a public CA for internal use before? There are advantages to this and the cost is really low, in my opinion, but $500 is still not to be baulked at.

We do have external business partners, an extensive VPN and the providers of 'Intranet CA' services have large insurance and assurance guarantees...

TL;DR Have you used a public CA for internal use only certificates before in a mixed Linux/Windows environment?


Reply # 1491892 14-Feb-2016 07:34

I've never done a certificate request for an internal only server, but it should be pretty straightforward shouldn't it? Generate the request, get the certificate, install the certificate. Not sure why it'd cost $500.





gzt

Reply # 1491977 14-Feb-2016 11:17

Public CAs now refuse to issue certificates with internal names:

http://www.symantec.com/connect/blogs/important-changes-ssl-certificates-intranets-what-you-need-know

Ie; internal names are not unique and therefore easily impersonated. Ie; breaks server identification.

If you have a public domain name then a wildcard certificate is one way to achieve it, because sub domains are automatically covered. However, wildcard certificates give you the opposite problem because now all machines on that domain could potentially provide a service and no-one is the wiser. TL;DR for external certificate use, an FQDN is required and good practice.

Reply # 1491982 14-Feb-2016 11:43

On my developer machine I run Hyper-V which allows me to create virtual networks and virtual machines - doing this I can model aspects of enterprise infrastructure such as domain controllers, mail server, certificate servers, web servers and appropriate client setups. Using isolated virtual networks I can then version that infrastructure to try different things out. It is all done in isolation so I don't have any impact on the domain or network that my developer machine is connected to.

In my [Windows] development domain I have certificate services installed. This allows me to create root certificates that have a complete chain and are trusted - the only thing is that they are not usable outside of my development environment.

Software Engineer

Reply # 1491985 14-Feb-2016 11:50

gundar:

Okay, I've done some more reading and realise I asked a very vague question, to start.

We have a globally unique AD and internal DNS name. We are using private IPv4 address space (IPv6 is native here, so that will be deployed soon). I realise I can create my own internal CA and I realise this is not easy if done correctly, so I suppose I should have asked - has anybody used a public CA for internal use before? There are advantages to this and the cost is really low, in my opinion, but $500 is still not to be baulked at.

We do have external business partners, an extensive VPN and the providers of 'Intranet CA' services have large insurance and assurance guarantees...

TL;DR Have you used a public CA for internal use only certificates before in a mixed Linux/Windows environment?

I currently use a public CA for internal use only certificates in a mixed environment with no probs. I use startssl.com on their free service for class 1 certs; however for 60 bucks a year you can have unlimited domains and class 2 certs.

