SSL Certificates For Intranet Sites?
wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."
Private Certificate Authority (Score:5, Informative)
Why not set up a private certificate authority? Then you can manufacture as many SSL certificates as you need for private use and all you need to do is distribute the certificate authority's certificate to each browser once for the entire enterprise. Every browser out there has a way to add additional trusted certificate authorities. Indeed, if you have a "centrally controlled" provisioning system, you can even add the certificate to your default system build. Then the scary warnings go away completely.
Wildcard cert (Score:1, Informative)
*.internal.example.com
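The private CA suggested above, with the wildcard name from this post and the CRL the original question asked about, as an added example (this is not any poster's script): an openssl-only setup that builds a root, issues one certificate covering *.internal.example.com plus an explicit management name, checks that host-name matching behaves the way a browser would, then revokes the certificate and publishes a CRL. The organisation name, DNS names, file names and lifetimes are assumptions. Two caveats worth keeping in mind: every machine that trusts ca.pem will accept anything that key signs, so the root key belongs offline, and a single wildcard certificate installed on many appliances means the same private key sits on every one of them, so the compromise of one box leaks the key for all.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: a minimal private CA with openssl.
# It builds a root, issues a wildcard certificate for appliance web interfaces,
# checks host-name matching, then revokes the certificate and publishes a CRL.
# All names, paths and lifetimes are assumptions. Needs OpenSSL 1.1.1 or later.
set -eu

build_private_ca() {                 # $1 = directory that will hold the CA state
    local dir; mkdir -p "$1"; dir=$(cd "$1" && pwd)
    touch "$dir/index.txt"; echo 1000 > "$dir/serial"; echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = internal
[ internal ]
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 398
default_crl_days = 30
policy = any_dn
copy_extensions = copy
[ any_dn ]
commonName = supplied
organizationName = optional
EOF
    # Root key and self-signed root certificate. Keep this key offline: every
    # machine that trusts ca.pem accepts anything signed with it.
    openssl req -x509 -config "$dir/ca.cnf" -extensions root -newkey rsa:2048 \
        -nodes -sha256 -days 3650 -subj "/O=Example Corp/CN=Example Internal Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Publish an (empty) CRL from day one so clients can do revocation checks.
    openssl ca -batch -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" 2>/dev/null
}

issue_server_cert() {  # $1 = CA dir, $2 = file base name, $3 = CN, $4.. = SAN entries
    local dir=$1 name=$2 cn=$3; shift 3
    local san; san=$(IFS=,; echo "$*")
    # Browsers match the SAN list, not the CN, so every name goes into the SANs.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -addext "subjectAltName=$san" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl ca -batch -config "$dir/ca.cnf" -extensions leaf -notext \
        -in "$dir/$name.csr" -out "$dir/$name.pem" 2>/dev/null
}

verify_hostname() {  # 0 if $2 chains to ca.pem in $1 and its SANs cover host $3
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" "$1/$2" >/dev/null 2>&1
}

revoke_and_publish_crl() {  # mark $2 revoked in the CA database and regenerate ca.crl
    openssl ca -batch -config "$1/ca.cnf" -revoke "$1/$2" 2>/dev/null
    openssl ca -batch -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

verify_with_crl() {  # 0 only if $2 chains to ca.pem and is not listed in ca.crl
    openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/ca.crl" -crl_check "$1/$2" >/dev/null 2>&1
}

# Demo run with assumed names (constructed, not taken from the thread).
work=$(mktemp -d)
build_private_ca "$work"
issue_server_cert "$work" appliances "*.internal.example.com" \
    "DNS:*.internal.example.com" "DNS:mgmt.internal.example.com"
verify_hostname "$work" appliances.pem switch01.internal.example.com && echo "wildcard match: ok"
verify_hostname "$work" appliances.pem a.b.internal.example.com || echo "a.b.internal.example.com: rejected (wildcard covers one label only)"
revoke_and_publish_crl "$work" appliances.pem
verify_with_crl "$work" appliances.pem || echo "after revocation: rejected by CRL check"
```

Two things the run makes visible: a wildcard only covers a single DNS label, so a.b.internal.example.com is rejected even though the certificate is otherwise valid, and revocation is only effective for clients that actually fetch and check the CRL, which is why the original question's "distribute the CRL as well" point matters as much as distributing the root.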
Inexpensive 3rd Party Solution (Score:4, Informative)
https://www.startssl.com/ [startssl.com]
An Israeli company with inexpensive SSL (and other certs). I would also point out the prices they have for Extended Validation SSL certs.
Is free cheap enough? (Score:5, Informative)
http://startssl.com/ [startssl.com]
Internal CA (Score:1, Informative)
If the machines are Windows-based and reside on a domain, then Group Policies can push out these certs rather nicely.
Even for non-Windows machines, you can script the certificate update via a logon script. I do this in my own domain that I have set up for issue-reproduction purposes.
It is rather simple.
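For the non-Windows logon-script case mentioned above, here is an added example of what that script step can look like (it is not the poster's own script): it installs the internal root into a Debian/Ubuntu-style trust store, but only after checking the certificate's SHA-256 fingerprint against a value pinned in the script, and it does nothing when the same certificate is already installed. The pin matters because a logon script that blindly installs whatever file it finds on a share turns a writable share into a root-CA injection point. The destination path, the function names and update-ca-certificates as the rebuild tool are assumptions; other distributions keep their trust store elsewhere.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: idempotent logon-script step that installs
# an internal root CA certificate only when its fingerprint matches a pinned value.
# Paths, names and the trust-store layout (Debian/Ubuntu style) are assumptions.
set -eu

cert_sha256() {  # SHA-256 of the DER encoding, so PEM line endings do not matter
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# install_internal_ca SRC_PEM EXPECTED_SHA256 [DEST]
# prints "installed" or "unchanged" and returns 0; returns 2 on a fingerprint mismatch
install_internal_ca() {
    local src=$1 expected=$2
    local dest=${3:-/usr/local/share/ca-certificates/internal-root.crt}
    local actual; actual=$(cert_sha256 "$src")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to trust $src: fingerprint $actual does not match pinned $expected" >&2
        return 2
    fi
    if [ -f "$dest" ] && [ "$(cert_sha256 "$dest")" = "$expected" ]; then
        echo unchanged
        return 0
    fi
    mkdir -p "$(dirname "$dest")"
    install -m 0644 "$src" "$dest"
    # update-ca-certificates rebuilds /etc/ssl/certs; it needs root, so skip it otherwise.
    if [ "$(id -u)" -eq 0 ] && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates >/dev/null
    fi
    echo installed
}

# Typical logon-script call: the fingerprint below is a placeholder, not a real value.
# install_internal_ca /mnt/share/internal-root.pem \
#     0000000000000000000000000000000000000000000000000000000000000000
```

Run it as root from the logon hook with the real fingerprint pasted in from the CA machine (openssl x509 -in ca.pem -outform DER | openssl dgst -sha256 gives the same value as cert_sha256 here); on Windows the equivalent step is the Group Policy push other posters describe.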
Re:Private Certificate Authority (Score:0, Informative)
Sadly, though, this is the only way to secure at a low cost. A PKI is not a small feat either, but it is something that you should be using. Not only for web traffic either; a PKI is useful for a lot of things (VPN, RDP, EFS). Plus you can publish through AD DS, and this becomes very simple to update and maintain.
Re:Private Certificate Authority (Score:5, Informative)
TinyCA2 [sm-zone.net] is rather easy to use.
Re:Private Certificate Authority (Score:3, Informative)
Indeed. An "enterprise PKI," as Microsoft likes to call it, handily solves this issue. Just add the root CA and intermediate CA certificates to the computers via Group Policy -- just as you would if you needed to trust a novel CA (such as, for instance, the DoD CAs). As an added bonus, if you activate auto-enrollment on Windows, your users get access to encrypted and signed e-mail, and you can trivially kick PPTP VPNs to the curb and use IKEv2 or L2TP instead. With a little more work, you can even get IPSec working. From a browser perspective, most if not all Windows browsers rely on the platform's cryptography infrastructure, so there's no need to install the certificates in each browser.
Unfortunately, while the Microsoft CA is relatively easy to use, using it for anything non-trivial requires the Enterprise or Datacenter edition of Windows Server. This is because you can't modify the certificate templates on lesser editions, and you need those to set up specialized certificates for, say, Configuration Manager.
If you're manually distributing certificates in any Windows infrastructure, you're doing it wrong.
Re:Private Certificate Authority (Score:3, Informative)
that don't involve manually distributing your certificates and CRL to every workstation in the company
So automate the distribution. Logon script, group policy, OS update patch, software distribution push out, whatever. You do it once and it's done. Then put it on your standard image and never worry about it again.
Re:Private Certificate Authority (Score:2, Informative)
Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)
As soon as a new pc joins the domain, the internal CA root cert is installed.
Re:Private Certificate Authority (Score:2, Informative)
Why do you assume it has to be manually distributed? CRL and Certificates could be distributed through any enterprise desktop management system, such as SCCM or remediation managers such as Hercules.
Re:Private Certificate Authority (Score:5, Informative)
If you are using Windows on a network controlled by a DC, you can push the CA trust out through group policy...
Re:Private Certificate Authority (Score:3, Informative)
If you make your Microsoft certificate authority the domain authority, I think that it will automatically distribute the root cert to every domain-joined computer at the next computer policy refresh.
Not only that, but there is a section of group policy just for certificates. It is very easy to work with (if you are using a Microsoft authority).
The cost is that of another server (or a few servers for a large organisation).
Re:ssh tunnel (Score:1, Informative)
PuTTY FTW.
Re:Private Certificate Authority (Score:4, Informative)
You don't even need group policy... once you install a Windows CA in Enterprise mode it's automatic; the chain will be distributed and trusted via Active Directory.
Re:Private Certificate Authority (Score:5, Informative)
Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)
For those who don't like using IE, you can also distribute Firefox settings via group policies by using FrontMotion.
Re:Is free cheap enough? (Score:2, Informative)
If by "nice colored emblem", you mean the blue indicator next to the address bar and the padlock icon in the bottom-right, yes. It works fine. No scary warnings or anything. Such standard SSL certificates are fully trusted by Firefox, and are free of charge.
If, however, you mean the green Extended Validation indicator next to the address bar, this also works fine, but costs a bit of money. Not a big deal.
Either way, the browser will trust the cert without warnings.
Yes, it will be more transparent to the user than using a self-signed certificate. Self-signed certificates present scary warnings, as they are not signed by a trusted CA. StartSSL-issued certs are trusted by many browsers. See http://www.startssl.com/?app=40 [startssl.com]
StartSSL certs are accepted without warnings by Android and iPhone.
Re:Private Certificate Authority (Score:3, Informative)
It's impolite, but the truth. If your job entails running a company's computer systems, you should already know (or be able to Google) the fact that you either have to pony up for SSL certs or generate and distribute your own. There is no in between. In systems administration, the question of "how do we solve this?" is almost always answered by "rolling our own" or "paying someone".