
SSL Certificates For Intranet Sites?

Posted by kdawson
from the matter-of-trust dept.
wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."
  • by LostOne (51301) * on Tuesday November 23, 2010 @11:31AM (#34317954) Homepage

    Why not set up a private certificate authority? Then you can manufacture as many SSL certificates as you need for private use and all you need to do is distribute the certificate authority's certificate to each browser once for the entire enterprise. Every browser out there has a way to add additional trusted certificate authorities. Indeed, if you have a "centrally controlled" provisioning system, you can even add the certificate to your default system build. Then the scary warnings go away completely.

    • by Anonymous Coward on Tuesday November 23, 2010 @11:32AM (#34317978)

      Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

      • by Anonymous Coward on Tuesday November 23, 2010 @11:35AM (#34318012)

        Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

        Damn, over in two posts.

      • by pla (258480) on Tuesday November 23, 2010 @11:42AM (#34318102) Journal
        Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

        FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

        Before snarking on the FP author, perhaps you should actually read the FP's question?
        • by Yaa 101 (664725) on Tuesday November 23, 2010 @11:52AM (#34318256) Journal

          Sorry, but every certificate authority is manually distributed at some point, the Verizons of this planet included; they just have the convenience that browser manufacturers do that for them.

          The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.

          I do not know any other way to do this automatically.

          • by Yaa 101 (664725)

            A variant would work if all browser users were technical enough to download and install a browser, that is, a central in-house downloadable copy with that root installed in the browser.

            • Re: (Score:3, Insightful)

              by apparently (756613)

              A variant would work if all browser users were technical enough to download and install a browser, that is, a central in-house downloadable copy with that root installed in the browser.

              That only works if you're also fine with local users having the privileges to install software on their workstations. So you're only trading one security issue for another.

          • Re: (Score:2, Informative)

            by Anonymous Coward

            Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)

            As soon as a new pc joins the domain, the internal CA root cert is installed.

            • Yeah, but then you have to use IE.
              • AD's set of default group policy templates only makes it trivial for IE; but you can also impose login, logoff, startup, shutdown, and a bunch of other locations for running arbitrary scripts/programs.

                Most browsers, and any other programs that have SSL-related business, either store their set of trusted certs/authorities as a set of certificate files in some reasonably easily discoverable directory or piggyback IE's settings. If the former, you just execute a trivial file-copy script via group policy any
            • by Anonymous Coward on Tuesday November 23, 2010 @12:36PM (#34319026)

              Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)

              For those who don't like using IE, you can also distribute Firefox settings via group policies by using FrontMotion.

          • by wkk2 (808881)

            Get a low cost email certificate, create a self signed root certificate authority (best done on a smart card or other protected hardware) and distribute your root certificate via signed email.

            Many appliances don't have an API for anything except an internally self signed certificate. So in many cases you will be stuck with the warnings.

          • Re: (Score:2, Interesting)

            by ayvee (1125639)
            This may be noobish, but is there some way to set up a certificate authority, have its verification key (V) be publicly available from a website or something, and have V signed by (say) Verisign?
          • by TheLink (130905) on Tuesday November 23, 2010 @01:58PM (#34320372) Journal

            Sorry, but every certificate authority is manually distributed at some point, the Verizons of this planet included; they just have the convenience that browser manufacturers do that for them.

            And there's the big difference.

            The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.

            No, the way to do what the main requester wants is to get a free cert whose CA is recognized by most popular browsers. You can get some from: http://www.startssl.com/
            Their "product" comparison: http://www.startssl.com/?app=40

            You might be able to get free certs from elsewhere.

            Apparently some sites sell rapidssl wildcard certs for cheap. I can't remember which ones. Can't find them via Rapidssl's own website for some reason ;).

            You have to understand the truth of the matter. Most people dealing with https don't really care that much about security. All they want is not to have those scary browser warnings.

            If they really cared about security they would realize that most popular browsers by default do not warn you if a site's CA has changed, or a server cert has changed rather prematurely (I use certificate patrol for that). And that as long as this remains true, all the talk about https security is just talk.

            So people should just solve the submitter's problem, and implying he's incompetent or even calling him incompetent. Because how many of you are relying on https to keep stuff safe and have CA certs in your browser from CAs you do not trust?

            FWIW how many of you really trust Verisign? Stick your hand up if you're that incompetent ( http://en.wikipedia.org/wiki/Verisign#Controversies ). Guess who signs zillions of certs though, and what happens if you don't tell the browser to trust Verisign's certs. Guess who signed a fake Microsoft cert? http://www.cert.org/advisories/CA-2001-04.html

            So just accept that those certs are mainly to make people feel safe and make the browser warnings go away.

            • by TheLink (130905)
              Oops I meant to type: "and stop implying he's incompetent". Somehow the stop got deleted...
        • by apparently (756613) on Tuesday November 23, 2010 @11:57AM (#34318338)

          FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks." Before snarking on the FP author, perhaps you should actually read the FP's question?

          So a login script (or in a Microsoft environment, an AD group policy) that distributes the certificate automatically to each computer meets your definition of "manual distribution?"
          Really? That's what you're saying? "Automatic" and "manual" are synonyms in your universe? wow.

        • by chill (34294)

          I interpreted "manually distributing your certificates and CRL" as "walking it around".

          He could e-mail the cert to everyone with instructions to have them install it.

          He could also push a customized version of IE or Firefox with the cert and CRL already in the store.

          • by alta (1263)

            NO kidding... so many ways to do this...

            Even if he's running Linux clients there are tons of ways to have the clients do this, even if it's as low-tech as:

            Everybody copy and paste this into a terminal

            yum install -y http://intranetserver/company-certs.rpm

        • Re: (Score:3, Informative)

          by ImprovOmega (744717)

          that don't involve manually distributing your certificates and CRL to every workstation in the company

          So automate the distribution. Logon script, group policy, OS update patch, software distribution push out, whatever. You do it once and it's done. Then put it on your standard image and never worry about it again.

        • Re: (Score:2, Informative)

          by Provos (20410)

          Why do you assume it has to be manually distributed? CRL and Certificates could be distributed through any enterprise desktop management system, such as SCCM or remediation managers such as Hercules.

        • by Xonstantine (947614) on Tuesday November 23, 2010 @12:12PM (#34318594)

          If you are using Windows on a network controlled by a DC, you can push the CA trust out through group policy...

        • Re: (Score:3, Informative)

          by KevMar (471257)

          If you make your Microsoft certificate authority the domain authority, I think that it will automatically distribute the root cert to every domain-joined computer at the next computer policy refresh.

          Not only that, but there is a section of group policy just for certificates. It is very easy to work with (if you are using a Microsoft authority).

          The cost is that of another server (or a few servers for a large organisation).

        • by rickb928 (945187)

          We don't manually distribute certificates or CRLs here. Software distribution for all other purposes also serves that one.

          Being snarky and encouraging the poster to indulge in a more fully-featured systems management environment is appropriate here. If you want to leave the porch, you'll have to run like a big dog... Otherwise, stay home.

        • by Minwee (522556)

          Remotely updating large numbers of workstations without having to sit at every desk in the company is just one of those things that sysadmins do. If you can't do that then you should focus on learning how to do it first and worry about how SSL certificates work later.

        • If it's a Microsoft shop, you set up a Certificate Authority (free) and distribute it to clients via Group Policy. Done. No manual distribution.

        • Re: (Score:3, Informative)

          by Eil (82413)

          It's impolite, but the truth. If your job entails running a company's computer systems, you should already know (or be able to Google) the fact that you either have to pony up for SSL certs or generate and distribute your own. There is no in between. In systems administration, the question of "how do we solve this?" is almost always answered by "rolling our own" or "paying someone".

      • Haha, hilariously true.

        I knew nothing about certificates, certificate authorities, certificate servers and running your own private certificate authority, but I was curious.. (This was as I read the original question, before the comments) so I went to Wikipedia and spent about 2 minutes reading about SSL certificates until I started reading http://en.wikipedia.org/wiki/Certificate_server, and noticed the Open Source Implementations part...

        Immediately I thought, "Why can't you just run your own certificate

        • When did asking a question cease to be a valid method of finding things out?

          I mean, it's great that you can find information like this from Google or Wikipedia, but it can be a risky strategy, and you might end up following a howto that results in a non-optimal implementation, or lacks crucial information, or doesn't adequately detail the pitfalls of a particular method. Or maybe you're like me, and sometimes you just can't think of the right search terms to use.

          I would have thought that Slashdot would be

      • Which is actually Redundant as the OP question specified

        Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company?

      • by MrMarket (983874)

        Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

        You are assuming that this is a centrally controlled provisioning environment. This does not work in a setting where people bring their own computers - like in a university classroom.

        BTW - why are you such an @sshole? The whole point of ask slashdot is to generate discussion about how to solve problems - not attract personal character attacks from ACs.

    • Re: (Score:3, Insightful)

      by amorsen (7485)

      The available certificate servers which are Free Software tend to be rather user-unfriendly. Maintaining certificate revocation lists and handling certificates for different purposes (mail, web, code, client authentication, vpn...) are needlessly time-consuming chores. Obviously any competent system administrator can script their way out of it, but in this case it is a rather large effort.

      I would be very happy to hear about an easier solution.

    • by Trevelyan (535381) on Tuesday November 23, 2010 @11:46AM (#34318180)
      10secs of googling gave me this:
      • Can confirm, if they're MS machines in a domain with active directory this is free and simple.
      • Thanks for the links, very informative. I have the same basic question as the submitter but with a slight variation: Do the certs get installed on the computer or printer if you want to make the https web management feature not give you that warning?
    • It's what my company does, and it works great. Except those of us that use Firefox. (Though that wouldn't be a problem if the security dept. supported non-IE browsers.)

      • by Bengie (1121981)

        Chrome mirrors my Windows certs, just like IE does. Why doesn't FireFox do this?

        Just seems like FF doesn't want to be used in the enterprise.

        I don't use FF, so I probably don't know how to set this up, but really, why should you have to jump through hoops? Should be defaulted on.

    • by rjstanford (69735)

      Why go to the trouble? Buy a single wildcard cert from RapidSSL (they're not expensive), and install it everywhere. Just sayin'.

    • Re: (Score:3, Informative)

      Indeed. An "enterprise PKI," as Microsoft likes to call it, handily solves this issue. Just add the root CA and intermediate CA certificates to the computers via Group Policy -- just as you would if you needed to trust a novel CA (such as, for instance, the DoD CAs). As an added bonus, if you activate auto-enrollment on Windows, your users get access to encrypted and signed e-mail, and you can trivially kick PPTP VPNs to the curb and use IKEv2 or L2TP instead. With a little more work, you can even get IPSec

    • by SIGBUS (8236)

      Not only that, but if you don't feel like using the OpenSSL command line, you could always use a GUI front-end like TinyCA to make life easier. On Ubuntu, it's available prepackaged.

    • by sprior (249994)

      Anyone figure out how to add certificates or authorities on Android?

  • by schi0244 (1198521) on Tuesday November 23, 2010 @11:35AM (#34318018)

    https://www.startssl.com/
    An Israeli company with inexpensive SSL (and other certs). I would also point out the prices they have for Extended Validation SSL certs.

    • by bunratty (545641)
      Whoa! Now if only there were a way to set up my website so all traffic would be encrypted so FireSheep attacks wouldn't work, that would be even better! Does anyone know how I could do that?
      • by berwiki (989827)
        a proxy outside your network would work.
        it's not like firesheep is a new concept or anything, just a tool that makes it even easier to snoop than before.
    • by yakatz (1176317)
      I use StartSSL for tens of certificates on all manner of internet and intranet sites.
      I had to install their root certificate on Windows 2000, but any computer that gets regular Windows updates should have had it since last year.

      They don't charge for certificates, they charge for work a person has to do: verifications.
      Meaning, if they have to call you, it will cost, but you can get regular certificates for free.
      • by nabsltd (1313397)

        I use StartSSL for tens of certificates on all manner of internet and intranet sites. I had to install their root certificate on Windows 2000, but any computer that gets regular Windows updates should have had it since last year.

        I'll jump on the StartSSL praise train, too. For $50/year, you get unlimited SSL certs for any domain you control, or personal authentication certs (i.e., e-mail) for any e-mail address you control. The certs can include wildcarding, multiple domains per cert, and lots of other features that other CAs charge an arm and a leg for.

        I noticed that I had to install their CA cert when I was using their completely free certs, but their class 2 certs were issued by a different CA that was already in IE and Firefo

      • Again, another fan of StartSSL. User of both server certs and client certs for personal and business use. Their cost model is much more in line with reality than Verisign or the others... Plus, EV certs if you need them.
  • by jandrese (485) <kensama@vt.edu> on Tuesday November 23, 2010 @11:35AM (#34318020) Homepage Journal
    Every browser has a way to store the security exceptions so that you don't get that warning every time. Just set the box up on a private network the first time to avoid a MitM attack and store the cert. If you ever get another warning about an untrusted cert from the box, then you might have a MitM attack going on, but otherwise if the cert matches you're fine.

    You could also set up your own local root authority (most larger companies do this) and make your own certs.
    • by KevMar (471257)

      Check the name on the cert. If it is self-signed, then you just have to deal with it. But if it is root-signed, look at the site name. If you can find a way to use that site address to access the device then you will not get prompted.

      My home router has a valid cert, but I would use the IP address and get prompted every time. I ended up making an entry in my hosts file for "linksys" at that address. Now when I go to https://linksys/ everything is OK.

      At the end of the day, remember the whole reason these d
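The name check KevMar describes is the browser comparing what was typed into the address bar against the names in the certificate. The following is an added example (not code from the thread or from any vendor) that applies the RFC 6125 matching rules to a constructed SAN list, showing why an IP address or a bare "linksys" fails while a hosts-file name or a wildcard-covered name passes; the router names and addresses are made up.

```python
"""Hostname-vs-certificate name matching: why a device reached by IP address or a
short name still warns even when its certificate is CA-signed.  Added example;
the rules follow RFC 6125 section 6.4 and the SAN list below is constructed."""

import ipaddress


def _matches_dns_name(hostname, pattern):
    """Case-insensitive match of one dNSName SAN entry against a hostname.

    A wildcard is honoured only as the complete leftmost label ("*.corp.example")
    and covers exactly one label, so it matches neither the bare domain nor a
    deeper subdomain.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    if pat_labels[0] == "*":
        # Wildcard must be the whole leftmost label; the remaining labels match exactly
        return len(host_labels) > 1 and host_labels[1:] == pat_labels[1:]
    if "*" in pattern:
        # Partial wildcards such as "w*.corp.example" are rejected outright
        return False
    return host_labels == pat_labels


def hostname_matches(hostname, san_dns, san_ip=()):
    """True if the name typed into the browser is covered by the certificate's SAN."""
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is compared only with iPAddress entries, never with dNSName
        return any(addr == ipaddress.ip_address(ip) for ip in san_ip)
    return any(_matches_dns_name(hostname, p) for p in san_dns)


def usable_names(candidates, san_dns, san_ip=()):
    """Which of the candidate addresses reach the device without a name mismatch."""
    return [c for c in candidates if hostname_matches(c, san_dns, san_ip)]


# Constructed SAN contents for a home router's certificate (hypothetical names)
ROUTER_SAN_DNS = ["router.home.example", "*.corp.example"]
ROUTER_SAN_IP = ["192.0.2.1"]


def demo():
    """Try the ways a user might type the router's address into the browser."""
    candidates = [
        "192.0.2.1",              # covered by an iPAddress SAN entry
        "192.0.2.2",              # wrong address
        "linksys",                # short name from a hosts file, not in the cert
        "router.home.example",    # exact dNSName match
        "ROUTER.home.example.",   # case and trailing dot are irrelevant
        "intranet.corp.example",  # one label under the wildcard
        "corp.example",           # wildcard does not cover the bare domain
        "a.b.corp.example",       # wildcard covers only one label
    ]
    return usable_names(candidates, ROUTER_SAN_DNS, ROUTER_SAN_IP)


if __name__ == "__main__":
    for name in demo():
        print("no warning for", name)
```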

    • by jdew (644405)

      HP lights out boards don't retain the self generated cert between power failures. So when power returns you get a different cert, and the exception now needs to be removed and readded.
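jandrese's approach (store the certificate once on a trusted network, then treat any later mismatch as suspicious) and jdew's iLO observation together describe a trust-on-first-use store. As an added example, not code from the thread or from HP, the following keeps a per-endpoint fingerprint pin on disk, refuses to overwrite it silently when the presented certificate changes, and walks through the power-cycle case; the host name and certificate bytes are constructed placeholders.

```python
"""Trust-on-first-use (TOFU) store for device management certificates: pin the
fingerprint on first contact and flag any later change so a regenerated
self-signed cert, or an interposed one, is noticed instead of clicked through.
Added example; the certificate bytes used below are constructed, not real DER."""

import hashlib
import json
import os
import tempfile
import time

FIRST_SEEN = "first-seen"
UNCHANGED = "unchanged"
CHANGED = "changed"


def fingerprint(cert_der):
    """SHA-256 fingerprint of a certificate, hex-encoded as browsers display it."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Maps "host:port" to the fingerprint pinned the first time it was contacted."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def _save(self):
        with open(self.path, "w") as fh:
            json.dump(self.pins, fh, indent=2)

    def check(self, host, port, cert_der, now=None):
        """Classify a presented certificate against the pin for this endpoint.

        Returns FIRST_SEEN (pin created), UNCHANGED (matches the pin) or CHANGED.
        On CHANGED the pin is deliberately left untouched, so a new certificate
        cannot replace the old one without an explicit accept_change() call.
        """
        key = "%s:%d" % (host, port)
        fp = fingerprint(cert_der)
        now = time.time() if now is None else now
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = {"sha256": fp, "first_seen": now, "previous": []}
            self._save()
            return FIRST_SEEN
        return UNCHANGED if pinned["sha256"] == fp else CHANGED

    def accept_change(self, host, port, cert_der, now=None):
        """Re-pin after an administrator has verified the new certificate out of band."""
        key = "%s:%d" % (host, port)
        now = time.time() if now is None else now
        entry = self.pins[key]
        # Keep the history so an unexplained churn of certificates is visible later
        entry["previous"].append({"sha256": entry["sha256"],
                                  "first_seen": entry["first_seen"],
                                  "replaced": now})
        entry["sha256"] = fingerprint(cert_der)
        entry["first_seen"] = now
        self._save()


def demo_path():
    """Fresh pin file in a temporary directory so the demo runs anywhere."""
    return os.path.join(tempfile.mkdtemp(), "pins.json")


def ilo_scenario(path):
    """Lights-out board: same host, a different self-signed cert after a power cycle."""
    store = TofuStore(path)
    original = b"constructed-der:ilo-cert-generated-at-first-boot"
    regenerated = b"constructed-der:ilo-cert-regenerated-after-power-loss"
    host = "ilo-db01.example"  # hypothetical management address
    results = [
        store.check(host, 443, original, now=1.0),     # first contact on a trusted network
        store.check(host, 443, original, now=2.0),     # routine login, nothing changed
        store.check(host, 443, regenerated, now=3.0),  # after the power failure
    ]
    store.accept_change(host, 443, regenerated, now=4.0)  # admin confirmed the reboot
    results.append(store.check(host, 443, regenerated, now=5.0))
    # A new instance reads the pins back from disk, so the old cert is still rejected
    results.append(TofuStore(path).check(host, 443, original, now=6.0))
    return results


if __name__ == "__main__":
    print(ilo_scenario(demo_path()))
```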

  • by multipartmixed (163409) on Tuesday November 23, 2010 @11:36AM (#34318028) Homepage

    http://startssl.com/

    • by miaDWZ (820679) *

      http://startssl.com/

      mod parent up - great service.

    • I do not see "startssl" listed in the list of built-in root certificates under Firefox.

      Does this mean that if third-party users access my web site, they will be "stopped" with the typical warning that the site is secured with an unknown certificate - and make them go through the usual steps to add it, etc?

      Or will it just "work"? Will they get the nice colored emblem on the address bar saying "Verified by: startssl", etc?

      In other words - will it be any better, or more transparent to the user than they

      • It is built into Firefox. StartSSL is where I get the SSL certificate I use for my SVN server, works great. I know the root certificate is in Firefox from at least 3.0 forward.
      • Re: (Score:2, Informative)

        by heypete (60671)

        If by "nice colored emblem", you mean the blue indicator next to the address bar and the padlock icon in the bottom-right, yes. It works fine. No scary warnings or anything. Such standard SSL certificates are fully trusted by Firefox, and are free of charge.

        If, however, you mean the green Extended Validation indicator next to the address bar, this also works fine, but costs a bit of money. Not a big deal.

        Either way, the browser will trust the cert without warnings.

        Yes, it will be more transparent to the use

  • http://lmgtfy.com/?q=how+to+set+up+a+certificate+authority Then distribute the *organization's* cert to all the servers and clients. If you have a few clients or don't get many that fast, just do it by hand. If you have hundreds of computers or lots of turnover, you should be running central config management anyway. MIT for example distributes an MIT cert. Presto, everything on campus is protected. It's partially a question of tradeoffs: sign a cert by a CA already trusted for $$, or make your own CA
  • On Windows the list of CAs on the machine can be centrally managed...
  • PKI in a web page (Score:2, Informative)

    by rich_salz (612602)
    You might find my "PKI in a web page" useful. It doesn't require sending all certs to all browsers, just the one internal CA cert, and includes step-by-step screenshots on how to do that. See https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/entry/a_pki_in_a_web_page10?lang=en
  • Find a cheaper service. We paid something like 500 euros for a 5 year SSL certificate.

  • Go for a cheapie wildcard cert. That will cover all your intranet needs.

  • For a private (e.g., not ecommerce, banking, etc.) web site, just create a certificate authority and use self-signed certificates, and send an email to the users covering the installation of private certs in MSIE, Firefox, Chrome and Safari. Don't waste your money on a Verisign cert because all it does is eliminate the warning for a price, whereas your users can eliminate it for free. Why add the tracking of additional "licensing" fees to your workload?

    If it's public-facing then by all means buy the cert to

    • ... just create a certificate authority and use self-signed certificates, and send an email to the users covering the installation of private certs in MSIE, Firefox, Chrome and Safari. Don't waste your money on a Verisign cert because all it does is eliminate the warning for a price, whereas your users can eliminate it for free.

      Seriously? Let's assume an organization with only 100 employees. If just 10% of them require help setting this up, at say 15 minutes user time lost buggering around, plus 15 minutes support from the helpdesk, then you've lost 4.5 hours of total productivity. That covers the cost of a wildcard cert for your internal domains for a year. (Maybe not from Verisign, but certainly from someplace sane.)

      Of course, in the real world, at least half of the users won't bother installing the cert, leaving them vulner

  • by spydum (828400) on Tuesday November 23, 2010 @12:18PM (#34318684)

    Judging by plenty of the comments in threads similar to this, I think most of us are tired of seeing Ask Slashdot posts on how to do his or her job. Had this been really cutting edge, or new grounds, I could understand. However.. Enterprise PKI? Seriously? If this is to be the continuing trend of Ask Slashdot, I need to adjust my filters.. because that is just sad.

    I'm finding more and more IT folks are standing around waiting to be spoon-fed solutions, instead of trying to research and educate themselves on what is already out there. It worries me that this is not just the trend in IT, but across all occupations. Am I just getting old and crotchety, or is this a new trend?

    • by rainer_d (115765) on Tuesday November 23, 2010 @12:42PM (#34319122) Homepage

      That's the "I'm feeling lucky" google-fed generation.
      If it's not on the first page in google results, go and ask in a forum.
      Though, that's actually old-school, sort-of - people tend to ask in their twitter feed nowadays...

    • Re: (Score:2, Interesting)

      by Gothmolly (148874)

      It's a new trend I think, fed by the chorus from management that "IT is easy" - so they find cheap talent who live by Googling answers. Nobody designs anything anymore.

    • by Aggrav8d (683620)
      Worse than crotchety.
      You're chastising someone for using every method at their disposal to learn what they need to know, while telling them they need to go figure it out for themselves.
      Your answer is akin to saying "I have enough time to answer you and yet I don't want to help you."
      Do you advocate building your own car instead of taking public transit?

      Besides! All those spoon-fed tools will need your $250/hr consultation expertise when things go wonky, right? More experts means less money in your poc
    • Next on Ask Slashdot: "In the enterprise, what is the easiest way to get spoon-fed solutions without driving away the old, crotchety guys who know the answers?"

    • "I'm finding more and more IT folks are standing around waiting to be spoon-fed solutions, instead of trying to research and educate themselves on what is already out there."

      You mean "research" like asking questions to a knowledgeable community?

      "Am I just getting old and crotchety, or is this a new trend?"

      There's nothing new about obtuseness for its own sake, especially in the IT world. If you won't contribute anything constructive or helpful, please save yourself the effort entirely.

    • It's not really googling answers that's the problem.

      It's that people are working jobs that they have no passion for.

      When you love what you do, you want to always learn more. I've worked IT for a small company and googled a lot. I winged a lot of the job using google.. but I didn't google for forums or quick answers. I would educate myself. I would teach myself using the wealth of resources available on the internet and find I'd be able to get anything done if I put my mind to it. For the few odds and e

  • http://ejbca.sf.net/

    In its easiest form (everything on one host), it should be easy enough to implement.

  • by peacefinder (469349) <alan.dewitt@ g m a i l . com> on Tuesday November 23, 2010 @12:52PM (#34319356) Journal

    Congratulations on getting your story accepted to the front page!

    Dozens of man-hours will now be spent explaining basics of inhouse certificate authorities and self-signing, along with comments on your lack of basic research, intelligence, qualification for your position, and legitimate parentage.

  • ..that don't involve manually distributing your certificates and CRL to every workstation in the company?

    Here's where you went wrong. If you insist on keeping this constraint at any cost, then you have lost. Pay that cost (you don't get to have intranet sites) instead of getting what you want, and accept that you got the lesser of two "evils" (from a very perverted point of view).

    The main problem with looking at it that way, is that you (or someone) already did what you claim you want to avoid. Those wor

  • The biggest problem is in off-the-shelf appliances (like wifi routers) for the whole spectrum (from personal to enterprise); they don't have domain names, so you can't have an internal CA root blessing them (at least, not out of the box), and a non-enterprise location can't easily do that.

    One solution could be to bundle a CA root into the router. Initial setup would involve picking an internal TLD (with a randomly generated suggestion so we don't have everybody using "home" or "linksys"), then the CA roo

  • $400 is the price of name recognition. I use GoDaddy certs and they are 1/10 the cost. All you need for any purpose.

    For some of my stuff I use the shared cert that my host provides. Still secure but throws that bloody warning. At least Firefox lets me permanently store the certificate exception.

  • First, $400 is a stupid price to pay for an SSL cert, many providers are much cheaper...

    Some cert providers (e.g. StartCom) will provide unlimited certs under a particular domain, so assuming you use the same domain internally it's quite easy to generate more certs for the same price you paid for your external certs.

    On the other hand, if it's internal to your network why don't you create an internal certificate authority and just ensure its root cert is trusted by all your devices.

  • Surfing without encryption opens you up to eavesdropping and spoofing.

    Surfing with encryption protects you from eavesdropping and spoofing.

    Surfing with a self-signed certificate protects you from eavesdropping, but not spoofing, since you don't know who the signer is.

    Yet, Firefox treats self-signed certificates as if they were worse than no encryption at all. The default behavior should be to treat self-signed certificates as if there was no encryption at all (from a user perspective). To give users these di

  • If it's an enterprise using domains, set up your own CA and create your own CA signing certificate. Push that certificate out into the root certificate bundle or database for your browsers etc., and use it to sign all your server certificates. Since browsers can validate your server certificates, they won't complain. Have the certificate available for importing into browsers that don't accept automatic pushes. That should solve the problem, at least internally.

  • Most of my company intranet is plain http. There are two parts that we encrypt with SSL. First is the optional login widget on the intranet front page. Employees can customize their front page if they choose to login, but it's not required. But since we use a single sign-in type of situation, where many services are authenticating against the same LDAP service, we feel like we should keep that password encrypted, even on pages not available to the outside world.

    The second page that is https is a web for

  • Once per browser, that is.

    My company's web-managed product just uses self-signed, with the option to add a third-party signed if the customer is willing to pay for and install it themselves.
