Do you setup SSL for Intranet websites only
-
I've never bothered to setup a certificate for anything internal. I know who they are even if the browser doesn't.
-
@donahue said in Do you setup SSL for Intranet websites only:
I've never bothered to setup a certificate for anything internal. I know who they are even if the browser doesn't.
That's my stance as well.
-
Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
-
In a windows environment with AD I setup a domain CA and all the servers and devices get an internal SSL that is trusted by the devices joined to the domain. That's the only use I do for internal SSLs but it takes some time to setup though.
-
@black3dynamite said in Do you setup SSL for Intranet websites only:
Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
That is not self signed. That is signed by a trusted (local) CA.
-
I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it.
-
@fiyafly said in Do you setup SSL for Intranet websites only:
I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it.
Here’s a few sites I’ve been using to setup a local CA.
This one is pretty basic.
https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
-
@jaredbusch said in Do you setup SSL for Intranet websites only:
@black3dynamite said in Do you setup SSL for Intranet websites only:
Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
That is not self signed. That is signed by a trusted (local) CA.
I think that local CA is us, we often think of it as self signed. Just a way to trust something that we signed ourselves.
-
@scottalanmiller said in Do you setup SSL for Intranet websites only:
@jaredbusch said in Do you setup SSL for Intranet websites only:
@black3dynamite said in Do you setup SSL for Intranet websites only:
Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
That is not self signed. That is signed by a trusted (local) CA.
I think that local CA is us, we often think of it as self signed. Just a way to trust something that we signed ourselves.
A local CA, is nothing like a system generating a basic self signed cert.
A local CA can (more) easily be trusted by all browsers on the network.
Self-signed certs would all have to be individually trusted.
-
are there any good articles on how to create a local CA?
-
@donahue said in Do you setup SSL for Intranet websites only:
are there any good articles on how to create a local CA?
https://mangolassi.it/topic/18175/do-you-setup-ssl-for-intranet-websites-only/22
The second link one is an updated version based on the third link.
-
@dustinb3403 said in Do you setup SSL for Intranet websites only:
Near-zero value in someone attacking is what I meant. Not a zero-value in what is provided by the systems. Also there is nothing confidential or needing "security" from a business perspective, which is why I ask is SSL worth it for these types of Intranet sites?
You need SSL for everything period. Even if it's a self-signed cert it's fine... just allow the exception in the web browser and be done, or use an internal certificate if your browsers are set to trust the root... or a domain wildcard cert would work just fine. It's easy to do.
You could set out a reverse proxy for use with Let's Encrypt, and use the reverse proxy for all of your internal-only web servers. On the reverse proxy, you can limit each site config to only pass internal IPs only. That's what I did for a few. For example, if you add this in:
allow 10.0.0.0/8; allow 172.16.0.0/12; allow 192.168.0.0/16; deny all;
It will not proxy anything unless it comes from an internal IP.