Do you setup SSL for Intranet websites only
-
This post is deleted! -
@jaredbusch said in Do you setup SSL for Intranet websites only:
Or you buy long term certs (or a wildcard) form someplace and use that. That at least only needs configured once every year or two.
But then you're still left with "is it worth paying for?"
There are clients out there that will automate the DNS checks and such for you if your DNS provider has an API. I've got one I'm testing now, but I just ran across it a day or so again. If it works well, I'll post it.
-
Or you use self signed certs.
-
@scottalanmiller said in Do you setup SSL for Intranet websites only:
Or you use self signed certs.
But is that even worth it, it's added setup for something that goes to a dead-end in terms of systems. The logins have no association with anything else on the network, and there is nothing critically location on these systems that (in my case) warrants needing to be secured.
-
Sometimes we do, sometimes we don't... great answer right?
-
@dustinb3403 said in Do you setup SSL for Intranet websites only:
@scottalanmiller said in Do you setup SSL for Intranet websites only:
Or you use self signed certs.
But is that even worth it, it's added setup for something that goes to a dead-end in terms of systems. The logins have no association with anything else on the network, and there is nothing critically location on these systems that (in my case) warrants needing to be secured.
Its' so easy to do, why not?
Is it necessary? No. But the effort is so small, might easily be worth it.
-
@scottalanmiller said in Do you setup SSL for Intranet websites only:
@dustinb3403 said in Do you setup SSL for Intranet websites only:
@scottalanmiller said in Do you setup SSL for Intranet websites only:
Or you use self signed certs.
But is that even worth it, it's added setup for something that goes to a dead-end in terms of systems. The logins have no association with anything else on the network, and there is nothing critically location on these systems that (in my case) warrants needing to be secured.
Its' so easy to do, why not?
Is it necessary? No. But the effort is so small, might easily be worth it.
Self-signed or horrid. Because your browser does not trust them and you have to click through warnings. you don't want to be in that habit.
-
I've never bothered to setup a certificate for anything internal. I know who they are even if the browser doesn't.
-
@donahue said in Do you setup SSL for Intranet websites only:
I've never bothered to setup a certificate for anything internal. I know who they are even if the browser doesn't.
That's my stance as well.
-
Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
-
In a windows environment with AD I setup a domain CA and all the servers and devices get an internal SSL that is trusted by the devices joined to the domain. That's the only use I do for internal SSLs but it takes some time to setup though.
-
@black3dynamite said in Do you setup SSL for Intranet websites only:
Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
That is not self signed. That is signed by a trusted (local) CA.
-
I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it.
-
@fiyafly said in Do you setup SSL for Intranet websites only:
I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it.
Here’s a few sites I’ve been using to setup a local CA.
This one is pretty basic.
https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
-
@jaredbusch said in Do you setup SSL for Intranet websites only:
@black3dynamite said in Do you setup SSL for Intranet websites only:
Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
That is not self signed. That is signed by a trusted (local) CA.
I think that local CA is us, we often think of it as self signed. Just a way to trust something that we signed ourselves.
-
@scottalanmiller said in Do you setup SSL for Intranet websites only:
@jaredbusch said in Do you setup SSL for Intranet websites only:
@black3dynamite said in Do you setup SSL for Intranet websites only:
Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
That is not self signed. That is signed by a trusted (local) CA.
I think that local CA is us, we often think of it as self signed. Just a way to trust something that we signed ourselves.
A local CA, is nothing like a system generating a basic self signed cert.
A local CA can (more) easily be trusted by all browsers on the network.
Self-signed certs would all have to be individually trusted.
-
are there any good articles on how to create a local CA?
-
@donahue said in Do you setup SSL for Intranet websites only:
are there any good articles on how to create a local CA?
https://mangolassi.it/topic/18175/do-you-setup-ssl-for-intranet-websites-only/22
The second link one is an updated version based on the third link.
-
@dustinb3403 said in Do you setup SSL for Intranet websites only:
Near-zero value in someone attacking is what I meant. Not a zero-value in what is provided by the systems. Also there is nothing confidential or needing "security" from a business perspective, which is why I ask is SSL worth it for these types of Intranet sites?
You need SSL for everything period. Even if it's a self-signed cert it's fine... just allow the exception in the web browser and be done, or use an internal certificate if your browsers are set to trust the root... or a domain wildcard cert would work just fine. It's easy to do.
You could set out a reverse proxy for use with Let's Encrypt, and use the reverse proxy for all of your internal-only web servers. On the reverse proxy, you can limit each site config to only pass internal IPs only. That's what I did for a few. For example, if you add this in:
allow 10.0.0.0/8; allow 172.16.0.0/12; allow 192.168.0.0/16; deny all;
It will not proxy anything unless it comes from an internal IP.