Do you setup SSL for Intranet websites only

FiyaFly

I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it.

black3dynamite

@fiyafly said in Do you setup SSL for Intranet websites only:

I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it.

Here’s a few sites I’ve been using to setup a local CA.

This one is pretty basic.
https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

https://devcentral.f5.com/articles/building-an-openssl-certificate-authority-introduction-and-design-considerations-for-elliptical-curves-27720

https://jamielinux.com/docs/openssl-certificate-authority/introduction.html

scottalanmiller

@jaredbusch said in Do you setup SSL for Intranet websites only:

@black3dynamite said in Do you setup SSL for Intranet websites only:

Self-signed isn't too bad if you have a way to install your own Root CA to the computers.

That is not self signed. That is signed by a trusted (local) CA.

I think that local CA is us, we often think of it as self signed. Just a way to trust something that we signed ourselves.

JaredBusch

@scottalanmiller said in Do you setup SSL for Intranet websites only:

@jaredbusch said in Do you setup SSL for Intranet websites only:

@black3dynamite said in Do you setup SSL for Intranet websites only:

Self-signed isn't too bad if you have a way to install your own Root CA to the computers.

That is not self signed. That is signed by a trusted (local) CA.

I think that local CA is us, we often think of it as self signed. Just a way to trust something that we signed ourselves.

A local CA, is nothing like a system generating a basic self signed cert.

A local CA can (more) easily be trusted by all browsers on the network.

Self-signed certs would all have to be individually trusted.

Donahue

are there any good articles on how to create a local CA?

black3dynamite

@donahue said in Do you setup SSL for Intranet websites only:

are there any good articles on how to create a local CA?

https://mangolassi.it/topic/18175/do-you-setup-ssl-for-intranet-websites-only/22

The second link one is an updated version based on the third link.

Obsolesce

@dustinb3403 said in Do you setup SSL for Intranet websites only:

Near-zero value in someone attacking is what I meant. Not a zero-value in what is provided by the systems. Also there is nothing confidential or needing "security" from a business perspective, which is why I ask is SSL worth it for these types of Intranet sites?

You need SSL for everything period. Even if it's a self-signed cert it's fine... just allow the exception in the web browser and be done, or use an internal certificate if your browsers are set to trust the root... or a domain wildcard cert would work just fine. It's easy to do.

You could set out a reverse proxy for use with Let's Encrypt, and use the reverse proxy for all of your internal-only web servers. On the reverse proxy, you can limit each site config to only pass internal IPs only. That's what I did for a few. For example, if you add this in:

    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;

It will not proxy anything unless it comes from an internal IP.