    Do you setup SSL for Intranet websites only

      DustinB3403 @Donahue

      @donahue said in Do you setup SSL for Intranet websites only:

      I've never bothered to set up a certificate for anything internal. I know who they are even if the browser doesn't.

      That's my stance as well.

        black3dynamite

        Self-signed isn't too bad if you have a way to install your own Root CA to the computers.

          dbeato

          In a Windows environment with AD I set up a domain CA and all the servers and devices get an internal SSL that is trusted by the devices joined to the domain. That's the only use I do for internal SSLs but it takes some time to set up though.

            JaredBusch @black3dynamite

            @black3dynamite said in Do you setup SSL for Intranet websites only:

            Self-signed isn't too bad if you have a way to install your own Root CA to the computers.

            That is not self signed. That is signed by a trusted (local) CA.

              FiyaFly

              I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it.

                black3dynamite @FiyaFly

                @fiyafly said in Do you setup SSL for Intranet websites only:

                I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it.

                Here are a few sites I’ve been using to set up a local CA.

                This one is pretty basic.
                https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

                https://devcentral.f5.com/articles/building-an-openssl-certificate-authority-introduction-and-design-considerations-for-elliptical-curves-27720

                https://jamielinux.com/docs/openssl-certificate-authority/introduction.html

                  scottalanmiller @JaredBusch

                  @jaredbusch said in Do you setup SSL for Intranet websites only:

                  @black3dynamite said in Do you setup SSL for Intranet websites only:

                  Self-signed isn't too bad if you have a way to install your own Root CA to the computers.

                  That is not self signed. That is signed by a trusted (local) CA.

                  I think that local CA is us, we often think of it as self signed. Just a way to trust something that we signed ourselves.

                    JaredBusch @scottalanmiller

                    @scottalanmiller said in Do you setup SSL for Intranet websites only:

                    @jaredbusch said in Do you setup SSL for Intranet websites only:

                    @black3dynamite said in Do you setup SSL for Intranet websites only:

                    Self-signed isn't too bad if you have a way to install your own Root CA to the computers.

                    That is not self signed. That is signed by a trusted (local) CA.

                    I think that local CA is us, we often think of it as self signed. Just a way to trust something that we signed ourselves.

                    A local CA is nothing like a system generating a basic self-signed cert.

                    A local CA can (more) easily be trusted by all browsers on the network.

                    Self-signed certs would all have to be individually trusted.

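The difference between a certificate issued by a local CA and a plain self-signed one, shown with `openssl` (an added example, not part of the original thread or any poster's own commands). The CA subject, the host names `wiki.intranet.example` and `printer.intranet.example`, the file names and the functions `build_pki` and `trusts` are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Every name below (CA subject, host names, file names) is constructed.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cfg="$demo_dir/openssl.cnf"
cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:wiki.intranet.example
EOF

build_pki() {
    # 1. Local root CA: the one certificate that gets pushed to every client.
    openssl req -x509 -config "$cfg" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=Example Intranet Root CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null
    # 2. Server key + CSR, then a certificate issued (signed) by the local CA.
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=wiki.intranet.example" \
        -keyout "$demo_dir/wiki.key" -out "$demo_dir/wiki.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/wiki.csr" -CA "$demo_dir/ca.crt" \
        -CAkey "$demo_dir/ca.key" -CAcreateserial -days 365 \
        -extfile "$cfg" -extensions v3_leaf -out "$demo_dir/wiki.crt" 2>/dev/null
    # 3. A plain self-signed certificate, as a device would generate for itself.
    openssl req -x509 -config "$cfg" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=printer.intranet.example" \
        -keyout "$demo_dir/printer.key" -out "$demo_dir/printer.crt" 2>/dev/null
}

# trusts ANCHOR CERT: succeeds if CERT validates with ANCHOR as the trusted root.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_pki
trusts "$demo_dir/ca.crt" "$demo_dir/wiki.crt" \
    && echo "wiki.crt: accepted with only the local CA trusted"
trusts "$demo_dir/ca.crt" "$demo_dir/printer.crt" \
    || echo "printer.crt: rejected with only the local CA trusted"
trusts "$demo_dir/printer.crt" "$demo_dir/printer.crt" \
    && echo "printer.crt: accepted only once it is trusted individually"
```

With only `ca.crt` installed as a trust anchor, every certificate that CA issues validates, while each self-signed certificate has to be added as its own anchor.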
                      Donahue

                      Are there any good articles on how to create a local CA?

                        black3dynamite @Donahue

                        @donahue said in Do you setup SSL for Intranet websites only:

                        Are there any good articles on how to create a local CA?

                        https://mangolassi.it/topic/18175/do-you-setup-ssl-for-intranet-websites-only/22

                        The second link is an updated version based on the third link.

                          Obsolesce @DustinB3403

                          @dustinb3403 said in Do you setup SSL for Intranet websites only:

                          Near-zero value in someone attacking is what I meant. Not a zero-value in what is provided by the systems. Also there is nothing confidential or needing "security" from a business perspective, which is why I ask is SSL worth it for these types of Intranet sites?

                          You need SSL for everything, period. Even if it's a self-signed cert it's fine... just allow the exception in the web browser and be done, or use an internal certificate if your browsers are set to trust the root... or a domain wildcard cert would work just fine. It's easy to do.

                          You could set out a reverse proxy for use with Let's Encrypt, and use the reverse proxy for all of your internal-only web servers. On the reverse proxy, you can limit each site config to pass internal IPs only. That's what I did for a few. For example, if you add this in:

                              allow 10.0.0.0/8;
                              allow 172.16.0.0/12;
                              allow 192.168.0.0/16;
                              deny all;
                          

                          It will not proxy anything unless it comes from an internal IP.
