Public key infrastructure and applications accessed via https

Experts,

I am looking to stand up a PKI in a few months and have a general question. I have many internal applications that have a web GUI accessible by HTTPS via DNS name.

Let's say my company is brookshire.com. We access https://app1.brookshire.com and https://app2.brookshire.com and accept the certificate error that is displayed in IE.
I want this error to go away because it is teaching users the wrong thing to do by just bypassing an SSL certificate warning.

With a PKI what kind of certificate would be issued to the application server? Is it called a server cert? Or do I have to make the application servers a subordinate CA?
Will the clients need to have the PKI root cert installed onto their trusted cert authority store?
trojan81 asked:
Dave Howe (Software and Hardware Engineer) commented:
Two possible types: a wildcard (*.domain.com) or a SAN (list of hosts); both would work. An internal issue would require the CA cert for your CA to be on each host, but if you bought a commercial wildcard, you could use it for your web-facing webservers, SMTPS (email TLS) and your internal app servers too; might be much easier :)
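Taking the two options above literally, here is an added worked example (mine, not code from the thread or from Experts Exchange) that builds an internal root CA with the openssl command line, issues a server certificate for app1.brookshire.com and app2.brookshire.com (a SAN cert with CA:FALSE, so no subordinate CA is involved) and a *.brookshire.com wildcard for comparison, then runs the checks a browser performs once the root cert is in the trusted store. The openssl version (1.1.1 or later), key sizes, lifetimes, file names, and the extra hostnames app3 and x.y used to probe the SAN matching are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal internal PKI with the
# openssl CLI. It issues end-entity TLS server certificates (not a sub-CA)
# and then runs the same checks a browser does once the root is trusted.
# Assumed: openssl 1.1.1 or newer on PATH; key sizes, lifetimes, file names
# and the probe hostnames are arbitrary choices for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="brookshire.com"

# 1. Root CA: self-signed, CA:TRUE, keyCertSign. This is the one certificate
#    pushed into every client's trusted root store (e.g. via GPO). Its private
#    key stays on the CA host and is never copied to an application server.
make_root_ca() {
    printf '%s\n' \
        '[ req ]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        '[ dn ]' 'CN = Brookshire Internal Root CA' \
        '[ ca_ext ]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
        > "$WORK/root.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/root.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# 2. Server (end-entity) certificate: CA:FALSE, EKU serverAuth, hostnames in
#    the SAN. $1 = output name, $2 = subject CN, $3 = SAN list (DNS:...).
issue_server_cert() {
    name="$1"; cn="$2"; sans="$3"
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = %s\n' \
        "$cn" > "$WORK/$name.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    # Extensions are decided by the CA, not copied from the CSR: the CA states
    # that this is NOT a CA and which names it is valid for.
    printf '%s\n' \
        'basicConstraints = critical,CA:FALSE' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid,issuer' \
        "subjectAltName = $sans" > "$WORK/$name.ext"
    openssl x509 -req -sha256 -days 398 -in "$WORK/$name.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# 3. What the client does: chain to a trusted root, confirm the cert may be
#    used as a TLS server cert, and match the typed hostname against the SAN.
#    $1 = cert name, $2 = hostname typed in the browser. Exit 0 = no warning.
verify_host() {
    openssl verify -CAfile "$WORK/root.crt" -purpose sslserver \
        -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# True if the certificate claims to be a CA (a sub-CA would; a server cert
# must not). $1 = cert name.
is_ca() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'CA:TRUE'
}

build_pki() {
    make_root_ca
    issue_server_cert app  "app1.$DOMAIN" "DNS:app1.$DOMAIN,DNS:app2.$DOMAIN"
    issue_server_cert wild "*.$DOMAIN"    "DNS:*.$DOMAIN"
}

build_pki
for h in "app1.$DOMAIN" "app2.$DOMAIN" "app3.$DOMAIN" "$DOMAIN" "x.y.$DOMAIN"; do
    for c in app wild; do
        if verify_host "$c" "$h"; then echo "$c.crt  ok    $h"; else echo "$c.crt  warn  $h"; fi
    done
done
```

Run it with sh. Every line ending in "warn" is a case where the browser would show exactly the warning the question wants to get rid of: the SAN cert covers only the two listed hosts, and the wildcard covers any single label under brookshire.com (including app3, which nobody explicitly asked for) but neither the bare domain nor x.y.brookshire.com. The root.crt file is what gets distributed to clients; root.key is what must be protected, and wild.key is the one private key that would be copied to every server sharing the wildcard.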
trojan81 (author) commented:
Dave,

The internal CA cert can be rolled out to Windows workstations via GPO, so I am not too concerned about that.
Wouldn't it be a huge security concern to use a wildcard cert for everything? If it were that easy, I think a lot of organizations would not bother purchasing individual certs or SAN certs, or even go through the trouble of standing up a PKI.
Dave Howe (Software and Hardware Engineer) commented:
Not sure why that would be a security concern?

The usual reasons why sites may use an internal CA are that their internal domain may not match (I have lost track of how many sites went with the MS "example" of sitename.local, then found out that commercial CAs won't issue for .local any more), that they want to save the expense of a wildcard cert, that some software doesn't accept a wildcard at all (we had that issue with Citrix clients a few years ago), or simply that they want to issue certs with a 10-year expiry and not have to worry about cert management, ever (because it is extremely unlikely you will still be using the same servers or devices ten years from now). So there are plenty of legitimate reasons not to use a wildcard, but security really isn't one of them :D
trojan81 (author) commented:
Thanks, Dave!