kiwistag asked:
Inhouse SSL Cert server (domain.local)
We have some network equipment inside our network (on private IPs) which we log into often enough that we want to get rid of the SSL error warnings by putting a trusted certificate on them.
It's been years since I last did it with Windows Server 2003/AD. I remember that a root CA needs to be set up and that any computers accessing the signed child certs need the trusted root CA cert installed.
For our routers and anything public we have Let's Encrypt, issued via Linux; however, obviously we can't do this internally (too messy having a FQDN for internal IPs).
Any info pointing to what could assist us would be appreciated.
ASKER
Hi David.
So can we do it with domain.local rather than domain.net over LetsEncrypt?
Check whether Let's Encrypt followed other issuers in disabling .local issuance.
I'm with noci: you can either set up a CA on a Windows system or on a Linux system set up as a CA.
Many devices have self-generated certs that can be valid for a decade; add the certificate as trusted on first connection, and you will not see alerts until it expires.
You could use certreq to generate requests that use a subject alternative name that includes various references for hostname, hostname.domain.local, etc.
ASKER
I'm trying TinyCA; not much documentation about it now. Got the CA set up and installed it as a trusted root CA cert on my PC, however the web browsers can't link it to a trusted issuer. Still working on it.
You need to add the root certificate to all browsers by adding it to the trusted store of your system.
Some tools may have private stores (Java, to name one).
This can be done on Windows systems through group policies; I am not sure how that works, just heard about it.
ANY CA would require access to all .local domains in the world through DNS queries, i.e. none of the CAs can validate .local domains.
Also those certificates would be too easy to misuse, hence the lack of support for them.
If every private .local has a private CA then the gap is closed again.
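The steps discussed in this thread (a private root CA, a device certificate whose subject alternative name lists the short hostname, hostname.domain.local and the private IP, and a client that has imported the root into its trusted store) can be exercised end to end with OpenSSL. The script below is an added example, not code posted in the thread; the CA name, the device name sw01, the suffix domain.local and the address 10.0.0.5 are constructed for the demonstration. The `openssl verify` calls at the end stand in for what a browser does once root.crt is in its trusted store: build the chain to the root and match the typed name or IP against the SAN.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private root CA built with
# OpenSSL that issues a certificate for one internal device. All names and
# addresses below are constructed for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root key plus a self-signed root certificate. The extensions mark it as a
# CA that may only sign certificates and CRLs. root.crt is the file every
# client imports into its trusted root store; root.key never leaves the CA host.
make_root_ca() {
    cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -config "$WORK/root.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Leaf certificate for one device. Short name, FQDN and private IP all go into
# the subject alternative name, which is what browsers match on (the CN alone
# is ignored by modern clients). The leaf is explicitly CA:FALSE and limited
# to server authentication, so a stolen device key cannot mint further certs.
issue_device_cert() {
    host="$1"; domain="$2"; ip="$3"
    cat > "$WORK/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host.$domain
EOF
    cat > "$WORK/$host.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,DNS:$host.$domain,IP:$ip
authorityKeyIdentifier = keyid,issuer
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$host.cnf" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 397 -in "$WORK/$host.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# What a client that trusts root.crt would conclude: the chain builds to the
# root, and the name or IP typed into the browser appears in the SAN.
verify_chain() { openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1; }
verify_name()  { openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1; }
verify_ip()    { openssl verify -CAfile "$WORK/root.crt" -verify_ip "$2" "$WORK/$1.crt" >/dev/null 2>&1; }

# The SAN line as issued, e.g. "DNS:sw01, DNS:sw01.domain.local, IP Address:10.0.0.5".
cert_sans() {
    openssl x509 -in "$WORK/$1.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

make_root_ca
issue_device_cert sw01 domain.local 10.0.0.5
echo "CA and device cert written to $WORK"
echo "SAN: $(cert_sans sw01)"
if verify_chain sw01; then
    echo "sw01.crt chains to root.crt"
else
    echo "chain verification FAILED"; exit 1
fi
```

The device gets sw01.key and sw01.crt; clients get only root.crt. On Debian/Ubuntu that means copying it to /usr/local/share/ca-certificates/ and running update-ca-certificates; on Windows, `certutil -addstore Root root.crt` on one machine, or a GPO under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities for the whole domain. As noci notes, some software keeps its own store: Firefox only consults the OS store when security.enterprise_roots.enabled is set, and Java needs the root imported with keytool -importcert. Certificates this CA issues are trusted only by machines holding root.crt, which is exactly the property the thread describes for private .local names.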
Missed this one... apparently mail is not always delivered since somewhere in October/November.
Starting in January, LE begins support of wildcard certs, so you'll only have to generate a complex cert (listing all hosts) twice, once now + in 90 days. After that you can generate a single wildcard cert to cover all hosts on your domain.
I do this for all my hosting clients. Every internal/local IP has a hostname.