Mitigating Certificate Errors

Adam P
Hello,

We host several internal sites (intranet, and utility).  Oftentimes, when we access them, we get that pesky UNTRUSTED or UNSECURE warning from Chrome.  

I've set up an internal certificate server to try to authorize them, but because many of them (my intranet sites / helpdesk sites) use OpenSSL, it's not playing nice with my windows AD Certificate Services.  

Do any of you have a good procedure for how to register sites using OpenSSL to a Microsoft On-Prem Certificate server / CA?

Thank you!
Distinguished Expert 2017

Commented:
Please clarify: you can generate a CSR using openssl and submit it for signature by your Windows CA.

Are you talking about using openssl to automatically submit the CSR to the CA?

You would either use certutil or use the web interface to the CA (https://CAserver/CertSrv); here you can specify which certificate you are trying ....
If you can use a public domain name, then you could use DNS-01 letsencrypt certificates.

Alternatively, you could use IIS to create the domain certificate, then export the certificate as a pfx, then use openssl to export the certificate to whatever format certificate your internal sites require.
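The openssl side of both routes in this answer (a CSR to hand to the Windows CA via certutil or the /CertSrv page, and splitting an IIS-exported .pfx back into PEM files), written up as an added example that is not from the thread. It assumes OpenSSL 1.1.1 or newer (for `-addext`) and uses intranet.corp.example as a placeholder hostname.

```shell
#!/bin/sh
# Added example, not from the thread: openssl helpers for an internal site
# whose certificate is issued by a Windows CA. Placeholder hostname:
# intranet.corp.example. Requires OpenSSL 1.1.1+ for -addext.
set -eu

# make_csr HOST OUTDIR -> writes OUTDIR/HOST.key and OUTDIR/HOST.csr.
# The CSR carries a subjectAltName because Chrome ignores the CN and
# flags a certificate that names the host only there.
make_csr() {
  host=$1; dir=$2
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# csr_has_san CSR HOST -> 0 if DNS:HOST appears in the CSR's SAN extension
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# chain_ok CAFILE CERT -> 0 if CERT chains to the CA root in CAFILE.
# Run this on the Linux box before installing: if it fails here, the
# browser warning is a trust-store problem, not a Chrome quirk.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# pfx_to_pem FILE.pfx PASSWORD OUTDIR -> splits an IIS-exported .pfx into
# OUTDIR/cert.pem and OUTDIR/key.pem, the form most Linux web servers want
pfx_to_pem() {
  mkdir -p "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/cert.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.pem"
}
```

The issued certificate comes back from the CA as DER or PEM; `openssl x509 -inform der -in site.cer -out site.pem` converts it if needed before `chain_ok`.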
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
As ArneLovius suggested, using https://LetsEncrypt.org free certs resolves all these problems.

Certs are set up once + forget, as a simple CRON job renews them.

And the certbot-auto script can fire any type of post-hook scripts to push certs anywhere + restart any software using certs, after certs push.

There are many other options. All will require much more thought + plumbing to get working. Also, likely manual intervention to renew certs + issuance chain (in case of private CA) at expiration point.
Jeff Glover, Sr. Systems Administrator

Commented:
Is your internal CA an Enterprise Root CA? As a matter of fact, are your clients Windows clients? If you have all the certs and keys correctly installed in your Web or Utility server, then make sure the Root CA cert is added to the clients as a Trusted Root Certificate. In AD, this will happen automatically. If you have a Standalone CA, you need to do this manually (you can do it via Group Policy with Windows; I imagine you can script it in Linux).
Architect
Distinguished Expert 2018
Commented:
I believe you are converting Windows CA certificates to PEM or any other format which Linux may understand.

You need the internal CA root certificate to be trusted on the Linux servers to get rid of the untrusted errors.

On Chrome specifically, if your internal CA is signed with the SHA1 algorithm and/or if it's handing out certificates with the SHA1 algorithm, it pops out an error.
In that case you need to either migrate the CA to SHA2 or set up a new CA with a SHA2-based algorithm.
