Adam P asked:
Mitigating Certificate Errors

Hello,

We host several internal sites (intranet, and utility).  Oftentimes, when we access them, we get that pesky UNTRUSTED or UNSECURE warning from Chrome.  

I've set up an internal certificate server to try to authorize them, but because many of them (my intranet sites / helpdesk sites) use OpenSSL, it's not playing nice with my windows AD Certificate Services.  

Do any of you have a good procedure for how to register sites using OpenSSL to a Microsoft On-Prem Certificate server / CA?

Thank you!
arnold

Please clarify: you can generate a CSR using openssl and submit it for signature by your Windows CA.

Are you talking about using openssl to automatically submit the CSR to the CA?

You would either use the certutil or use the web interface to the CA
https://CAserver/CertSrv
here you can specify which certificate you are trying ....
If you can use a public domain name, then you could use DNS-01 letsencrypt certificates.

Alternatively, you could use IIS to create the domain certificate, then export the certificate as a pfx, then use openssl to export the certificate to whatever format certificate your internal sites require.
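The CSR route arnold describes, as an added worked example (this is not code from any poster on this thread, and the hostnames, the CA config string `ca01.corp.example\Corp-Issuing-CA`, the template name `WebServer` and all file names are placeholders you would replace with your own). The Linux side is a real script; the Windows-side `certreq`/`certutil` commands are shown as comments because they run on the CA, not on the web server. It also covers the PFX-from-IIS alternative and a final check that the issued cert matches the key and chains to the root your clients trust.

```shell
#!/bin/sh
# Added example (not from the thread): request a server cert for an
# OpenSSL-based site from a Windows AD CS CA via a CSR, convert what the CA
# returns, and sanity-check it. Placeholders: intranet.corp.example,
# "ca01.corp.example\Corp-Issuing-CA", template "WebServer".
set -eu

# Step 1 (on the web server): private key + CSR listing every hostname as a
# SAN. Chrome ignores the CN and only matches subjectAltName, so a CSR without
# SANs still produces the "not secure" warning even when a trusted CA signs it.
make_csr() {
    host="$1"; shift                       # primary name: CN and first SAN
    key="$host.key"; csr="$host.csr"; cnf="$host.cnf"
    sans="DNS:$host"
    for alias in "$@"; do sans="$sans,DNS:$alias"; done
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = $sans
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -config "$cnf"
    chmod 600 "$key"                       # the private key never leaves this host
    echo "$csr"
}

# Step 2 (on the CA, or any domain-joined Windows host with the CSR copied
# over). Reference only; these are not executed by this script:
#   certreq -submit -config "ca01.corp.example\Corp-Issuing-CA" ^
#       -attrib "CertificateTemplate:WebServer" intranet.corp.example.csr intranet.corp.example.cer
#   If the template requires manager approval the request stays pending; after
#   approval in certsrv.msc fetch it by request ID:
#   certreq -retrieve -config "ca01.corp.example\Corp-Issuing-CA" <RequestId> intranet.corp.example.cer
#   Export the issuing chain and the root for the checks below:
#   certutil -config "ca01.corp.example\Corp-Issuing-CA" -ca.chain chain.p7b
#   certutil -config "ca01.corp.example\Corp-Issuing-CA" -ca.cert issuing.cer

# Step 3 (back on the web server): normalise the CA's output to PEM. AD CS
# hands back DER or Base64, as a single cert (.cer) or a PKCS#7 bundle (.p7b);
# try PEM first and fall back to DER.
to_pem() {
    src="$1"; out="$2"
    case "$src" in
        *.p7b) openssl pkcs7 -print_certs -in "$src" -out "$out" 2>/dev/null \
            || openssl pkcs7 -print_certs -inform DER -in "$src" -out "$out" ;;
        *)     openssl x509 -in "$src" -out "$out" 2>/dev/null \
            || openssl x509 -inform DER -in "$src" -out "$out" ;;
    esac
}

# Step 4: the leaf must carry the public key of our private key, and must
# chain to the root the clients trust (for an enterprise CA, the root AD
# pushes to domain members). Untrusted intermediates go in -untrusted.
check_cert() {
    leaf="$1"; key="$2"; chain="$3"; root="$4"
    [ "$(openssl x509 -noout -pubkey -in "$leaf")" = "$(openssl pkey -pubout -in "$key")" ] \
        || { echo "private key does not match $leaf" >&2; return 1; }
    openssl verify -CAfile "$root" -untrusted "$chain" "$leaf"
}

# The IIS alternative: cert created in IIS, exported as PFX, split with openssl
# into the PEM pieces most Linux services expect. Prompts for the PFX password
# unless you add -passin.
pfx_to_pem() {
    pfx="$1"; base="${pfx%.pfx}"
    openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$base.key"
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$base.crt"
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -out "$base-chain.crt"
    chmod 600 "$base.key"
}

# Usage: sh adcs-csr.sh intranet.corp.example helpdesk.corp.example
if [ $# -gt 0 ]; then make_csr "$@"; fi
```

If `openssl verify` in step 4 fails with "unable to get local issuer certificate", the web server is fine but the client-side trust is not: that is the point the Enterprise-vs-standalone CA reply on this thread makes, and the fix is distributing the root, not re-issuing the cert.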
As ArneLovius suggested, using https://LetsEncrypt.org free certs resolves all these problems.

Certs are set up once + forget, as a simple CRON job renews them.

And the certbot-auto script can fire any type of post-hook scripts to push certs anywhere + restart any software using certs, after certs push.

There are many other options. All will require much more thought + plumbing to get working. Also, likely manual intervention to renew certs + issuance chain (in case of private CA) at expiration point.
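A deploy hook of the kind the reply above describes, as an added example (not the poster's code, and not certbot's own): certbot sets `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory) and `RENEWED_DOMAINS` (the names on the renewed cert) before running anything in `/etc/letsencrypt/renewal-hooks/deploy/`, and this script uses them to push the new cert to one OpenSSL-based intranet service and reload it. The site name, destination directory, reload command and the `--dns-<plugin>` in the comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that installs a
# renewed cert for an intranet service and reloads it. Drop it in
# /etc/letsencrypt/renewal-hooks/deploy/ or register it once with
#   certbot certonly --dns-<plugin> -d intranet.corp.example \
#       --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/intranet.sh
# SITE, DEST and RELOAD below are placeholders.
set -eu

SITE="${SITE:-intranet.corp.example}"          # the cert this hook owns
DEST="${DEST:-/etc/ssl/intranet}"              # where the service reads its PEMs
RELOAD="${RELOAD:-systemctl reload nginx}"     # makes the service re-read them

# Return 0 if the space-separated list $2 contains the name $1.
has_domain() {
    for d in $2; do [ "$d" = "$1" ] && return 0; done
    return 1
}

# Copy fullchain/privkey from the lineage dir into $dest and reload the
# service. The key is written under umask 077 so it is never world-readable,
# and both files go in under a temp name and are renamed, so a reload that
# races the copy never sees a half-written file.
deploy() {
    lineage="$1"; dest="$2"; reload="$3"
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    ( umask 077; cp "$lineage/privkey.pem" "$dest/privkey.pem.tmp" )
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    sh -c "$reload"
}

# Entry point when certbot invokes the hook: several certs can renew on one
# box, so only act when the renewed lineage is the one this hook owns.
main() {
    lineage="${RENEWED_LINEAGE:-}"; domains="${RENEWED_DOMAINS:-}"
    if [ -n "$lineage" ] && has_domain "$SITE" "$domains"; then
        deploy "$lineage" "$DEST" "$RELOAD"
    fi
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Because `deploy` refuses to run on an empty or missing `privkey.pem`, a broken renewal leaves the previous working cert in place rather than taking the site down; check `/var/log/letsencrypt/letsencrypt.log` when the hook reports a missing file.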
Is your internal CA an Enterprise Root CA? As a matter of fact, are your clients Windows clients? If you have all the certs and keys correctly installed in your Web or Utility server, then make sure the Root CA cert is added to the clients as a Trusted Root Certificate. In AD, this will happen automatically. If you have a Standalone CA, you need to do this manually (you can do it via Group Policy with Windows; I imagine you can script it in Linux).
ASKER CERTIFIED SOLUTION
Mahesh