Internal websites issue warning 'your connection is not private' certauthorityerror
I have a rather silly question, but since I have not done this before I need to ask. LOL
We have a number of INTERNAL appliances and websites that complain (see screenshot) that the website is NOT secure, and this is becoming an annoyance to users (having to click through to Advanced to bypass the warning). My understanding is that to mitigate this I have to bring up an internal Root Certificate Authority installed on a server (2016), a member server and not a DC, as well as set a GPO to push it out to clients. Does that sound about right? If yes, can anyone kindly comment on how they did it (SHA256 I assume, 5-year validity, etc.), perhaps point to some decent articles, and point out any obvious gotchas that those who tried it experienced. Very much appreciated. Thank you.
CERTerror.jpg
ASKER
Thanks, but either way I will need ADCS running on a member server to handle the certificate, right?
If it's for internal sites/appliances, just deploy Certificate Services?
No, if you go with the known CA, you will not need to deploy ADCS, and you will not need to distribute root CAs to all your users.
-Sam
ASKER
Yes, it is for internal websites and appliance landing pages, e.g. proxy, VMware, etc. Thanks.
ASKER
Any security risks going with a well-known CA for internal only? Cheers.
ASKER
Thanks Sam - appreciate all insights.
What is the likelihood of that happening, realistically?
Would it be in line with best (reasonable) practice?
I mean, unless we are targeted by a hacker consortium that really wants to get in, in which case we likely can only stop them if we turn everything off, wrap it in plastic, stick it in the basement and flood the entire area. LOL
Extremely unlikely to hack an SSL certificate, as long as you guard the private key.
I am not aware of any instances where one was hacked.
I use wildcards for most of my clients, as it makes deployments (mostly of Citrix) much easier.
ASKER
Excellent, thank you, and I am assuming that the well-known CA has steps to add this to our AD.
Will investigate this option :-)
ASKER
Thank you, everyone.
server1.yourdomain.com
server2.yourdomain.com
etc.
Then, if your users enter https://server2.yourdomain.com, they would not get the error, as the root certificates for known CAs are already on their machines. You will probably also need to install an intermediate CA certificate on the servers as well.
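As an added example (not code from the thread or from any of its participants), the following POSIX shell script uses openssl to stand up a throwaway version of the internal PKI the question describes (a SHA-256 root with 5-year validity, an issuing CA under it, and a certificate with a subjectAltName for server2.yourdomain.com, the host name used above) and then runs openssl verify under the trust setups discussed in the thread: root never deployed to the client, root deployed but the server sending only its own certificate (the intermediate gotcha Sam mentions), the full chain, and a host-name mismatch. The CA names, the file layout under a temp directory, and having OpenSSL 1.1.1 or later on PATH are assumptions; the script does not touch any real trust store, GPO or ADCS.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway internal PKI
# with openssl (root -> issuing CA -> server cert) and reports which trust
# configurations let "openssl verify" accept the server certificate.
# CA names, the temp directory layout and OpenSSL >= 1.1.1 are assumptions.
set -eu
WORK="${PKI_WORK:-$(mktemp -d)}"

# Extension profiles in our own file, so nothing depends on /etc/ssl/openssl.cnf.
write_config() {
  cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# Browsers match the host name against subjectAltName only; a CN-only cert still warns.
subjectAltName = DNS:server2.yourdomain.com
EOF
}

# Self-signed root: SHA-256 and 5-year validity, the parameters the question floats.
make_root() {   # $1 file stem, $2 common name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -config "$WORK/ext.cnf" -extensions ca_ext -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Certificate issued by an existing CA (CSR, then sign it with the issuer's key).
issue() {       # $1 stem, $2 common name, $3 issuer stem, $4 extension section, $5 days
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ext.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days "$5" -in "$WORK/$1.csr" \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions "$4" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  write_config
  make_root root   "YourDomain Internal Root CA"    # what the GPO would push out
  make_root public "Unrelated Root (stand-in)"      # stands in for the roots already on clients
  issue issuing "YourDomain Issuing CA"  root    ca_ext     1825
  issue server  "server2.yourdomain.com" issuing server_ext 365
}

# Does a client trusting only $1 accept server.crt when the server sends the
# intermediate in $2 (empty = leaf only) and the URL host is $3?
check() {
  if [ -n "$2" ]; then
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" \
      -verify_hostname "$3" "$WORK/server.crt" >/dev/null 2>&1
  else
    openssl verify -no-CApath -CAfile "$1" \
      -verify_hostname "$3" "$WORK/server.crt" >/dev/null 2>&1
  fi
}

# Prints OK when the browser would connect silently, FAIL when it would show
# "your connection is not private".
scenario() {
  case "$1" in
    no-root)         anchor=public; chain="$WORK/issuing.crt"; host=server2.yourdomain.com ;;
    no-intermediate) anchor=root;   chain="";                  host=server2.yourdomain.com ;;
    full-chain)      anchor=root;   chain="$WORK/issuing.crt"; host=server2.yourdomain.com ;;
    wrong-name)      anchor=root;   chain="$WORK/issuing.crt"; host=server1.yourdomain.com ;;
    *) echo "unknown scenario: $1" >&2; return 2 ;;
  esac
  if check "$WORK/$anchor.crt" "$chain" "$host"; then echo OK; else echo FAIL; fi
}

build_pki
for s in no-root no-intermediate full-chain wrong-name; do
  printf '%-16s %s\n' "$s" "$(scenario "$s")"
done
```

Running it prints one OK/FAIL line per scenario; only full-chain passes. The no-intermediate case is the one that bites people after the GPO rollout: the root is trusted, but the web server or appliance serves only its own certificate, so a client that has never seen the issuing CA cannot build the chain. For an internal ADCS deployment the fix is the same as Sam describes for a public CA: install the issuing CA certificate on the server or appliance alongside the leaf. The wrong-name case is the other common source of the warning: a certificate that chains correctly but whose subjectAltName does not match the name in the URL.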