  • Locked thread
KennyG
Oct 22, 2002
Here to blow my own horn.
Obviously certificates are becoming more important as things like heartbleed and other items have made verifying your communication partner more and more important.

I am trying to improve my internal/external security posture without buying 300 certs for $$$$$. I have a *.company.com cert for external operations but our internal domain is a *.company.local. Our CA will not issue wildcard certs on domains I don't "own". They will however issue me servername.company.local. This is where the 300 certs thing comes in. I do have a CA in my domain but I have external users who trust my CA (DigiCert) but not my internal CA. Is there a way I can sign my CA with my public cert identifying it to issue certificates within my domain - effectively making a private wildcard?

As I think about this it seems unlikely, but I'd like to figure out a way to get globally valid certs on my internal domain. Thoughts? Please help security goons.

thebigcow
Jan 3, 2001

Bully!
I thought no one was going to be issuing .local certs anymore. Microsoft had a big Technet article on it and how to run a split DNS setup.

If you are running Active Directory you can make your own in office CA and force everything on the domain to recognize it. I've never done this and understand it to be a major undertaking if you don't know what you are doing but the benefits are obvious. If you are running something else then idk.

KS
Jun 10, 2003
Outrageous Lumpwad
Yeah, that's intentionally supposed to be not possible anymore, so the question is probably what you're trying to accomplish. Why would external users be hitting an internal domain name?

KennyG
Oct 22, 2002
Here to blow my own horn.
.local certainly is still a thing. It may not be recommended but it still is possible to create one and there are lots of them still floating out there. It may be easier at this point to rename my domain but that also makes me really really really nervous as it will certainly break a lot of stuff. If I could go back in time I would do it differently but I can't so...

The biggest issue is that I deploy remoteapp as part of our line of business that are consumed by people who aren't a part of our AD and do not have local permission to accept our root CA. This causes issues when they ultimately connect to our farm.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

KennyG posted:

The biggest issue is that I deploy remoteapp as part of our line of business that are consumed by people who aren't a part of our AD and do not have local permission to accept our root CA. This causes issues when they ultimately connect to our farm.
I know nothing about remoteapp, but isn't there some kind of external gateway that proxies the requests? Similar to the Access Gateway or Netscaler from Citrix.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Signing your internal CA with an external CA that is trusted by default by most computers is something you don't have the resources to do. It's technically possible, but very difficult. There are a few companies like GlobalSign that will do it, but look at the details.

https://www.globalsign.eu/certificate-authority-root-signing/


I don't have all the links handy, but basically you need to rename your RDS setup with the external name for everyone and install external certs. I'm guessing you're using RDS Gateway for external access? Or something else? Is this a 2008 or 2012 setup?

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
I've seen a number of companies create their own internal certificate, and push them out via corporate deployment software to be a Trusted Certificate. Internal, company-managed machines / virtual machines will happily use them. External machines--such as those used by consultants and contractors--will throw unknown certificate errors, unless you provide them the public certificate files to load.
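The behaviour Ynglaur describes, as an added example that is not from the thread: a throwaway PKI built with the openssl CLI (assumed to be installed) shows the same server certificate being accepted by a client that holds the internal root and rejected by one that does not. "Example Corp" and rds01.company.local are constructed placeholder names.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI built with the openssl
# CLI to show why a certificate from an in-house CA is accepted by machines
# that have been given that CA's root and rejected by machines that have not.
# "Example Corp" and rds01.company.local are constructed placeholder names.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. Internal root CA: self-signed, like the one an AD admin would stand up.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Corp Internal Root CA" \
  -keyout root.key -out root.pem >/dev/null 2>&1

# 2. Server certificate for an internal RDS host, issued by that root,
#    with the hostname in subjectAltName (what modern clients match on).
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=rds01.company.local" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
printf 'subjectAltName=DNS:rds01.company.local\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# 3. Emulate a client's chain validation. $1 is the client's trust store
#    (a PEM bundle); an empty string means "no internal root installed".
#    Returns 0 when leaf.pem chains to a trusted root, non-zero otherwise.
verify_as_client() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
  else
    # Ignore the system store too, so the result does not depend on
    # whatever public roots the machine running this happens to ship with.
    openssl verify -no-CAfile -no-CApath leaf.pem >/dev/null 2>&1
  fi
}

# Domain-joined PC: Group Policy pushed root.pem into Trusted Root CAs.
verify_as_client root.pem && echo "domain member: rds01.company.local trusted"
# Contractor laptop: never received root.pem, so the same cert is rejected.
verify_as_client "" || echo "external client: rds01.company.local NOT trusted"
```

Handing the contractor root.pem to import (Ynglaur's "provide them the public certificate files") is exactly what turns the second result into the first; nothing about the server certificate changes.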

KS
Jun 10, 2003
Outrageous Lumpwad

KennyG posted:

.local certainly is still a thing. It may not be recommended but it still is possible to create one and there are lots of them still floating out there. It may be easier at this point to rename my domain but that also makes me really really really nervous as it will certainly break a lot of stuff. If I could go back in time I would do it differently but I can't so...

The biggest issue is that I deploy remoteapp as part of our line of business that are consumed by people who aren't a part of our AD and do not have local permission to accept our root CA. This causes issues when they ultimately connect to our farm.

.local is still a thing, but certificates for .local are rapidly becoming not a thing. CAs are not allowed to issue certs with expirations after Nov 1 2015, and will revoke all .local certs by Oct 1 2016.

Putting the Microsoft TS gateway role in front of your farm with an external URL would solve your problem.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

KS posted:

.local is still a thing, but certificates for .local are rapidly becoming not a thing. CAs are not allowed to issue certs with expirations after Nov 1 2015, and will revoke all .local certs by Oct 1 2016.

Putting the Microsoft TS gateway role in front of your farm with an external URL would solve your problem.
Private, internal CAs can still issue .local certificates. PUBLIC CAs cannot.

Zhiwau
Sep 13, 2005
Wouldn't everything look more dull without this message?
Guys please help me... We're ordering a qualified (EU, third-party) certificate for each of our coworkers (100+). So the plan is to link one certificate to each roaming profile. I get that this is a function of AD but the technet guides say that I'm supposed to link the .cer file and it seems to me that a much more healthy option would be to import them all into some sort of store and then link profiles to certificates in the store. Does Windows server allow me to do that?

Sorry if this seems stupid...

Zhiwau fucked around with this message at 15:35 on Dec 2, 2014

Bitch Stewie
Dec 17, 2011
Where do Verisign come into this?

Maneki Neko
Oct 27, 2000

Bitch Stewie posted:

Where do Verisign come into this?

I'm assuming it's just the standard "verisign can eat a bag of dicks" rule, not sure anyone ever needed a reason for that!
