Obviously certificates are becoming more important as things like Heartbleed and other items have made verifying your communication partner more and more important. I am trying to improve my internal/external security posture without buying 300 certs for $$$$$. I have a *.company.com cert for external operations but our internal domain is a *.company.local. Our CA will not issue wildcard certs on domains I don't "own". They will, however, issue me servername.company.local. This is where the 300 certs thing comes in. I do have a CA in my domain but I have external users who trust my CA (DigiCert) but not my internal CA. Is there a way I can sign my CA with my public cert identifying it to issue certificates within my domain, effectively making a private wildcard? As I think about this it seems unlikely, but I'd like to figure out a way to get globally valid certs on my internal domain. Thoughts? Please help, security goons.

# ? Nov 30, 2014 06:09
|
I thought no one was going to be issuing .local certs anymore. Microsoft had a big TechNet article on it and how to run a split DNS setup. If you are running Active Directory you can make your own in-office CA and force everything on the domain to recognize it. I've never done this and understand it to be a major undertaking if you don't know what you are doing, but the benefits are obvious. If you are running something else then idk.

# ? Nov 30, 2014 07:40
|
Yeah, that's intentionally supposed to be not possible anymore, so the question is probably what you're trying to accomplish. Why would external users be hitting an internal domain name?

# ? Nov 30, 2014 08:03
|
.local certainly is still a thing. It may not be recommended but it still is possible to create one and there are lots of them still floating out there. It may be easier at this point to rename my domain but that also makes me really really really nervous as it will certainly break a lot of stuff. If I could go back in time I would do it differently but I can't so... The biggest issue is that I deploy RemoteApp as part of our line of business that is consumed by people who aren't a part of our AD and do not have local permission to accept our root CA. This causes issues when they ultimately connect to our farm.

# ? Nov 30, 2014 17:14
|
KennyG posted: The biggest issue is that I deploy RemoteApp as part of our line of business that is consumed by people who aren't a part of our AD and do not have local permission to accept our root CA. This causes issues when they ultimately connect to our farm.

# ? Nov 30, 2014 17:56
|
Signing your internal CA with an external CA that is trusted by default by most computers is something you don't have the resources to do. It's technically possible, but very difficult. There are a few companies like GlobalSign that will do it, but look at the details. https://www.globalsign.eu/certificate-authority-root-signing/ I don't have all the links handy, but basically you need to rename your RDS setup with the external name for everyone and install external certs. I'm guessing you're using RDS Gateway for external access? Or something else? Is this a 2008 or 2012 setup?

# ? Nov 30, 2014 18:28
|
I've seen a number of companies create their own internal certificate, and push them out via corporate deployment software to be a Trusted Certificate. Internal, company-managed machines / virtual machines will happily use them. External machines--such as those used by consultants and contractors--will throw unknown certificate errors, unless you provide them the public certificate files to load.

# ? Dec 2, 2014 00:05
|
KennyG posted: .local certainly is still a thing. It may not be recommended but it still is possible to create one and there are lots of them still floating out there. It may be easier at this point to rename my domain but that also makes me really really really nervous as it will certainly break a lot of stuff. If I could go back in time I would do it differently but I can't so...

.local is still a thing, but certificates for .local are rapidly becoming not a thing. CAs are not allowed to issue certs with expirations after Nov 1 2015, and will revoke all .local certs by Oct 1 2016. Putting the Microsoft TS Gateway role in front of your farm with an external URL would solve your problem.

# ? Dec 2, 2014 00:23
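KS's rule above (no public certs for .local or other internal names expiring after Nov 1 2015) and the thread's wildcard question, as an added example that is not from the thread: a stdlib-only Python check of a planned SAN list, plus what a *.company.com wildcard actually covers for a gateway name. The suffix list beyond .local, the sample hostnames and the function names are assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Cut-off quoted in the thread: public CAs may no longer issue certificates
# containing internal names (such as .local) that expire after this date.
INTERNAL_NAME_CUTOFF = datetime(2015, 11, 1, tzinfo=timezone.utc)

# Suffixes a public CA cannot validate because they are not delegated from the
# public DNS root. ".local" is the thread's case; the others are assumed.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home")

def is_internal_name(name):
    """True if a public CA could not validate control of this SAN entry."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):          # judge a wildcard by its base domain
        host = host[2:]
    try:
        # IP-address SANs: only globally routable addresses are issuable.
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        pass                           # not an IP address, treat as DNS name
    if "." not in host:                # single-label name such as "fileserver"
        return True
    return host.endswith(NON_PUBLIC_SUFFIXES)

def wildcard_covers(wildcard, name):
    """TLS wildcard rule: '*' matches exactly one left-most label, nothing more."""
    wildcard, name = wildcard.lower(), name.lower()
    if not wildcard.startswith("*."):
        return wildcard == name
    suffix = wildcard[1:]              # "*.company.com" -> ".company.com"
    label = name[:-len(suffix)] if name.endswith(suffix) else ""
    return label != "" and "." not in label

def audit_san_list(sans, not_after):
    """Return (publicly_issuable, problems) for a planned certificate."""
    internal = [n for n in sans if is_internal_name(n)]
    if internal and not_after > INTERNAL_NAME_CUTOFF:
        return False, ["%s is an internal name; expiry %s is after the %s cut-off"
                       % (n, not_after.date(), INTERNAL_NAME_CUTOFF.date()) for n in internal]
    return True, []

if __name__ == "__main__":
    # Constructed sample: the poster's farm name versus an external gateway name.
    two_years_out = datetime(2016, 11, 30, tzinfo=timezone.utc)
    print(audit_san_list(["rdsfarm.company.local", "rdsfarm"], two_years_out))
    print(audit_san_list(["rdgateway.company.com"], two_years_out))
    print(wildcard_covers("*.company.com", "rdgateway.company.com"))   # True
    print(wildcard_covers("*.company.com", "rds.farm.company.com"))    # False
```

The last two calls show why a gateway has to sit directly under the wildcard's domain: a *.company.com cert does not cover a host two labels down.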
|
KS posted: .local is still a thing, but certificates for .local are rapidly becoming not a thing. CAs are not allowed to issue certs with expirations after Nov 1 2015, and will revoke all .local certs by Oct 1 2016.

# ? Dec 2, 2014 01:04
|
Guys, please help me... We're ordering a qualified (EU, third-party) certificate for each of our coworkers (100+). So the plan is to link one certificate to each roaming profile. I get that this is a function of AD but the TechNet guides say that I'm supposed to link the .cer file, and it seems to me that a much healthier option would be to import them all into some sort of store and then link profiles to certificates in the store. Does Windows Server allow me to do that? Sorry if this seems stupid...

Zhiwau fucked around with this message at 15:35 on Dec 2, 2014

# ? Dec 2, 2014 15:26
|
Where do Verisign come into this?

# ? Dec 2, 2014 16:41

Bitch Stewie posted: Where do Verisign come into this?

I'm assuming it's just the standard "verisign can eat a bag of dicks" rule, not sure anyone ever needed a reason for that!

# ? Dec 2, 2014 19:49