Enable HTTPS on a private network
My company is creating presentation software. When in use, presenters sign on through an HTTPS-enabled web site to send text, documents, authentication tokens, etc.
How do I enable HTTPS communication when:
- There is only a dynamic internal IPv4 (196.168.0.x) address and some IPv6 address.
- The web site might be an internal-only site. (https://letsencrypt.org/ can't reach it.)
- No manual steps allowed. The customer installs the software and it is good to go.
For those interested, I'm using the C# control Httplistener and PowerShell.
Some of my research:
- Httplistener with HTTPS support
- How To Enable HTTPS🔒 On Your Website For Free
- How to get HTTPS: Setting up SSL on your website
- Generate self-signed certificate on the fly
http-server
TLS certificates are almost exclusively assigned to host names and not to IP addresses. It does not matter that a host has only a private-use IPv4 address; as long as you are the legitimate owner / delegated admin of the domain you can get a valid certificate. Also, most larger organizations have their own CA and should be able to issue your hosts valid internal-use certificates.
– HBruijn
yesterday
3 Answers
If your internal domain name matches an external domain name (e.g. sales.corp.example.com) you can still get a certificate from most public CAs, as they will accept ownership of example.com assuming whoever owns admin@example.com/webmaster@example.com/whatever is happy to approve your certificate request. The site itself does not need to be accessible over the internet. There are other providers that implement Let's Encrypt's ACME protocol so if you can't abide by their requirements you may still be able to use the same protocol with a different provider.
If no part of your internal domain is publicly resolvable (e.g. you used a fake TLD like sales.corp.example.local), then your only option is to use an internal CA.
If you want to use an internal CA to sign your certificates, then you'll need to install that CA as a trusted provider on all your devices. And if you want to do this "properly" then it's a fairly extensive thing to set up (typically you have a root CA that lives offline that signs a subordinate CA that actually signs your certificates). You'll need processes in place to rotate the root certificates when they come up for expiry and a way to distribute them (if you're fully integrated on a Windows domain with no Linux devices, this is actually not that hard).
Once upon a time it was possible to go to a CA and ask them to issue a certificate for an internal domain and go through a lengthy and expensive validation procedure; however, new procedures introduced on 1st July 2012 banned any CA from issuing any certificate containing an internal common name from 2015, and required existing certificates to be revoked by 2016. So unless you have a time machine that's not going to happen.
As an aside:
The customer installs the software and it is good to go
That's highly unlikely to ever happen. I've installed a lot of enterprise software over the years, and TLS configuration is something that I have always had to do by hand. There's a bunch of reasons why you cannot assume you can configure certificates automagically:
- Customer may not have internet access from the host so you can't contact an external authority
- Customer may have a very restricted list of approved CAs, and you have to have a certificate issued by them
- Customer may require auditing of all certificates being issued for internal hostnames
In fact if your appliance was on my network with an automatically configured, valid, trusted SSL certificate out of the box I would be extremely suspicious. There are plenty of appliances that allow you to one-click configure Let's Encrypt but it is never, ever a default. It is always opt in.
answered 20 hours ago (edited 20 hours ago)
Mark Henderson♦
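HBruijn's point that certificates are bound to host names rather than IP addresses, and this answer's distinction between sales.corp.example.com and a non-resolvable sales.corp.example.local, are easiest to see in the name check a TLS client performs. The following is an added Python example, not code from the question, the comment or the answers; the host names are the thread's own, the wildcard matches the next answer's *.present.example.com, and the address 192.168.0.5 is a constructed sample.

```python
# Added illustration (not code from the question, the comment or the answer):
# server-name matching as a TLS client performs it, following RFC 6125 / RFC 2818.
import ipaddress
from typing import Iterable, Tuple


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry (possibly a wildcard) against a host name.

    The wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.present.example.com matches
    deck.present.example.com but neither present.example.com nor
    a.b.present.example.com.  Comparison is case-insensitive and a
    trailing dot is ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards (f*.example.com), wildcards deeper than the
    # left-most label, and over-broad forms such as *.com.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches(san_dns: Iterable[str], san_ip: Iterable[str], reference: str) -> bool:
    """Return True when a certificate carrying these SAN entries is valid
    for the name or IP literal the client connected to.

    An IP literal is compared only with iPAddress SAN entries and never with
    dNSName entries, which is why a certificate issued for
    sales.corp.example.com says nothing about https://192.168.0.5/.
    """
    try:
        wanted = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        wanted = None
    if wanted is not None:
        return any(ipaddress.ip_address(ip) == wanted for ip in san_ip)
    return any(_dns_name_matches(p, reference) for p in san_dns)


def demo() -> Tuple[bool, ...]:
    """Constructed checks using the names from this thread."""
    corp = ["sales.corp.example.com"]
    wild = ["*.present.example.com"]
    return (
        cert_matches(corp, [], "sales.corp.example.com"),    # True
        cert_matches(corp, [], "192.168.0.5"),               # False: no iPAddress SAN
        cert_matches(corp, [], "sales.corp.example.local"),  # False: different name
        cert_matches(wild, [], "deck.present.example.com"),  # True
        cert_matches(wild, [], "present.example.com"),       # False: wildcard is one label
        cert_matches(wild, [], "a.b.present.example.com"),   # False: wildcard is one label
    )


if __name__ == "__main__":
    print(demo())
```

An internal CA can put a private address in an iPAddress SAN, which is exactly what public CAs stopped issuing; the check itself treats both the same way.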
No manual steps allowed. The customer installs the software and it is good to go.
If you do not control end user devices, no additional steps means you must use a CA already in their root certificate stores (OS or browser). The customer's internal PKI could sign your certificates, but that assumes they have one, and it won't work for unmanaged devices. Which leaves a well-known "public" CA.
The web site might be an internal-only site. (https://letsencrypt.org/ can't reach it.)
Ownership challenges need not be from the host that gets the certificate. You mentioned Let's Encrypt; their DNS challenge can be done from any Internet-visible DNS, including wildcards, so you can issue *.present.example.com.
answered 20 hours ago
John Mahowald
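To make the DNS-challenge route concrete, here is an added Python example (not code from the answer or from any ACME client) that derives the `_acme-challenge` TXT record for a wildcard order as RFC 8555 section 8.4 describes, with the RFC 7638 account-key thumbprint it depends on; the account key JWK and the tokens are constructed samples, not real values.

```python
# Added illustration (not code from the answer): the DNS-01 material an ACME
# client publishes, per RFC 8555 section 8.4 and RFC 7638.  The account key
# below is a constructed sample with a nonsense modulus, not a real key.
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialized with sorted keys and no whitespace.  Optional members such
    as "kid" or "use" must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps(
        {k: jwk[k] for k in required[jwk["kty"]]},
        sort_keys=True, separators=(",", ":"),
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(account key): what every ACME challenge type proves."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """Return the (owner name, TXT value) pair to publish for DNS-01.

    The TXT value is base64url(SHA-256(key authorization)).  For a wildcard
    identifier such as *.present.example.com the record lives at the base
    name, so one _acme-challenge.present.example.com record satisfies the
    wildcard order and the web server itself is never contacted.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


# Constructed sample account key (RSA-shaped JWK, not a usable key).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "kid": "https://acme.example/acct/123",  # optional member, ignored by the thumbprint
}


if __name__ == "__main__":
    # Constructed token; a real one comes from the CA's challenge object.
    name, value = dns01_record("*.present.example.com", "constructed-token-0001", SAMPLE_ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
```

The zone that holds present.example.com must be Internet-visible and updatable by the software (or its API credentials), which is the real operational requirement behind "no manual steps".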
In my company we've got multiple intranet-only web sites.
Due to recent/current browser policy changes we've been setting them up with HTTPS/TLS support.
As these sites are for internal use only, we decided to set up an in-house certificate authority using the Microsoft Active Directory Certificate Authority (MS AD CA) service.
Additionally, we're using [Company Name].local URLs for the websites.
Using the AD CA service we created a RootCA certificate, which gets distributed to all domain-connected systems via the domain controller.
Using the AD CA service we are then able to issue certificates for the various internal websites and devices with web interfaces.
We then use the Active Directory DNS service to set up the [Company Name].local domain to assign the correct IP addresses to the correct URLs, as the internal AD DNS is the primary DNS for our network.
The only issue we've had with this approach is the fact that the Firefox browser doesn't use the Windows certificate store and needs to have the created RootCA certificate imported manually.
From my limited research it does seem to be possible to automatically import the RootCA certificate into the Firefox certificate store, but due to the limited number of Firefox users we decided to go the manual approach.
Additionally, if I recall correctly, there is a feature request ticket pending with the Firefox development team to enable access to the Windows certificate store.
This seemed to us to be the most robust solution for our situation; your mileage may differ :)
For any external facing sites we use certificates from reputable sources.
yetanothercoder (new contributor)
There’s an about:config setting for Firefox that tells it to use the Windows cert store (security.enterprise_roots.enabled).
– Greg W
11 hours ago
@GregW Thanks, my latest research from a couple of months ago indicated that that was still a work in progress. Can you confirm it works correctly? If so, I can edit it into the answer.
– yetanothercoder
10 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Trevy Burgess is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f964119%2fenable-https-on-a-private-network%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
If your internal domain name matches an external domain name (e.g. sales.corp.example.com) you can still get a certificate from most public CAs, as they will accept ownership of example.com assuming whoever owns admin@example.com/webmaster@example.com/whatever is happy to approve your certificate request. The site itself does not need to be accessible over the internet. There are other providers that implement Let's Encrypt's ACME protocol so if you can't abide by their requirements you may still be able to use the same protocol with a different provider.
If no part of your internal domain is publicly resolvable (e.g. you used a fake TLD like sales.corp.example.local), then your only option is to use an internal CA.
If you want to use an internal CA to sign your certificates, then you'll need to install that CA as a trusted provider on all your devices. And if you want to do this "properly" then it's a fairly extensive thing to set up (typically you have a root CA that lives offline that signs a subordinate CA that actually signs your certificates). You'll need processes in place to rotate the root certificates when they come up for expiry and a way to distribute them (if you're fully integrated on a Windows domain with no Linux devices, this is actually not that hard).
Once upon a time it was possible to go to a CA and ask them to issue a certificate for an internal domain and go through a lengthy and expensive validation procedure, however new procedures introduced on 1st July 2012 banned any CA from issuing any certificate containing an internal common name from 2015, and revoke existing certificates by 2016. So unless you have a time machine that's not going to happen.
As an aside:
The customer installs the software and it is good to go
That's highly unlikely to ever happen. I've installed a lot of enterprise software over the years, and TLS configuration is something that I have always had to do by hand. There's a bunch of reasons why you cannot assume you can configure certificates automagically:
- Customer may not have internet access from the host so you can't contact an external authority
- Customer may have a very restricted list of approved CAs, and you have to have a certificate issued by them
- Customer may require auditing of all certificates being issued for internal hostnames
In fact if your appliance was on my network with an automatically configured, valid, trusted SSL certificate out of the box I would be extremely suspicious. There are plenty of appliances that allow you to one-click configure Let's Encrypt but it is never, ever a default. It is always opt in.
add a comment |
If your internal domain name matches an external domain name (e.g. sales.corp.example.com) you can still get a certificate from most public CAs, as they will accept ownership of example.com assuming whoever owns admin@example.com/webmaster@example.com/whatever is happy to approve your certificate request. The site itself does not need to be accessible over the internet. There are other providers that implement Let's Encrypt's ACME protocol so if you can't abide by their requirements you may still be able to use the same protocol with a different provider.
If no part of your internal domain is publicly resolvable (e.g. you used a fake TLD like sales.corp.example.local), then your only option is to use an internal CA.
If you want to use an internal CA to sign your certificates, then you'll need to install that CA as a trusted provider on all your devices. And if you want to do this "properly" then it's a fairly extensive thing to set up (typically you have a root CA that lives offline that signs a subordinate CA that actually signs your certificates). You'll need processes in place to rotate the root certificates when they come up for expiry and a way to distribute them (if you're fully integrated on a Windows domain with no Linux devices, this is actually not that hard).
Once upon a time it was possible to go to a CA and ask them to issue a certificate for an internal domain and go through a lengthy and expensive validation procedure, however new procedures introduced on 1st July 2012 banned any CA from issuing any certificate containing an internal common name from 2015, and revoke existing certificates by 2016. So unless you have a time machine that's not going to happen.
As an aside:
The customer installs the software and it is good to go
That's highly unlikely to ever happen. I've installed a lot of enterprise software over the years, and TLS configuration is something that I have always had to do by hand. There's a bunch of reasons why you cannot assume you can configure certificates automagically:
- Customer may not have internet access from the host so you can't contact an external authority
- Customer may have a very restricted list of approved CAs, and you have to have a certificate issued by them
- Customer may require auditing of all certificates being issued for internal hostnames
In fact if your appliance was on my network with an automatically configured, valid, trusted SSL certificate out of the box I would be extremely suspicious. There are plenty of appliances that allow you to one-click configure Let's Encrypt but it is never, ever a default. It is always opt in.
add a comment |
If your internal domain name matches an external domain name (e.g. sales.corp.example.com) you can still get a certificate from most public CAs, as they will accept ownership of example.com assuming whoever owns admin@example.com/webmaster@example.com/whatever is happy to approve your certificate request. The site itself does not need to be accessible over the internet. There are other providers that implement Let's Encrypt's ACME protocol so if you can't abide by their requirements you may still be able to use the same protocol with a different provider.
If no part of your internal domain is publicly resolvable (e.g. you used a fake TLD like sales.corp.example.local), then your only option is to use an internal CA.
If you want to use an internal CA to sign your certificates, then you'll need to install that CA as a trusted provider on all your devices. And if you want to do this "properly" then it's a fairly extensive thing to set up (typically you have a root CA that lives offline that signs a subordinate CA that actually signs your certificates). You'll need processes in place to rotate the root certificates when they come up for expiry and a way to distribute them (if you're fully integrated on a Windows domain with no Linux devices, this is actually not that hard).
Once upon a time it was possible to go to a CA and ask them to issue a certificate for an internal domain and go through a lengthy and expensive validation procedure, however new procedures introduced on 1st July 2012 banned any CA from issuing any certificate containing an internal common name from 2015, and revoke existing certificates by 2016. So unless you have a time machine that's not going to happen.
As an aside:
The customer installs the software and it is good to go
That's highly unlikely to ever happen. I've installed a lot of enterprise software over the years, and TLS configuration is something that I have always had to do by hand. There's a bunch of reasons why you cannot assume you can configure certificates automagically:
- Customer may not have internet access from the host so you can't contact an external authority
- Customer may have a very restricted list of approved CAs, and you have to have a certificate issued by them
- Customer may require auditing of all certificates being issued for internal hostnames
In fact if your appliance was on my network with an automatically configured, valid, trusted SSL certificate out of the box I would be extremely suspicious. There are plenty of appliances that allow you to one-click configure Let's Encrypt but it is never, ever a default. It is always opt in.
If your internal domain name matches an external domain name (e.g. sales.corp.example.com) you can still get a certificate from most public CAs, as they will accept ownership of example.com assuming whoever owns admin@example.com/webmaster@example.com/whatever is happy to approve your certificate request. The site itself does not need to be accessible over the internet. There are other providers that implement Let's Encrypt's ACME protocol so if you can't abide by their requirements you may still be able to use the same protocol with a different provider.
If no part of your internal domain is publicly resolvable (e.g. you used a fake TLD like sales.corp.example.local), then your only option is to use an internal CA.
If you want to use an internal CA to sign your certificates, then you'll need to install that CA as a trusted provider on all your devices. And if you want to do this "properly" then it's a fairly extensive thing to set up (typically you have a root CA that lives offline that signs a subordinate CA that actually signs your certificates). You'll need processes in place to rotate the root certificates when they come up for expiry and a way to distribute them (if you're fully integrated on a Windows domain with no Linux devices, this is actually not that hard).
Once upon a time it was possible to go to a CA and ask them to issue a certificate for an internal domain and go through a lengthy and expensive validation procedure, however new procedures introduced on 1st July 2012 banned any CA from issuing any certificate containing an internal common name from 2015, and revoke existing certificates by 2016. So unless you have a time machine that's not going to happen.
As an aside:
The customer installs the software and it is good to go
That's highly unlikely to ever happen. I've installed a lot of enterprise software over the years, and TLS configuration is something that I have always had to do by hand. There's a bunch of reasons why you cannot assume you can configure certificates automagically:
- Customer may not have internet access from the host so you can't contact an external authority
- Customer may have a very restricted list of approved CAs, and you have to have a certificate issued by them
- Customer may require auditing of all certificates being issued for internal hostnames
In fact if your appliance was on my network with an automatically configured, valid, trusted SSL certificate out of the box I would be extremely suspicious. There are plenty of appliances that allow you to one-click configure Let's Encrypt but it is never, ever a default. It is always opt in.
edited 20 hours ago
answered 20 hours ago
Mark Henderson♦Mark Henderson
61.4k29163248
61.4k29163248
add a comment |
add a comment |
No manual steps allowed. The customer installs the software and it is
good to go.
If you do not control end user devices, no additional steps means you must use a CA already in their root certificate stores (OS or browser). The customer's internal PKI could sign your certificates, but that assumes they have one, and it won't work for unmanaged devices. Which leaves a well-known "public" CA.
The web site might be an internal-only site. (https://letsencrypt.org/
can't reach it.)
Ownership challenges need not be from the host that gets the certificate. You mentioned Let's Encrypt, their DNS challenge can be done from any Internet visible DNS. Including wildcards, so you can issue *.present.example.com.
add a comment |
No manual steps allowed. The customer installs the software and it is
good to go.
If you do not control end user devices, no additional steps means you must use a CA already in their root certificate stores (OS or browser). The customer's internal PKI could sign your certificates, but that assumes they have one, and it won't work for unmanaged devices. Which leaves a well-known "public" CA.
The web site might be an internal-only site. (https://letsencrypt.org/
can't reach it.)
Ownership challenges need not be from the host that gets the certificate. You mentioned Let's Encrypt, their DNS challenge can be done from any Internet visible DNS. Including wildcards, so you can issue *.present.example.com.
add a comment |
No manual steps allowed. The customer installs the software and it is
good to go.
If you do not control end user devices, no additional steps means you must use a CA already in their root certificate stores (OS or browser). The customer's internal PKI could sign your certificates, but that assumes they have one, and it won't work for unmanaged devices. Which leaves a well-known "public" CA.
The web site might be an internal-only site. (https://letsencrypt.org/
can't reach it.)
Ownership challenges need not be from the host that gets the certificate. You mentioned Let's Encrypt, their DNS challenge can be done from any Internet visible DNS. Including wildcards, so you can issue *.present.example.com.
No manual steps allowed. The customer installs the software and it is
good to go.
If you do not control end user devices, no additional steps means you must use a CA already in their root certificate stores (OS or browser). The customer's internal PKI could sign your certificates, but that assumes they have one, and it won't work for unmanaged devices. Which leaves a well-known "public" CA.
The web site might be an internal-only site. (https://letsencrypt.org/
can't reach it.)
Ownership challenges need not be from the host that gets the certificate. You mentioned Let's Encrypt, their DNS challenge can be done from any Internet visible DNS. Including wildcards, so you can issue *.present.example.com.
answered 20 hours ago
John MahowaldJohn Mahowald
9,0911713
9,0911713
add a comment |
add a comment |
In my company we've got multiple Intranet-only web sites.
Due to recent/current browser policy changes we've been setting them up with HTTPS/TLS support.
As these sites are for internal use only we decided to set-up an in-house certificate authority using the Microsoft Active Directory Certificate Authority (MS AD CA) service.
Additionally we're using [Company Name].local URLs for the websites.
Using the AD CA service we created a RootCA certificate which gets distributed to all domain connected systems via the domain controller.
Using the AD CA service we are then able to issue certificates for the various internal websites and devices with web interfaces.
We then use the active directory DNS service to set-up the [Company Name].local domain to assign the correct IP-addresses to the correct URLs. As the internal AD DNS is the primary DNS for our network.
The only issue we've had with this approach is the fact that the Firefox browser doesn't use the Windows certificate store and needs to have the created RootCA certificate imported manually.
From my limited research it does seem to be possible to automatically import the RootCA certificate into the Firefox certificate store but due to the limited amount of Firefox users we decided to go the manual approach.
Additionally if I recall correctly there is a feature request ticket pending with the Firefox development team to enable access to the Windows certificate store.
This seemed to use to be to most robust solution for our situation, your mileage may differ :)
For any external facing sites we use certificates from reputable sources.
New contributor
yetanothercoder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
There’s an about:config setting for Firefox that tells it to use the Windows cert store (security.enterprise_roots.enabled).
– Greg W
11 hours ago
@GregW Thanks, my latest research from a couple of months ago indicated that, that was still a work in progress. Can you confirm it works correctly? If so, I can edit it into the answer.
– yetanothercoder
10 hours ago
answered 12 hours ago
yetanothercoder
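An added example, not part of yetanothercoder's answer, that checks on a domain-joined Windows client the three things the answer relies on: the in-house root is in the machine's Trusted Root store, an intranet site's certificate chains to that root, and the Firefox ImportEnterpriseRoots policy (the GPO counterpart of the security.enterprise_roots.enabled pref) is set. The CA subject name and host name are placeholders.

```powershell
# Added example (not the answer's own script). Placeholders: CA subject and intranet host.
param(
    [string]$RootCaSubject = 'CN=Company-Root-CA',       # placeholder: subject of the AD CS root
    [string]$IntranetHost  = 'intranet.company.local',  # placeholder: an internal HTTPS site
    [int]$Port = 443
)

# 1. Was the root CA actually pushed into the machine's Trusted Root store by GPO?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCaSubject }
if (-not $root) { Write-Warning "Root CA '$RootCaSubject' missing from LocalMachine\Root (GPO not applied?)" }
else { "Root CA found: thumbprint $($root.Thumbprint), expires $($root.NotAfter)" }

# 2. Fetch the site's leaf certificate over TLS. The callback accepts everything so the
#    handshake completes; the real validation is done explicitly with X509Chain below.
$tcp = New-Object System.Net.Sockets.TcpClient($IntranetHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($IntranetHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# Build the chain against the Windows store, including an online CRL/OCSP check so a
# revoked internal certificate or an unreachable AD CS CRL shows up in ChainStatus.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($leaf)
$nameOk  = $leaf.DnsNameList.Unicode -contains $IntranetHost   # SAN must cover the host name
$anchor  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Leaf: $($leaf.Subject); host name in SAN: $nameOk"
if ($chainOk -and $root -and $anchor.Thumbprint -eq $root.Thumbprint) {
    "Chain valid and anchored on the in-house root"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status) $($_.StatusInformation)" }
}

# 3. Firefox keeps its own store unless told to import enterprise roots; check the
#    registry value written by the Firefox ADMX policy (HKLM\SOFTWARE\Policies\Mozilla\Firefox).
$key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
$val = (Get-ItemProperty -Path $key -Name ImportEnterpriseRoots -ErrorAction SilentlyContinue).ImportEnterpriseRoots
if ($val -eq 1) { "Firefox ImportEnterpriseRoots policy is set" }
else { Write-Warning "Firefox ImportEnterpriseRoots policy not set; Firefox will not trust the AD root" }
```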
5
TLS certificates are almost exclusively assigned to host names and not to IP addresses. It does not matter that a host has only a private-use IPv4 address; as long as you are the legitimate owner / delegated admin of the domain you can get a valid certificate. Also, most larger organizations have their own CA and should be able to issue your hosts valid internal-use certificates.
– HBruijn
yesterday