SSL query



  • Hi,

    I'm new on SSL and have some questions. I have a project that is an application accessible via web browser. the application will only be accessible within office LAN.

    the application vendor wanted as SSL so that all data in & out of the server are encrypted. So we get an SSL even we feel we dont actually need just to get this over with. since the application is within LAN, what domain name should i use when configuring the SSL in the IS server? is that going to be the local IP address of the server?

    I want to check here as my vendor will most likely ask us to register a domain name. it looks like the vendor is following a checklist based on a online web application instead of our plan of going an internal LAN application.



  • @AshKetchum said in SSL query:

    Hi,

    I'm new on SSL and have some questions. I have a project that is an application accessible via web browser. the application will only be accessible within office LAN.

    the application vendor wanted as SSL so that all data in & out of the server are encrypted. So we get an SSL even we feel we dont actually need just to get this over with. since the application is within LAN, what domain name should i use when configuring the SSL in the IS server? is that going to be the local IP address of the server?

    I want to check here as my vendor will most likely ask us to register a domain name. it looks like the vendor is following a checklist based on a online web application instead of our plan of going an internal LAN application.

    There's little difference between it being an online web application vs it being an internal web application... I'd stick with the naming convention that you are already using...

    If your ActiveDirectory is SuperDomain.Net, and your server's FQDN is myApp.SuperDomain.Net, then get the SSL certificate for SuperDomain.Net



  • ah so by best practice, following the naming convention even not needed for now is the best way. it will be future proof in case they decided to make the application available online. make sense.



  • @AshKetchum said in SSL query:

    ah so by best practice, following the naming convention even not needed for now is the best way. it will be future proof in case they decided to make the application available online. make sense.

    If they make it available online, and the URL changes, then you'll need to re-issue the SSL Certificate. But otherwise, you are right.



  • @AshKetchum said in SSL query:

    Hi,

    I'm new on SSL and have some questions. I have a project that is an application accessible via web browser. the application will only be accessible within office LAN.

    the application vendor wanted as SSL so that all data in & out of the server are encrypted. So we get an SSL even we feel we dont actually need just to get this over with. since the application is within LAN, what domain name should i use when configuring the SSL in the IS server? is that going to be the local IP address of the server?

    I want to check here as my vendor will most likely ask us to register a domain name. it looks like the vendor is following a checklist based on a online web application instead of our plan of going an internal LAN application.

    It is still a good idea to use SSL even local services.

    Do you have a typical MS domain setup?

    If yes, do you have any public domains listed in DNS?

    If so, just make a new subdomain as a CNAME record to the internal server name and get the SSL on that.

    If you do not already have a public domain on your internal DNS it can be a more complicated decision from a "how do I want to manage this overall" point of view, but the technical process is the same.



  • @JaredBusch this is my first time handling this so sorry if i sounded newbie. what do you mean typical domain setup? also, what you mean public domains listed in DNS?



  • @AshKetchum said in SSL query:

    @JaredBusch this is my first time handling this so sorry if i sounded newbie. what do you mean typical domain setup? also, what you mean public domains listed in DNS?

    Start at the beginning.

    Do you have a Windows domain based network? This is not something that is not known.



  • yes we have domain based network. for the public listed domains, we have a lot. each server carries its own naming convention and didnt follow the main company domain name.



  • @AshKetchum said in SSL query:

    yes we have domain based network. for the public listed domains, we have a lot. each server carries its own naming convention and didnt follow the main company domain name.

    A public domain is something like mangolassi.it or bundystl.com You have those on your internal DNS?



  • i will need assistance to check it on our internal DNS. let me check.



  • @AshKetchum said in SSL query:

    i will need assistance to check it on our internal DNS. let me check.

    0_1470940964928_upload-c244a5d6-4e45-4463-bf8b-e3e9ebae0512



  • i only have 3 entries there as well, same as your screenshot.



  • Then you can make a new subdomain for one of them such as PBX in this example.

    0_1470942895839_upload-7ef42249-9f26-4cba-9752-c4179e198c82

    Then you can go to the app server and generate the CSR and use a service like StartSSL to get a free 1 year SSL certificate for it.

    I would recommend LetsEncrypt but if there is no outside facing part to this, that is more work than it is worth. Just renew once a year with StartSSL and be done.



  • free from startssl is a very good idea, instead of paying for a year on SSL for internal network.



  • thank you very much jared and dafyre



  • @AshKetchum said in SSL query:

    free from startssl is a very good idea, instead of paying for a year on SSL for internal network.

    I don't trust startssl to be secure at all tho, you can get a google.com cert without much problem. It's annoying because they somehow got included as a valid certificate provider.

    Stick with Let's Encrypt for free certs.



  • @travisdh1 said in SSL query:

    @AshKetchum said in SSL query:

    free from startssl is a very good idea, instead of paying for a year on SSL for internal network.

    I don't trust startssl to be secure at all tho, you can get a google.com cert without much problem. It's annoying because they somehow got included as a valid certificate provider.

    Stick with Let's Encrypt for free certs.

    I've used StartSSL for years. What is wrong with the service?



  • @JaredBusch said in SSL query:

    @travisdh1 said in SSL query:

    @AshKetchum said in SSL query:

    free from startssl is a very good idea, instead of paying for a year on SSL for internal network.

    I don't trust startssl to be secure at all tho, you can get a google.com cert without much problem. It's annoying because they somehow got included as a valid certificate provider.

    Stick with Let's Encrypt for free certs.

    I've used StartSSL for years. What is wrong with the service?

    Looks like they did resolve the one I was thinking of. http://www.securityweek.com/startssl-flaw-allowed-attackers-obtain-ssl-cert-any-domain

    Generally just a very lackadaisical take on security, half their answers to vulnerabilities are "Yeah, we know about that, it's not a problem."



  • Hmm I learn a lot on this SSL project. The IIS, SSL and even read some about Comodohacker..interesting...



  • @JaredBusch said in SSL query:

    Then you can make a new subdomain for one of them such as PBX in this example.

    This is a host name, not a subdomain. A subdomain would be like Omaha.nebraska.com where Omaha is a subdomain that has its own hosts listed, i.e. dodge.omaha.nebraska.com where dodge is the host name.



  • @Dashrender said in SSL query:

    @JaredBusch said in SSL query:

    Then you can make a new subdomain for one of them such as PBX in this example.

    This is a host name, not a subdomain. A subdomain would be like Omaha.nebraska.com where Omaha is a subdomain that has its own hosts listed, i.e. dodge.omaha.nebraska.com where dodge is the host name.

    What's the difference? It's both a subdomain and a hostname.



  • @scottalanmiller said in SSL query:

    @Dashrender said in SSL query:

    @JaredBusch said in SSL query:

    Then you can make a new subdomain for one of them such as PBX in this example.

    This is a host name, not a subdomain. A subdomain would be like Omaha.nebraska.com where Omaha is a subdomain that has its own hosts listed, i.e. dodge.omaha.nebraska.com where dodge is the host name.

    What's the difference? It's both a subdomain and a hostname.

    Well I was going to ask if in my example Omaha. nebraska.com could point to an IP, but then I thought about that, and yes... I know that nebraska.com can point to an IP, soooo why not omaha.nebraska.com?



  • It is not possible to use ssl Certificate in your Local area networks from 1st November 2015. For more detail information you can read here http://www.symantec.com/connect/blogs/important-changes-ssl-certificates-intranets-what-you-need-know.



  • I'm still unsure why companies will no longer issue certs for .local domains. It seems to me that complicates things for those of us who are stuck with them for a while longer.

    What I've heard some folks wanting to do is make their internal domains something like int.mydomain.com, which isn't really all that terrible... but it can complicate things if you want to use an external web host that expects some level of control over DNS.



  • @dafyre said in SSL query:

    I'm still unsure why companies will no longer issue certs for .local domains. It seems to me that complicates things for those of us who are stuck with them for a while longer.

    What I've heard some folks wanting to do is make their internal domains something like int.mydomain.com, which isn't really all that terrible... but it can complicate things if you want to use an external web host that expects some level of control over DNS.

    Since they don't work on the internet, why do you need a CA to issue it? Stand up your own internal CA, publish the root via GP to your clients and go to town.


Log in to reply