SSL query
-
@AshKetchum said in SSL query:
yes we have domain based network. for the public listed domains, we have a lot. each server carries its own naming convention and didnt follow the main company domain name.
A public domain is something like mangolassi.it or bundystl.com You have those on your internal DNS?
-
i will need assistance to check it on our internal DNS. let me check.
-
@AshKetchum said in SSL query:
i will need assistance to check it on our internal DNS. let me check.
-
i only have 3 entries there as well, same as your screenshot.
-
Then you can make a new subdomain for one of them such as PBX in this example.
Then you can go to the app server and generate the CSR and use a service like StartSSL to get a free 1 year SSL certificate for it.
I would recommend LetsEncrypt but if there is no outside facing part to this, that is more work than it is worth. Just renew once a year with StartSSL and be done.
-
free from startssl is a very good idea, instead of paying for a year on SSL for internal network.
-
thank you very much jared and dafyre
-
@AshKetchum said in SSL query:
free from startssl is a very good idea, instead of paying for a year on SSL for internal network.
I don't trust startssl to be secure at all tho, you can get a google.com cert without much problem. It's annoying because they somehow got included as a valid certificate provider.
Stick with Let's Encrypt for free certs.
-
@travisdh1 said in SSL query:
@AshKetchum said in SSL query:
free from startssl is a very good idea, instead of paying for a year on SSL for internal network.
I don't trust startssl to be secure at all tho, you can get a google.com cert without much problem. It's annoying because they somehow got included as a valid certificate provider.
Stick with Let's Encrypt for free certs.
I've used StartSSL for years. What is wrong with the service?
-
@JaredBusch said in SSL query:
@travisdh1 said in SSL query:
@AshKetchum said in SSL query:
free from startssl is a very good idea, instead of paying for a year on SSL for internal network.
I don't trust startssl to be secure at all tho, you can get a google.com cert without much problem. It's annoying because they somehow got included as a valid certificate provider.
Stick with Let's Encrypt for free certs.
I've used StartSSL for years. What is wrong with the service?
Looks like they did resolve the one I was thinking of. http://www.securityweek.com/startssl-flaw-allowed-attackers-obtain-ssl-cert-any-domain
Generally just a very lackadaisical take on security, half their answers to vulnerabilities are "Yeah, we know about that, it's not a problem."
-
Hmm I learn a lot on this SSL project. The IIS, SSL and even read some about Comodohacker..interesting...
-
@JaredBusch said in SSL query:
Then you can make a new subdomain for one of them such as PBX in this example.
This is a host name, not a subdomain. A subdomain would be like Omaha.nebraska.com where Omaha is a subdomain that has its own hosts listed, i.e. dodge.omaha.nebraska.com where dodge is the host name.
-
@Dashrender said in SSL query:
@JaredBusch said in SSL query:
Then you can make a new subdomain for one of them such as PBX in this example.
This is a host name, not a subdomain. A subdomain would be like Omaha.nebraska.com where Omaha is a subdomain that has its own hosts listed, i.e. dodge.omaha.nebraska.com where dodge is the host name.
What's the difference? It's both a subdomain and a hostname.
-
@scottalanmiller said in SSL query:
@Dashrender said in SSL query:
@JaredBusch said in SSL query:
Then you can make a new subdomain for one of them such as PBX in this example.
This is a host name, not a subdomain. A subdomain would be like Omaha.nebraska.com where Omaha is a subdomain that has its own hosts listed, i.e. dodge.omaha.nebraska.com where dodge is the host name.
What's the difference? It's both a subdomain and a hostname.
Well I was going to ask if in my example Omaha. nebraska.com could point to an IP, but then I thought about that, and yes... I know that nebraska.com can point to an IP, soooo why not omaha.nebraska.com?
-
It is not possible to use ssl Certificate in your Local area networks from 1st November 2015. For more detail information you can read here http://www.symantec.com/connect/blogs/important-changes-ssl-certificates-intranets-what-you-need-know.
-
I'm still unsure why companies will no longer issue certs for .local domains. It seems to me that complicates things for those of us who are stuck with them for a while longer.
What I've heard some folks wanting to do is make their internal domains something like int.mydomain.com, which isn't really all that terrible... but it can complicate things if you want to use an external web host that expects some level of control over DNS.
-
I'm still unsure why companies will no longer issue certs for .local domains. It seems to me that complicates things for those of us who are stuck with them for a while longer.
What I've heard some folks wanting to do is make their internal domains something like int.mydomain.com, which isn't really all that terrible... but it can complicate things if you want to use an external web host that expects some level of control over DNS.
Since they don't work on the internet, why do you need a CA to issue it? Stand up your own internal CA, publish the root via GP to your clients and go to town.
