SSL Certificates for local domain?


Socrates

Member
Dec 28, 2016
Hi all,

Please go easy on me, this is my first time, and I have got a lot of help from y'all for my setup; a BIG thanks for that.
I have a quick question, not sure whether what I am asking is dumb, or even if it's possible, or whether I am looking for or expecting too much of it.
This is regarding SSL certificates: how do you enable SSL certificates for your home/local domain?

I am using the web browser for managing the VMware, not the client version. I use Chrome, and the connection is https, and it shows an insecure connection in Chrome. Same goes for the Sophos web admin page, the connection shows insecure, and so does FreeNAS.
I use LetsEncrypt's cert-bot for the vm that is for webhosting.

How do you enable, create, and manage local certificates? Through AD? Or get certificates from individual applications and store them locally in each browser on multiple laptops/computers?
 

PigLover

Moderator
Jan 26, 2011
I use the certificate wizard in pfSense. I created a local certificate authority and create certs from it.

Of course now that all the major browsers are being picky about strict trust, you also have to install the root certificate of your local authority in your browser on your local machines.

 

wsuff

Member
Aug 16, 2015
I did the same with pfSense but also did it with CFSSL [Cloudflare wrapper for openssl] on Linux and Windows, CLI based though. Once you add the created certificate authority to your devices you would just need to update FreeNAS and any other web based applications to use certs from that CA. This creates the trust, since when you add the CA you are telling it to trust it just like any commercial CA. Xca was also suggested as a GUI option for SSL certs, but not sure how long until a newer release.
 

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
Depends on the sort of stuff you have available to you, but I set up my own command line CA using only openssl - many tutorials are available on setting this up to various degrees of complexity. Not very easy to manage if you have more than a dozen or so nodes I imagine, but it works well enough for me.

As PigLover mentions, you'll almost certainly want to export your CA cert from whatever you end up choosing and import it into your OS/browser in order to not have browsers treat you like a rented red-headed step-mule.
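The "command line CA using only openssl" approach above, as an added worked example (this is not code from the thread or from any of the posters): it builds a private root, issues a server certificate with a subjectAltName for one internal host, and verifies the result against the root. It also prints the root's SHA-256 fingerprint and checks the CA flag, which are the two things worth confirming on the .cer file when it is later imported into a Trusted Root store as nitrobass24 and Tom5051 describe. Directory names, the CA name, the hostname and the lifetimes are all assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread: a minimal command-line CA built
# with nothing but openssl. All names (directory, CA name, hostnames,
# lifetimes) are assumptions chosen for the demo.
set -eu

# make_lab_ca DIR NAME: create a private root CA (key + self-signed cert).
# pathlen:0 means this root may sign server certs but not further CAs, so a
# leaked server key cannot be turned into a new issuer.
make_lab_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = $name
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# issue_server_cert DIR HOST: key + CSR + CA-signed cert for one internal host.
# Browsers match the name against subjectAltName, not the CN, so the SAN is
# what actually stops the "insecure connection" warning.
issue_server_cert() {
    dir=$1; host=$2
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid, issuer
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" -config "$dir/$host.cnf" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -out "$dir/$host.crt" \
        -extfile "$dir/$host.cnf" -extensions server_ext 2>/dev/null
}

# verify_chain DIR HOST: succeeds only if the server cert chains to our root.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_has_san FILE HOST: succeeds if HOST appears as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|\$)"
}

# cert_is_ca FILE: "yes" if basicConstraints is CA:TRUE, else "no". Check this
# on the file you are about to put in a Trusted Root store: it should be the
# CA certificate, never a server certificate.
cert_is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# cert_fingerprint FILE: SHA-256 fingerprint, the value to compare against
# what the OS or browser shows when you import the root.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage with constructed names: build the root, issue one cert, check it.
LAB=$(mktemp -d)
make_lab_ca "$LAB" "Home Lab Root CA"
issue_server_cert "$LAB" gateway.home.lab
verify_chain "$LAB" gateway.home.lab && echo "chain verifies against $LAB/ca.crt"
cert_has_san "$LAB/gateway.home.lab.crt" gateway.home.lab && echo "SAN present"
echo "root is CA: $(cert_is_ca "$LAB/ca.crt"), server is CA: $(cert_is_ca "$LAB/gateway.home.lab.crt")"
echo "root SHA-256: $(cert_fingerprint "$LAB/ca.crt")"
```

Only ca.crt is meant to leave the box: it is what gets imported on each laptop, while ca.key stays offline with mode 600. Re-running issue_server_cert with a different hostname covers the other internal hosts mentioned in the thread (FreeNAS, vCenter, IPMI); each needs its own SAN entry.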
 

Socrates

Member
Dec 28, 2016
Thanks for your replies guys, much appreciated.
Is there a tutorial on how to do this using Sophos UTM 9?
I guess I am still lacking the knowledge on what to look up on Google. :(
 

caphesua46

New Member
Apr 13, 2017
SSL authentication is one of the solutions to protect users when browsing a website; this is also going to be one of Google's criteria in the coming time.
 

Socrates

Member
Dec 28, 2016
So if you want to go way too deep, and learn about AD PKI CA's - HOWTO: Install a 2 tier Windows 2012 R2 AD Integrated PKI Infrastructure That's a coworker of mine, and his writeup is more detailed than mine. I can make it work, but I don't understand the deep nitty gritty of it all. It's not fun, it's not terribly exciting, but it works pretty good.
Thanks for the link. Though it's extremely complicated and very deep, I'll go through this and see if this helps.
So can I add a certificate in the AD, and will it be propagated across the home network in any browser?

Or do I need to add these certificates manually to every browser, back them up, and keep adding them each time I log in to a new machine, or a newly formatted OS?

I was wondering if anyone else has a tutorial on how to generate these CAs for Sophos UTM.
 

Rand__

Well-Known Member
Mar 6, 2014
From how I understood this, all users would have to use the "enrollment" URL to download the root certificate.
You would then have to create additional certs for Sophos and whatever other servers you want and import them there. Since those would be certified by the same intermediate authority, as soon as you have imported the root CA you would also trust the newly created Sophos certs.

This will probably work but seems overly complicated for this use case. Unfortunately I have not found the ultimate guide either. I also am looking for a guide encompassing AD and other internal webpages (Sophos, VMware*, FreeNAS, Plex). Have not found one yet that I liked;)
 

NetWise

Active Member
Jun 29, 2012
Edmonton, AB, Canada
It's certainly a lot of work. We did it originally to automatically create client certificates, to assign to machines, to pre-publish and secure WiFi to company computers, and just wanted to make it work. Which means you need certs for each machine. Which means you need a way to make that happen (e.g. AD/GPO), which means you need an AD way of organizing it all. But once it's done... it's done.

You don't add the certificate to AD exactly. You add it to the device. The cert trusts the Root CA. In this case that's your DC vs Comodo, Symantec, etc, etc. But any browser should be able to use it and lookup the Root CA, yes.
 

Rand__

Well-Known Member
Mar 6, 2014
@NetWise - I hope you don't mind me asking a few questions re your co-worker's guide?

1. Not sure whether I need Certificate Revocation Lists or not and if those need to be on a webserver?
2. I assume this will work without web enrollment - I only have a few boxes that I'd add certificates manually to.
O/c if I need the CRL then I can add the web enrollment too
3. Can the Enterprise CA be placed on a/the PDC?
4. I assume I should be able to prolong the 6 months republishing time to a more reasonable (for home use) 12 or 24 months?
 

nitrobass24

Moderator
Dec 26, 2010
TX
What specifically are you attempting to achieve with SSL on your Sophos?

Do you want an SSL certificate that can be used with your external hostname (e.g. Nitrobass24.com) for things like SSL VPN or Reverse Proxy?
Do you want an SSL certificate on the Sophos for the internal address (e.g. gateway.nitrobass24.local) so you don't get the red bar when you go to the Sophos webadmin page?
Something else?

There are many ways to get an SSL certificate, but the right way depends on its intended use case.
 

Rand__

Well-Known Member
Mar 6, 2014
I assume the OP would want the internal admin page to stop throwing SSL errors (so do I;) )
 

nitrobass24

Moderator
Dec 26, 2010
TX
Well, assuming you just want to use the self-signed certificate by Sophos, it's pretty simple.

1. Log into the Web Admin Interface -->Management-->WebAdmin Settings--> HTTPS Cert
2. Re-generate the WebAdmin Certificate - In the box make sure the hostname or IP address you will use to log into the portal is listed here (if using a hostname make sure it resolves properly from your system). Click Apply.
3. Import CA Certificate - Click the Import CA Certificate button and it will download your CA in a .cer format.
4. Open and install this CA on any system you plan to access the Web Admin portal from. Needs to be installed in the "Trusted Root Certification Store".

Only issue with this method is if you plan to access from many computers, you have to install the self-signed CA on every machine. Alternatively, you can buy a trusted SSL cert from a provider like Comodo, GoDaddy, etc. and import all of those onto the Sophos box.
 

Rand__

Well-Known Member
Mar 6, 2014
Yes, thanks :) And then the same for 2 FreeNAS boxes, vCenter, multiple ESX, IPMI and what else:)
So a centralised way does make sense, just not really Enterprise-like but SMB-like :)
 

K D

Well-Known Member
Dec 24, 2016
Got a wildcard cert from Comodo and it works for everything except vCenter.
 

Tom5051

Active Member
Jan 18, 2017
For internal use just to fix the VMware login page, I wouldn't bother going to the trouble of setting up a root CA and using custom certs on ESX.
Just add the root certificate for the untrusted SSL cert to your trusted root provider list. You won't see the error again and everything is still secure.
You would not do this for a public webpage SSL issue obviously...
 