We have several internal websites at our workplaces, dating back to 2001. I do not know why, as I wasn't admin at the time, but several internal websites were made that do not use fully qualified domain names. Most of the sites are simple things like http:\\it or http:\\wiki or things of the like. Because of such, I cannot use an external Cert Authority.

I want to introduce encryption to all internal traffic, and cut the HTTP protocol out as much as possible.

I'm dealing with the links via scripting, but the problem I am having is the certs, which was the part I thought would be the easiest.

I can create self-signed certs to match the site's Common Name, but even after adding them to a computer's Trusted Root Certification Authorities and Personal stores, browsers still won't trust them.

Will I need to set up a Cert Authority internally to make certs that the browsers will trust, or is there a way to get the computers to trust self-signed certs, or am I doing this all wrong to start with...?

I apologize if I have posted this in the wrong area; I did sincerely try to post this correctly. I try to use Google for most of my research, but information on this is fragmented and I am unsure of best practices for my scenario. My apologies if I missed something simple.
Accepted answer (spiceuser-qg7ef, 2021-08-19, https://community.spiceworks.com/t/looking-for-best-solution-to-encrypt-internal-iis-traffic/808838/5):

I found that the problem was that the certs I was creating using IIS and PowerShell were missing a bit of information in the files. I had defined other Common Names and Subject Alternative Names, but I did not set an "Authority Key Identifier" value when creating them, which was not an option in IIS or PowerShell. I followed the instructions on https://stackoverflow.com/questions/46349459/chrome-neterr-cert-authority-invalid-error-on-self-signing-certificate-at-loca?rq=1 and used the Key Store Explorer tool to create the cert, then exported it as a P12.

Once I did that, I imported it into a Windows computer and exported it as a PFX (because I was using Central Cert Store and it didn't like P12) with the private key and gave that to the web server. At least during testing, computers that had the public portion brought into the Trusted Root Certification Authorities store are no longer getting complaints in browsers. I presume I will be able to use a GPO to seed the certs out across the network.
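An added example, not the poster's Key Store Explorer workflow and not code from the thread: one way to produce a small internal root CA and a CA-signed server certificate for short internal hostnames with PowerShell's New-SelfSignedCertificate, so that the chain, the Subject Alternative Name list and the Authority Key Identifier are all in place before the root is pushed to clients by GPO. The CA name, the hostnames `it` and `wiki`, and the output folder are assumptions.

```powershell
# Added example (not the poster's workflow). Run in an elevated PowerShell on the
# machine that will hold the CA key. Hostnames, CA name and paths are assumptions.
$Sites   = 'it', 'wiki'                   # short names like those in the thread
$OutDir  = 'C:\PKI'                       # assumed output folder
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX export password'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Root CA certificate. Kept in the machine store so it can sign below; only
#    its public part (.cer) is ever handed to clients.
$ca = New-SelfSignedCertificate `
    -Subject 'CN=Example Internal Root CA' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyLength 4096 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddYears(10) `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0')   # basicConstraints

# 2. Server certificate signed by that CA. -Signer makes the cmdlet write an
#    Authority Key Identifier pointing at the CA; -DnsName fills the SAN list,
#    which browsers check instead of the Common Name.
$srv = New-SelfSignedCertificate `
    -Subject "CN=$($Sites[0])" `
    -DnsName $Sites `
    -Signer $ca `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')   # EKU: serverAuth only

# 3. Exports: CA public key for the Trusted Root store (GPO), server PFX with the
#    private key for IIS / the Central Certificate Store.
Export-Certificate    -Cert $ca  -FilePath "$OutDir\internal-root-ca.cer" | Out-Null
Export-PfxCertificate -Cert $srv -FilePath "$OutDir\$($Sites[0]).pfx" -Password $PfxPass | Out-Null

# 4. Check before deploying: both extensions the thread found missing must be present.
$srv.Extensions |
    Where-Object { $_.Oid.FriendlyName -in 'Subject Alternative Name', 'Authority Key Identifier' } |
    ForEach-Object { '{0}: {1}' -f $_.Oid.FriendlyName, $_.Format($false) }
```

Once the .cer is in Trusted Root Certification Authorities on the clients, any further server certificate issued with the same `-Signer $ca` is trusted without touching the clients again.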