Thread: SSL/TLS certificates for internal servers
https://community.spiceworks.com/t/ssl-tls-certificates-for-internal-servers/723629

gurpreetmann (2019-08-01, 9 upvotes, 5 answers):

Been meaning to do this for a long time, however what's the best practice in order to get internal servers protected with SSL certs? I think there are 3 real options?

1. Self-signed cert
2. Set up my own CA
3. Use public certs, but for internal addresses

What would you guys recommend?
dancrane (2019-08-01):

Depends on how you want to go about it. Self-signed certs are going to enable SSL but throw trust errors and are relatively simple. It's not much harder to get a publicly signed certificate that has an intermediate chain, if required, and would automatically be trusted. Setting up your own CA also accomplishes this but is the most time consuming.

If these servers are only ever going to be accessed internally by domain resources, I'd probably go for setting up my own CA.
rob-entrust-datacard (2019-08-01):

Do you have funding for this project?
How much labour do you have available for this project?
Do you or your team members have PKI skills?
Are you a cloud-based shop or all on-prem?

How you answer these questions will guide you in the right direction.

Self-signed Cert: I would not recommend this, it is hard to manage, and there is more room for human error.

Own CA: There are free CA options, but then you have a learning curve, and you need to ensure that you maintain the CA, which, even if you use a free product, means you take on additional labour cost.

Public CA: There are some free options (e.g. LetsEncrypt), and there are paid options. It comes down to certificate management tools, infrastructure, root ubiquity (how trusted are their roots... even though this is internal, it will impact the level of deployment depending on the age of your infrastructure), vetting procedures, product and technical support.

If you decided on a paid certificate solution, you have industry experts and knowledge, SLAs, warranty, and reduce your labour cost.

Let me know if you have questions.

rinomardo2 (2019-08-04):

It's fancy to do your own CA servers, but in the long run, just go for number 3. Saves a lot of headache.

DoctorDNS (2019-08-04):

It depends.

For testing and such like, self-signed certs work well.

For an internal application, set up an organisational CA and go from there.

If the certs are going to be used somehow externally, go public CA.

What are your requirements?