Free SSL certificates

Started by Dieselboy, April 20, 2015, 02:52:57 AM


Dieselboy

So in short: we use Cisco Jabber. Jabber connects to CUCM, Unity and the Jabber servers for encrypted comms. All 6 servers are using self-signed certs and we all get cert warnings when within the office because I can't push out certs to Macs via GPO :)

I recall years ago that you could get very cheap or free SSL certs for internal stuff that was not to be used on the internet. I can't find info on this specifically now but I do find this:
https://www.digicert.com/internal-names.htm

However that is fine since when I initially proposed a proper domain structure I did some digging and found that we should be using a subdomain of our internet domain. So all our hostnames are servername.j.domain.com
I wonder if the free certs for internal stuff are no longer available due to the above reform in 2011..

I have found this website: https://www.startssl.com/?app=39
but they only offer 1 year free certs... Don't really want to have to re-do certs every 1 year. Once is bad enough..

Is anyone using free SSL certs? Are 3 yrs available?

Netwörkheäd

Free means generate from AD. If they're just for internal identification, that's all you need.
Let's not argue. Let's network!

wintermute000

Yeah, read up on the joys of PKI, but there is no reason why you can't use an internal CA. Just remember that everybody has to enroll to the same CA - I'm not enough of a specialist to understand how CAs cluster/backup, but that's the crux of it - as long as everybody has certs signed by the same CA and (this is the bit that puts everyone off) has that CA's public key in the correct location for that particular function then that's fine, you'll just have to put the CA's cert on all hosts that will be using it (as well as manually enroll of course).


Relatively trivial for say PCs in AD, but for say smartphones, that's another story with a whole different set of BUY BUY BUY tools. Even for PCs there's more to it than meets the eye, e.g. the location where you put trusted CAs for https websites is not the same as the location for dot1x, and then behaviour varies between Win 7, 8, 10, OSX.... etc.

I believe that this is the last year that commercial SSL providers stopped signing internal-only domains. This was basically an RFC non-compliant 'hack' so people can use certs without having to push out their CAs to each client, since most PCs will have the big commercial CAs trusted. I have a client that was doing this for years and is finally realising that they have to commit to re-architecting their certificate environment within 12 months (when their last commercially issued cert will expire).

Having done extensive work on PKI secured DMVPN and lived through a certificate expiry on a dot1x secured wifi (and the reverse engineering to fix it), god I hate PKI lol. I'm sure deanwebb is happy to elaborate more.

Fred

The startssl certificates are fine for personal use. I put one on my home server and my problems are solved, and it's not a pain to renew it every year. I would not do this in a corporate environment, and I'm pretty sure it's against their licensing.

For things like internal services, an internal CA is ideal. This can be done through AD Certificate Services, but my experience is that it's super complex, most people do it wrong, and a bad implementation is not much better than no implementation. At my current job, we brought in a contractor to do it right, and it does make it very easy once implemented.

At my last job we didn't have the expertise, so we generated our CA with openssl and wrote a couple of batch scripts to sign CSRs. We then just limited access to the private key and passphrase to a few key individuals. It's still not perfect, but it worked pretty well.

After that, you can deploy the CA to windows machines via group policy. Mac machines are a different story, and mobile wasn't a concern back then. For mobile devices today, you probably should have an MDM, and if you don't, you should probably check out the free meraki MDM solution. I believe it can push out certificates, but possibly just for VPN access.
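An added example, not code from Fred or anyone else in this thread, of the openssl-based internal CA described above: it creates a root CA, signs a CSR for an internal host with a proper subjectAltName, and then runs the chain check that clients perform, with and without the CA in the trust store (which is the point wintermute000 makes about the CA cert having to be in the right place on every host). The CA name, file layout, the 10-year CA / 3-year server validity and the temp-directory layout are assumptions; the servername.j.domain.com naming is taken from the thread.

```shell
#!/bin/sh
# Added example (not from this thread): a minimal internal CA with openssl.
# CA name, paths and validity periods below are constructed for illustration.
set -e

# Working directory for keys and certs (assumption: a throwaway temp dir).
WORK="${WORK:-$(mktemp -d)}"

# Create the root CA: a self-signed cert whose extensions mark it as a CA.
# A private config file is used so the result does not depend on whatever
# openssl.cnf the host ships with.
make_ca() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Internal Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  chmod 600 "$WORK/ca.key"   # the CA key is the thing to lock down, as Fred says
}

# Generate a key and CSR for one internal host, then sign it with the CA.
# The subjectAltName is what browsers and Jabber clients match on; a CN-only
# certificate is rejected by current clients even when it chains correctly.
issue_server_cert() {
  host="$1"
  openssl req -new -config "$WORK/openssl.cnf" -subj "/CN=$host" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf '%s\n' \
    'basicConstraints = CA:FALSE' \
    'keyUsage = critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    "subjectAltName = DNS:$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1095 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" >/dev/null 2>&1
}

# The check every client performs: does the server cert chain to a trusted CA?
# With the internal CA supplied as the trust anchor, verification succeeds.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# The same check with the system trust store only (what a Mac or phone that
# never received ca.crt effectively has): verification must fail. This is the
# chain error users see when the CA is missing from the client's trust store.
fails_without_ca() {
  ! openssl verify -no-CAfile -no-CApath "$WORK/$1.crt" >/dev/null 2>&1
}

# Confirm the issued certificate carries the hostname as a SAN entry.
has_san() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "DNS:$1"
}

# Usage: sh internal-ca.sh cucm1.j.domain.com unity1.j.domain.com ...
if [ "$#" -gt 0 ]; then
  make_ca
  for h in "$@"; do
    issue_server_cert "$h"
    verify_with_ca "$h" && echo "$h: chains to $WORK/ca.crt"
  done
  echo "Distribute $WORK/ca.crt to every client's trust store."
fi
```

Run it with the internal hostnames as arguments; the only artefact that has to reach clients is ca.crt, while ca.key stays with the few people who are allowed to sign. The fails_without_ca check is the reproduction of the symptom the thread keeps coming back to: the certificate is fine, the client simply has no trust anchor for it.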

SimonV

EFF is launching a public CA soon (together with Cisco and a few others) which will offer free publicly signed certificates.

https://letsencrypt.org/

Haven't looked into the details though, I'm doubting it will be possible to use it for internal domains.

deanwebb

Just open a port to their CA, and it will be very usable on internal domains that can configure that arrangement.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

Sorry to necromance the thread but I'm looking for a cheap (or free) SSL cert for my SRX in the office. I remembered this thread so I'm now thinking of using StartSSL. Are you still satisfied with them?

Dieselboy

Yes, but check if they have re-issued their root certs first.. Google and Firefox decided to distrust their root certs and so I was getting CERT_CHAIN_INVALID errors or something along those lines, and it's more tricky to advance past compared to simple self-signed cert warnings. Some of my users were a bit confused and StartSSL were prioritising their paid-for customers first, causing us extended hassle, so I just got a wildcard cert from a large vendor to tide me over for 12 months, then I'll go back to them.

If the SSL cert problem is fixed now, I have no issues with them at all.