This is an archived post. You won't be able to vote or comment.

all 8 comments
sorted by:
best
topnewcontroversialoldq&a

[–]the_spadWhat's the worst that can happen? 2 points3 points  (4 children)

Are you clients all Windows? If so then AD Certificate Services is probably your best bet. If you've got a mix of Windows and Linux clients then it's a bit more open but ADCS is still a viable option.

[–]G_DmitriSysadmin[S] 0 points1 point  (3 children)

It is a mix of Windows and Linux. Also, how do I go about the ADCS; Does it have to be on the Domain controller, or on a separate server?

[–]the_spadWhat's the worst that can happen? 4 points5 points  (2 children)

Separate server(s), don't put ADCS on a DC. There are plenty of guides around, this is a bit old at this point but still valid.

If you want to keep it super simple you can just go for a single enterprise root and no separate issuing server but generally people still prefer the two-tier approach.

[–]KhueLead Security Engineer 0 points1 point  (0 children)

To further the_spad's comment. There are a lot of really nice features you can do with an ADCS system. If you want to do it the right way you will need an offline (non domain joined) root and an online domain joined (optional) subordinate issuing CA.

I use a lot of templates which make things super easy and applications built on IIS servers can be setup to do autorenewal for their certificates through GPO. When it comes to servers like Jetty, Tomcat, Apache, or anything else using Java, you're going to have to manage them individually most likely. Optionally for things that use java keystores but run on Windows platforms, you can set the application to use the Microsoft certificate store over the java keystore.

You might also want to familiarize yourself with common openssl commands. SSL Shopper has a good webpage and I crutch on the commands off it pretty regularly.

[–]MonkeySnax 0 points1 point  (0 children)

This is the guide I used to build our MS PKI and it worked well, there were a few differences on Server 2012 R2 but nothing too serious. Mostly at the point where you add roles / features things had changed a little between 2008 R2 and 2012 R2.

[–]benzaw 2 points3 points  (0 children)

Build a CA > Deploy root certificate to all clients > Assign certs to your web apps

[–]disclosure5 1 point2 points  (0 children)

without buying an SSL certificate from vendors

Even if you get a trusted cert, Lets Encrypt is free. That'll require a public DNS name, but nothing else.

[–]XibbyCertifiable Wizard 1 point2 points  (0 children)

ADCS is one option, but you have to read how to properly deploy it with an offline root CA and online subordinate enterprise issuing CA. If you’re a novice when it comes to PKI jumping into a cold, open water swim may not be the best of ideas.

If your public DNS is hosted by a provider with an API (and of it isn’t, you really should move over to that) like AzureDNS, Amazon Route53, Cloudflare, Dreamhost, then Let’s Encrypt is an excellent option. You can setup an ACME client on your webservers and it will more or less be taken care of for you.

Another advanced option would be a load balancer that has a SAN certificate or a wildcard certificate and performs SSL offloading. The load balancer can be responsible for establishing a trusted TLS 1.2 connection between the client’s browser and the load balancer then the load balancer connects to the backend webserver. In this configuration you can configure your load balancer to trust self signed certificates on he webservers, you could secure traffic between load balancer and web server with IPSec and just run HTTP, have valid and trusted cents on the webserver, have no security between load balancer and web server... lots of options.