Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

What do you use for Internet Certs inside the company?

Daniel Nashed – 28 August 2020 09:45:54

For external servers Let's Encrypt is a great option to automate certificate management.
But unless you are using officially registered DNS names, in combination with "split DNS" etc., you can't use Let's Encrypt to manage your certificates internally.
Let's Encrypt also rate-limits the number of certificates you can request per domain.

What type of CAs? Manual or automated?

So I am curious what type of CAs you use out in the field.
And how do you integrate certificate request flows?
Do you have automation today?

Microsoft CA.

I guess that's one of the most commonly used CAs today, in combination with AD?

I just looked into the Microsoft CA again yesterday, because at one of my customers we need to renew around 40 certs.
The only way offered to non-Windows machines for requesting certificates automatically is the Microsoft CA web enrollment site.
Depending on the configuration and your user permissions you can get certificates on the fly.
Or you just kick off the process by pasting a CSR and get a request number, which can later be used to retrieve the certificate.

For what I needed, I wrote a shell script that uses curl to submit the request and later download the certificate.

The website doesn't offer any kind of REST API with a defined interface, and I am not aware of any official one. Maybe someone has an idea?
I am just simulating the behavior of the website using curl for now. The only alternative is the command line, which has to be executed on the CA or an authorized machine.
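The flow described above, as an added example that is not the post's own script: it drives the certsrv web enrollment pages with curl, pulls the request ID out of the HTML reply, retrieves the certificate by that ID, and checks the download before it is installed. The certsrv endpoints and form field names are the ones the enrollment pages submit; CA_URL, CA_AUTH, TEMPLATE and the "Your Request Id is" wording for pending requests are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own script): Microsoft CA web enrollment (certsrv) via curl.
# The certsrv endpoints/form fields are what the web pages submit; CA_URL, CA_AUTH and
# TEMPLATE are assumptions to replace with your own values.
set -eu

CA_URL="${CA_URL:-https://ca.example.internal/certsrv}"  # assumption: your CA web enrollment URL
CA_AUTH="${CA_AUTH:-enroll-user:password}"               # assumption: least-privilege enrollment account
TEMPLATE="${TEMPLATE:-WebServer}"                        # assumption: template published on the CA

# Pull the request ID out of the HTML that certfnsh.asp returns. An issued cert shows up as a
# "certnew.cer?ReqID=<n>" link; a request held for CA manager approval only shows
# "Your Request Id is <n>." (wording assumed). Prints the ID, or nothing with status 1.
extract_reqid() {
    req_id=$(sed -n -E 's/.*(ReqID=|Request Id[^0-9]*)([0-9]+).*/\2/p' | head -n 1)
    [ -n "$req_id" ] && printf '%s\n' "$req_id"
}

# Submit a PEM CSR exactly as the "Submit a certificate request" form does and print the request
# ID. Web enrollment usually runs Windows integrated auth (--ntlm); use --basic if yours does.
submit_csr() {
    csr_file=$1
    curl -sS --fail --ntlm -u "$CA_AUTH" \
        --data-urlencode "Mode=newreq" \
        --data-urlencode "CertRequest@${csr_file}" \
        --data-urlencode "CertAttrib=CertificateTemplate:${TEMPLATE}" \
        --data-urlencode "TargetStoreFlags=0" \
        --data-urlencode "SaveCert=yes" \
        "${CA_URL}/certfnsh.asp" | extract_reqid
}

# Download the issued certificate (base64/PEM) for request ID $1 into file $2.
fetch_cert() {
    curl -sS --fail --ntlm -u "$CA_AUTH" -o "$2" "${CA_URL}/certnew.cer?ReqID=$1&Enc=b64"
}

# Check the download before installing it: a still-pending request yields an HTML page, not PEM,
# and a mistyped ReqID yields somebody else's certificate, so the public key must match CSR $1.
verify_cert_matches_csr() {
    grep -q 'BEGIN CERTIFICATE' "$2" || return 1
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Usage: certsrv.sh request server.csr               -> prints the request ID
#        certsrv.sh fetch 4711 server.csr server.cer -> downloads and verifies the certificate
case "${1:-}" in
    request) submit_csr "$2" ;;
    fetch)   fetch_cert "$2" "$4" && verify_cert_matches_csr "$3" "$4" && echo "OK: $4" ;;
esac
```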

So I am interested to hear what type of CAs you use and what the process is to get a certificate issued.
And what automation you have implemented today.


-- Daniel




Comments

1. Darren Duke – 03.09.2020 16:08:55 – What do you use for Internet Certs inside the company?

MS CA. It's a pain, but less so than an OpenSSL CA. Trying to get MS's own CA website to use an MS CA generated IIS SSL certificate is an interesting battle with Google searching.

Make the cert expiration dates as long as you dare, otherwise you spend a lot of time renewing and reconfiguring (ADFS signing and decrypting anyone?... one year by default? really?).

2. Uwe Janssen – 06.10.2020 6:31:33 – What do you use for Internet Certs inside the company?

We use official certs from DigiCert or DFN-PKI.

With the DFN-PKI, the CSR and private key are automatically generated during the cert application via their Java GUI, based on the domain name or host name. The cert and the key are downloaded via the Java GUI.

The DFN-PKI uses and offers a SOAP interface.

https://blog.pki.dfn.de/2019/03/lets-dfn-pki/

However, the DFN-PKI is not a commercial cert provider. Only members of DFN e. V. (e.g. universities, research institutes) can use the service.
