
When does it make sense to use a certificate authority on an internal network?

Managing computer and user certificates is a complicated matter. IT pro Rick Vanover shares some guidance on when it may make sense to use this technology.

Certificates have not historically been my favorite area of technology. While we have to use certificates, most applications will simply create a self-signed certificate, which is not a good practice at all. When do you decide to use a certificate authority (CA) server on your own network?

This is a complicated question, but I will share some points that I have learned along the road about when it makes sense to install a local certificate authority. In many situations, people deploy the Windows Active Directory Certificate Services role. Having centralized management with Group Policy is a requirement to scale the reach of the policies to many users and computers. One trick is to deploy certificates through Group Policy, which is especially helpful with device certificates.

One of the best examples is to configure a wireless network to require a computer (or device) certificate for access. This removes the risk of passing around passwords for accessing wireless networks. This would be applicable for organizations wishing to provide wireless access in an office setting to designated systems, instead of providing public access or using passwords.

Having a CA in place can also address the friendly reminders from Internet Explorer’s certificate warning messages. If the local CA’s root certificate is trusted by the computers on the domain, replacing self-signed certificates with CA-issued ones makes for a much more pleasant experience for internal users.

A certificate can also be the second factor for VPN access. If the VPN access policy checks for the device certificate on the computer in question, then that can be the additional factor outside of a username and password. Having multifactor authentication, of course, is much more secure than simply using a username and password (single factor), and having the computer certificate managed by authoritative policy allows additional protection.

Installing a CA won’t help in every situation, however. Systems that serve external users won’t benefit from certificates issued by the internal CA, even if they sit on the internal network and serve content to external networks, because outside clients do not have the internal root certificate in their trust stores. This applies to Web services or anything else that relies on Secure Sockets Layer (SSL) communication.
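The trust boundary described in the last three paragraphs can be seen with nothing but the openssl command line. The script below is an added example, not code from the article or from Microsoft: it builds a throwaway internal root CA, issues one intranet server certificate and one managed-device certificate from it, and then validates those certificates from two points of view, a domain client whose trust store contains the internal root and an outside client that trusts only some other root. Every name in it (the CA names, intranet.corp.example, laptop01) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): a throwaway internal CA built with
# the openssl CLI, then chain verification from two points of view:
#   1. a domain client that has the internal root installed, and
#   2. an outside client that trusts only some unrelated root.
# All names (CA names, intranet.corp.example, laptop01) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed files

# Create a self-signed root whose certificate carries CA extensions.
make_root() {   # $1 = output basename, $2 = common name
  cat > "$WORK/$1.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = $2
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue an end-entity certificate from the internal root.
issue_cert() {   # $1 = basename, $2 = subject CN, $3 = extension lines (printf %b format)
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' "$2" > "$WORK/$1.cnf"
  printf '%b' "$3" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/internal-root.crt" \
    -CAkey "$WORK/internal-root.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

build_internal_pki() {
  make_root internal-root "Corp Internal Root CA"
  make_root other-root    "Some Public Root (stand-in)"
  # Intranet web server: serverAuth EKU plus a SAN, as a browser expects.
  issue_cert intranet "intranet.corp.example" \
    'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:intranet.corp.example\n'
  # Managed device certificate: clientAuth EKU, the kind a wireless or
  # VPN access policy checks for (the article's second-factor case).
  issue_cert laptop01 "laptop01.corp.example" 'extendedKeyUsage=clientAuth\n'
}

# Validate cert $1 for purpose $3 as a client whose only trusted root is $2.
# Returns 0 when the chain validates for that purpose, 1 otherwise (the
# ": OK" check also covers old openssl builds whose exit status was always 0).
verify_as() {   # $1 = cert basename, $2 = trusted root basename, $3 = sslserver|sslclient
  out="$(openssl verify -purpose "$3" -CAfile "$WORK/$2.crt" "$WORK/$1.crt" 2>&1)" || return 1
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

report() {   # human-readable wrapper around verify_as
  if verify_as "$1" "$2" "$3"; then echo "$1 ($3), trusting $2: chain OK"
  else echo "$1 ($3), trusting $2: NOT trusted"; fi
}

build_internal_pki
report intranet internal-root sslserver   # domain client with the internal root: OK
report intranet other-root    sslserver   # outside client without it: not trusted
report laptop01 internal-root sslclient   # device cert for wireless/VPN policy: OK
report intranet internal-root sslclient   # server cert presented as a device: not trusted
```

The second and fourth lines of output are the ones that matter for the article's caveats: the same server certificate that a domain-joined client accepts is rejected by a client that only carries some other root, and the purpose check shows why a VPN or wireless policy should validate the device certificate's extended key usage rather than merely that it chains to the internal CA.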

What criteria do you use to determine if you need to start hosting a CA? Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

13 comments
tom.white

Has the desire to use EFS caused anyone to roll out their own CA? In my previous role it was a combination of that, and wireless authentication, that drove us to do it.

SMparky

I haven't really worked with certificates, so pardon my ignorance. I was playing around with the 2008 R2 RD Gateway service and they mentioned 3 different ways to implement certificates. All they say about self-signed certs is that they aren't recommended. It seems like the cheap & easy way for a small shop to go. Yes, it's more of a hassle, but if you're only dealing with a small number of people and a small budget, what are the drawbacks?

stephen.sandifer

Here's the logic: too many IT shops follow a hard shell/soft inside security model. Once the firewall is in place, no more thought is given to security. If you understand that you may have intruders on your network (and that those intruders may just be malware apps), you need to encrypt as much of your internal communications as possible. Therefore, SSL certs. And, to manage them, a Certificate Authority. AD's great for rolling out root certs, but possibly not so good at managing them. Check out the Dogtag project under Fedora or (if you're adventurous) try installing OpenSSL on a Unix box and rolling your own root cert.

dsunil

I want the full-fledged details; please send the full-fledged details of CA.

bgrac3

We have an old Win2k server that has our CA on it for wireless authentication inside all our office facilities. This server is now EOL and the last one with the 2K OS on it. If we were using any kind of virtualization for servers, this would have been easy to replace or upgrade. Earlier this year I attempted to move the CA to a different box and failed miserably. Ended up using our freebie from Microsoft support, which also did not go well at all. Is there a better way to move the CA yet? That was my first experience with CA and needless to say I would really like to get that server out of our data center.

josiah

Greetings, my name is Josiah Munson. I am a Systems and Network Consultant working primarily with K-12 education, which in my experience usually operates in mixed environments with both PCs and Apples. Making these two talk and work well together is always a challenge. I am in the planning stages of rolling out a CA (Server 2008) for the purpose of domain security, wireless access, and network device security. The particular district I am working with currently has a robust infrastructure with authentication centered on, you guessed it, Active Directory. We plan on pushing out the certificates with Group Policy to the PCs, and we are still working on a method to push out to the Macs, possibly an OS10 server. We are using AD authentication on the Macs already. The network devices will be done manually. The primary motivation for rolling out a CA is the user experience: minimizing the certificate errors and protecting sensitive information (usernames and passwords) from sneaky students.

micheldufrenoy

And, for the rest of us? The center of the world is not Redmond. I am a consultant, working primarily with Mac OS X clients and Linux servers.

paul.gallant.iit

The only problem using self-signed digital certificates is that you have to install the Root CA certificate (.cer without the private key) on all your PCs. You can distribute the file as an embedded object in the Word document which describes the installation procedure, for example. In fact, the self-signed Root CA is more secure than Verisign or Entrust. What these companies are not telling you about is that their trust chain flaw can be exploited by the sslstrip application. To protect yourself against this, you have to install their trust chain on all your computers, which is as painful as deploying a self-signed Root CA. That's very annoying because the idea of using Verisign or Entrust digital certificates is that the Root CA is pre-installed in the OS... Personally, I like using TinyCA on Linux to manage my digital certificates. I simply modified the script using the latest version of OpenSSL to generate Microsoft-compatible X.509 certificates with extended OIDs... The only problem is when you need to install the digital certificate with its private key on Microsoft IAS (you have to grant read/write permissions to everyone on the folder which is holding the private key! Shame on Microsoft's security designer!) In short, don't believe what everybody is telling you... Even what's written in CISSP or Secure+ knowledge books! Black Hat fests are more instructive if you want to defend yourself against real security threats! ;-)

b4real

To another server that is capable of handling an additional workload (disk/RAM/CPU). Maybe consider VMware Server and using a cold-clone conversion tool. You won't be able to P2V that type of system well when it is online.

garnerl

OpenSSL comes with Linux.

drodriguez

You have made a few statements that are stretching the truth. First, there are many things to worry about in addition to SSLStrip (check out Jay Beale's "Middler 2.0"). If you are maintaining the Root CA with lax security, an attacker can simply use that Root CA to sign their own certificates to MITM connections. You are also giving up the benefit of having a vendor provide a good deal of security over the actual certificate signing process itself. Remember that ANY Root CA you decide to trust can sign certificates; you are open to MITM attacks on any SSL connections regardless of the domain (internal or external) if the Root CA itself is compromised. I find it very interesting that you mention SSLStrip and fail to mention that Moxie himself condemned the use of self-signed certs in the very same presentation that he used to release SSLStrip to the public. I think self-signed certs should only be implemented in an environment where the admins are willing to apply very strict rules and permissions on the Root CA. Although there have been attacks on the SSL chain, I have yet to hear of any major SSL vendor having their Root CA compromised directly. The SSL attacks to date are going after the certificate chain and the requests leaving the browser, not the CA itself. Most Microsoft admins have had to deal with compromised servers several times throughout their career, and a compromised Root CA could create problems far beyond what an AV solution can take care of. Last thought: if you decide to implement a Root CA and are not willing to take the additional steps to secure the CA, you are just asking an attacker to start signing certs to MITM your connections.

b4real

Can you automatically deploy certs to masses of systems? Just curious; I am not a Linux guy, but I wonder about the various distros and that approach.
