-1

I have an Active Directory mydomain.local.

I have an intranet web site with Ubuntu and Apache intranet.mydomain.local.

I need an SSL certificate for this domain which can resolve all Active Directory clients.

How do we generate the certificate?

How will this certificate automatically resolve the Active Directory clients?

Do we generate the SSL certificate on AD and then import it to Ubuntu?

2
  • If you have AD CS, use it. Commented Jun 3 at 8:26
  • Certificates don't "resolve" clients, and clients don't resolve certificates. You probably mean will it work. Generally speaking, no, it will not. Additionally, there is almost never a need to use self-signed certificates due to the multiple options available that use real certificates. – Greg Askew Commented Jun 3 at 9:40

1 Answer 1

0

Do set up a public key infrastructure (PKI) properly, have an offline root separate from the online issuing server. AD Certificate Services is one implementation, mentioning it specifically because you already are doing the work of AD. Other solutions exist.

Do not use self-signed certificates for the end user, for example the https service on www.intranet.example.net. Starting a new root of trust for everything is difficult to secure, and annoying to manage.

Do trust your root CA on each managed host (clients and servers), so that their TLS implementations can verify the certificate chains. This is done via cryptographic math, not anything inherent to a DNS name. exampleRoot1 can sign exampleIssuingCA1 can sign www.intranet.example.net.

Do automate the process of TLS servers renewing certificates. In this case, for Apache httpd. How exactly depends on the PKI software you choose. It is worth noting that there are good options that make it easy to renew certs every day. Smallstep can run a private ACME (certbot) server plus other integrations, as an issuing CA in an existing PKI. So if you wanted, you could have AD members and ACME clients, both getting certs in their preferred way, while sharing a root.

Do not use .local domains. That is reserved for mDNS. Get internet domain names from a registrar.
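The chain the answer describes (exampleRoot1 signs exampleIssuingCA1, which signs www.intranet.example.net), built with the openssl CLI as an added example; this is not the answer's own code and does not use AD CS or Smallstep, it only shows the shape of the chain and the check a client performs. The CA and host names come from the answer; the file names, the extension files and the temp directory are this example's assumptions, and the server name is an example name, not the asker's .local domain. Both CA keys are generated on one machine purely for illustration; in the layout the answer recommends, the root key is created and kept on an offline host.

```shell
#!/bin/sh
# Added example: two-tier private PKI (offline root -> issuing CA -> server cert)
# with openssl. Names follow the answer; paths/extension files are assumptions.
set -eu

build_pki() {
  pki_dir="$1"
  mkdir -p "$pki_dir"
  (
    cd "$pki_dir"

    # 1. Root CA: self-signed, long-lived, allowed to sign one tier of
    #    subordinate CA (pathlen:1). Kept offline in a real deployment.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:1' \
                  'keyUsage=critical,keyCertSign,cRLSign' \
                  'subjectKeyIdentifier=hash' > root.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout root.key -out root.csr -subj '/CN=exampleRoot1' 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
      -extfile root.ext -out root.crt 2>/dev/null

    # 2. Online issuing CA: signed by the root, may sign end-entity certs only.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                  'keyUsage=critical,keyCertSign,cRLSign' \
                  'subjectKeyIdentifier=hash' \
                  'authorityKeyIdentifier=keyid' > issuing.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout issuing.key -out issuing.csr -subj '/CN=exampleIssuingCA1' 2>/dev/null
    openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 1825 -sha256 -extfile issuing.ext -out issuing.crt 2>/dev/null

    # 3. Server certificate: short-lived, serverAuth only, host names in the
    #    SAN (TLS clients match the SAN, not the CN).
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                  'keyUsage=critical,digitalSignature,keyEncipherment' \
                  'extendedKeyUsage=serverAuth' \
                  'subjectAltName=DNS:www.intranet.example.net,DNS:intranet.example.net' \
                  'authorityKeyIdentifier=keyid' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout leaf.key -out leaf.csr -subj '/CN=www.intranet.example.net' 2>/dev/null
    openssl x509 -req -in leaf.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
      -days 90 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

    # 4. What the web server presents: leaf first, then the issuing CA, never the root.
    cat leaf.crt issuing.crt > chain.crt
  )
}

# Returns 0 only if leaf.crt chains to the trusted root.crt through issuing.crt
# AND is valid for the given host name: the check every client with the root
# installed performs, and nothing DNS does for you.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/issuing.crt" \
    -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1
}

# Prints subject and issuer of each certificate so the chain can be inspected.
show_chain() {
  for f in root issuing leaf; do
    openssl x509 -in "$1/$f.crt" -noout -subject -issuer
  done
}

demo_dir=$(mktemp -d)
build_pki "$demo_dir"
show_chain "$demo_dir"
for host in www.intranet.example.net intranet.example.net www.example.org; do
  if verify_chain "$demo_dir" "$host"; then
    echo "$host: chain OK"
  else
    echo "$host: NOT valid for this name"
  fi
done
rm -rf "$demo_dir"
```

For Apache httpd 2.4.8 or later, `chain.crt` goes in `SSLCertificateFile` (the intermediate is read from the same file) and `leaf.key` in `SSLCertificateKeyFile`; only `root.crt` is distributed to clients, for example by Group Policy on AD members or by placing it under `/usr/local/share/ca-certificates/` and running `update-ca-certificates` on Ubuntu hosts. The 90-day leaf lifetime is what makes the renewal automation the answer calls for necessary rather than optional.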
