Do you setup SSL for Intranet websites only
- 
 Self-signed isn't too bad if you have a way to install your own Root CA to the computers. 
- 
 In a Windows environment with AD I set up a domain CA and all the servers and devices get an internal SSL that is trusted by the devices joined to the domain. That's the only use I do for internal SSLs but it takes some time to set up though. 
- 
 @black3dynamite said in Do you setup SSL for Intranet websites only:
 > Self-signed isn't too bad if you have a way to install your own Root CA to the computers.

 That is not self signed. That is signed by a trusted (local) CA. 
- 
 I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it. 
- 
 @fiyafly said in Do you setup SSL for Intranet websites only:
 > I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it.

 Here’s a few sites I’ve been using to set up a local CA. This one is pretty basic.
 https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
 https://jamielinux.com/docs/openssl-certificate-authority/introduction.html 
- 
 @jaredbusch said in Do you setup SSL for Intranet websites only:
 > @black3dynamite said in Do you setup SSL for Intranet websites only:
 > > Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
 >
 > That is not self signed. That is signed by a trusted (local) CA.

 I think that local CA is us, we often think of it as self signed. Just a way to trust something that we signed ourselves. 
- 
 @scottalanmiller said in Do you setup SSL for Intranet websites only:
 > @jaredbusch said in Do you setup SSL for Intranet websites only:
 > > @black3dynamite said in Do you setup SSL for Intranet websites only:
 > > > Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
 > >
 > > That is not self signed. That is signed by a trusted (local) CA.
 >
 > I think that local CA is us, we often think of it as self signed. Just a way to trust something that we signed ourselves.

 A local CA is nothing like a system generating a basic self signed cert. A local CA can (more) easily be trusted by all browsers on the network. Self-signed certs would all have to be individually trusted. 
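To make the distinction in the post above concrete, here is an added example (not posted by anyone in the thread) that builds a throwaway local CA with OpenSSL and checks what a client would trust with only that CA installed, compared with self-signed certificates. The host names, CA name and file names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. Host names, CA name and file names are constructed placeholders.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
# Local root CA: the one certificate that gets pushed to every client's trust store.
make_ca() {
  openssl req -x509 -config "$WORK/ssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server certificate for host $1, signed by the local CA (the SAN carries the host name).
issue_cert() {
  openssl req -new -config "$WORK/ssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Self-signed certificate for host $1: issuer and subject are the host itself.
self_signed() {
  openssl req -x509 -config "$WORK/ssl.cnf" -extensions v3_leaf -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Succeeds only if certificate $2 chains to the trust anchor file $1.
trusted_by() { openssl verify -CAfile "$WORK/$1" "$WORK/$2" >/dev/null 2>&1; }

make_ca; issue_cert wiki.corp.example; issue_cert git.corp.example
self_signed printer.corp.example; self_signed nas.corp.example
for c in wiki git printer nas; do
  if trusted_by ca.crt "$c.corp.example.crt"; then r=trusted; else r="NOT trusted"; fi
  echo "$c.corp.example with only ca.crt installed: $r"
done
```

Only `ca.crt` has to reach the clients; `ca.key` stays on the CA host, since anyone holding it can issue certificates those clients will accept.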
- 
 Are there any good articles on how to create a local CA? 
- 
 @donahue said in Do you setup SSL for Intranet websites only:
 > are there any good articles on how to create a local CA?

 https://mangolassi.it/topic/18175/do-you-setup-ssl-for-intranet-websites-only/22
 The second link is an updated version based on the third link. 
- 
 @dustinb3403 said in Do you setup SSL for Intranet websites only:
 > Near-zero value in someone attacking is what I meant. Not a zero-value in what is provided by the systems. Also there is nothing confidential or needing "security" from a business perspective, which is why I ask is SSL worth it for these types of Intranet sites?

 You need SSL for everything, period. Even if it's a self-signed cert it's fine... just allow the exception in the web browser and be done, or use an internal certificate if your browsers are set to trust the root... or a domain wildcard cert would work just fine. It's easy to do. You could set out a reverse proxy for use with Let's Encrypt, and use the reverse proxy for all of your internal-only web servers. On the reverse proxy, you can limit each site config to only pass internal IPs only. That's what I did for a few. For example, if you add this in:

     allow 10.0.0.0/8;
     allow 172.16.0.0/12;
     allow 192.168.0.0/16;
     deny all;

 It will not proxy anything unless it comes from an internal IP. 






