I am developing an internal web application. I think it would be a good idea to secure the local web server with an https certificate. I read several postings recommending certificates on local servers. This is a large company with its own Certificate Authority, i.e., the Networking group creates the certificates. This group told me to create the CSR so that they can create the certificate.
Now I found numerous tutorials for creating a CSR. The IIS web server has a CSR/Cert tool, and there is also a tool in the Windows MMC. The open source tool OpenSSL seems also useful.
My question now is if it is correct to let a software developer create the CSR in the first place. Of course I will be able to figure out how to create a CSR, but is this the best way to keep the network secure? Should, in a large company environment with numerous servers and developers, security not be handled centrally by the networking group or by the system manager(s)?
This is a company environment where I, as a developer, am not trusted to be admin for my own development pc. But the system manager lets me decide to operate a server with http or https, lets me create and manage private key, and signs my CSR to create a certificate.
How can I be trusted, as a humble developer, to keep the primary key secret, to fill the CSR with true information, to install the certificate where it should be, and to renew the certificate in time?
Is this really secure, and how the CSR is meant to be handled?
Or should system mgmt enforce the use of https, and create the CSR itself, take care of the primary key, install the certificate, and take care of renewal?
I believe this is a general question, as many tutorials exist on how to create the CSR, but without discussing WHO should create the CSR and the implications on the overall security of the company network.