I want to set up a ticketing system in my company for managing/tracking support tickets and a knowledge base of past issues.

I am having trouble figuring out the best way to encrypt the traffic to this server. It won't be externally accessible and I don't want to register a domain for it.

If I could somehow self-sign a cert and then trust the cert on all the machines in our network via Group Policy I think my job would be done, but I'm having trouble finding out how to go about that.

Any direction would be greatly appreciated! Thanks.

Justin Grimes
  • https://www.google.com/search?rlz=1C1NHXL_enUS758US758&ei=XhjFWt_mDorbjwSF7JPICA&q=deploy+self-signed+cert+with+group+policy&oq=deploy+self-signed+cert+with+group+policy&gs_l=psy-ab.3...7917.9069.0.9268.6.6.0.0.0.0.90.470.6.6.0....0...1c.1.64.psy-ab..0.0.0....0.uKtydJ6bkAw – joeqwerty Apr 04 '18 at 18:27
  • Active Directory Certificate Services? – Michael Hampton Apr 04 '18 at 20:03
  • I was able to generate a cert and added it to the Windows Trusted Root CA's list but I'm not sure how to have ampps use this cert instead of whatever it's trying to use. – Justin Grimes Apr 04 '18 at 20:42

1 Answer

I believe what you are looking for is a way to use a self-signed certificate to host a web app internally on your network and have it be trusted?

If you are using IIS to host the site you can make a self-signed certificate on the main server home page under "Server Certificates" and click on self-signed certificates on the right.

Then add a binding to the site for HTTPS support and select the certificate to use for that binding.

Once that is complete, add the certificate to Active Directory.

Radar5000
  • That's exactly what I'm trying to do. Thanks for the walk through. I'm using ampps at the moment but I'm going to try again with IIS tomorrow using your advice. – Justin Grimes Apr 04 '18 at 23:23
  • @JustinGrimes Good, let me know if you need me to clarify any part of it. It was confusing for me the first time I did it but it's not that bad. – Radar5000 Apr 05 '18 at 14:37
  • Sorry it took so long to get back to you. I had an urgent matter come up last week. Since then I've given up on IIS because I don't have a free license for Server 2008 and it seems like overkill. I set up a Linux VM (since I'm more comfortable in a Linux environment anyway) and set up the server there. I was able to generate a self-signed cert but no matter what I do or how much information I add to it I still cannot get it to be trusted. – Justin Grimes Apr 11 '18 at 19:06
  • I added the local IPv4 of the VM as the name for the CA but even when it's added to a Windows Certificate Store as a CA it still won't trust the cert. By using Chrome and pressing F12 on the website I can see that Chrome throws the message "The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address." I've tried to specify this and when I view the cert it appears to contain a valid domain name. – Justin Grimes Apr 11 '18 at 19:08
  • I'm curious about 1) what kind of technology stack the app is running on and 2) what the dominant OS is for your current servers. If you're running Windows Server or just a Windows desktop, it does not cost anything to enable the IIS feature, and I figured IIS would be less of a headache, but if you're running primarily Linux then I see how that can be overkill. As to the current certificate, what are the exact steps you are taking to add it? – Radar5000 Apr 12 '18 at 01:27
  • Here is a Microsoft article on how to https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy – Radar5000 Apr 12 '18 at 01:37
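
The Chrome message quoted in the comments above means the certificate needs a Subject Alternative Name (SAN) entry for the exact IP address or host name typed into the browser. The following is an added example, not code from the original posts: it generates a CN-only certificate and a SAN-bearing one with OpenSSL on a Linux host and checks each before distribution. It assumes OpenSSL 1.1.1 or later (for `-addext`); the address 192.0.2.10, the name tickets.corp.example and the file names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example; needs OpenSSL 1.1.1+ for -addext.
# Constructed values: 192.0.2.10 (documentation IP) and tickets.corp.example.

# CN-only certificate: the address appears only in the subject, no SAN extension.
make_cn_only_cert() {   # $1 = output prefix, $2 = IP address
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Certificate whose SAN lists both the IP and a DNS name clients may type.
make_san_cert() {       # $1 = output prefix, $2 = IP address, $3 = DNS name
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$3" \
        -addext "subjectAltName=IP:$2,DNS:$3" 2>/dev/null
}

# Succeeds only if the SAN extension holds exactly the given entry,
# written the way openssl prints it, e.g. "IP Address:192.0.2.10".
san_has() {             # $1 = certificate file, $2 = SAN entry
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF "$2"
}

demo() {
    local dir c
    dir=$(mktemp -d) || return 1
    make_cn_only_cert "$dir/old" 192.0.2.10
    make_san_cert "$dir/new" 192.0.2.10 tickets.corp.example
    for c in old new; do
        if san_has "$dir/$c.crt" "IP Address:192.0.2.10"; then
            echo "$c.crt: SAN covers 192.0.2.10"
        else
            echo "$c.crt: no SAN entry for 192.0.2.10"
        fi
    done
    rm -rf "$dir"
}
demo
```

Only the `.crt` file is what gets imported into the Windows trust store or distributed through Group Policy; the `.key` file stays on the web server.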