How do I configure my system to trust a CA for a specific subset of domains?

2

The company I work for has a number of internal web services accessible over HTTPS. These services use SSL/TLS certificates signed by an internal certificate authority which is only trusted by computers issued by my company. Occasionally, I need to access these services from my personal computer at home. Understandably, this triggers a security warning from my browser. Up until now I've just been ignoring those warnings, but recently I've started to feel a bit uncomfortable about that practice as it leaves my connection vulnerable to man-in-the-middle attacks.

As a solution to this problem, I want to trust the root certificate used by my company on my computer at home. In keeping with the principle of least privilege however, I only want that CA to be trusted for domains my company controls, e.g. *.internal.examplecompany.com. How can I do this? The main computer I am interested in configuring this way is running Ubuntu 12.04 LTS. (I am also interested in doing this for other devices running Windows 8 and Android, but won't ask about those right now in order to avoid making this question too broad.)

Ajedi32

Posted 2014-10-16T15:31:15.423

Reputation: 1 243

Related: http://serverfault.com/q/774930/176688

– Ajedi32 – 2016-05-05T13:19:27.483

Answers

2

There simply is no feature built into standard browsers or SSL clients to allow this. Basically a CA is either fully trusted, or not trusted at all.

I suppose it may be possible that there is some kind of plugin to allow this, but I am not aware of any.

Zoredache

Posted 2014-10-16T15:31:15.423

Reputation: 18 453

0

Occasionally, I need to access these services from my personal computer at home.

It depends on the software that uses the services. In the case of browsers...

I want to trust the root certificate used by my company on my computer at home. In keeping with the principle of least privilege however, I only want that CA to be trusted for domains my company controls, e.g. *.internal.examplecompany.com. How can I do this?

You can't. The browser security model (it's a real thing) pivots around the CA Zoo, where any CA can certify any site (even if it's the wrong CA). There is clearly no interest in changing that model. From Proposal: Marking HTTP As Non-Secure:

Open question: do you think the browsers will support a model other than the CA Zoo for rooting trust?

And the answer from the Chromium team Proposal: Marking HTTP As Non-Secure:

Chromium has no plans for this

jww

Posted 2014-10-16T15:31:15.423

Reputation: 1

Could you provide a link to more information on the CA Zoo model? Google hasn't been very helpful in turning up information on that for me... – Ajedi32 – 2014-12-21T15:28:57.433
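For software you write yourself (scripts, monitoring jobs, internal tooling) rather than a browser, the scoping the question asks for can be enforced on the client side by choosing the trust store per hostname: the internal root is loaded only for names inside the company's scope, and everything else verifies against the system store. The Python example below is added here and is not code from the question or from any of the answers. The name pattern *.internal.examplecompany.com is the one from the question; the CA bundle path is a placeholder, and the wildcard-matching rule (one label only) is an assumption chosen to mirror how TLS clients treat wildcard names.

```python
import ssl
import urllib.parse
import urllib.request

# Constructed policy for this example. The name pattern comes from the
# question; the CA bundle path is a placeholder, not a path from the page.
INTERNAL_CA_FILE = "/path/to/examplecompany-internal-root.pem"  # placeholder
INTERNAL_SCOPE = ("*.internal.examplecompany.com",)


def host_matches(pattern: str, hostname: str) -> bool:
    """Match a DNS name against a pattern.

    A leading '*' covers exactly one label (assumed here, matching the way
    TLS clients treat wildcard names), so 'a.b.internal.examplecompany.com'
    and 'evilinternal.examplecompany.com' are both out of scope.
    Plain patterns must match exactly.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern[2:].split(".")
        h_labels = hostname.split(".")
        return (len(h_labels) == len(p_labels) + 1
                and h_labels[0] != ""
                and h_labels[1:] == p_labels)
    return pattern == hostname


def in_internal_scope(hostname: str, scope=INTERNAL_SCOPE) -> bool:
    """True when the internal CA is allowed to vouch for this hostname."""
    return any(host_matches(p, hostname) for p in scope)


def trust_store_for(hostname: str, scope=INTERNAL_SCOPE) -> str:
    """Name of the trust store the client will use for this hostname."""
    return "internal-ca" if in_internal_scope(hostname, scope) else "system"


def build_context(hostname: str, internal_ca_file: str = INTERNAL_CA_FILE,
                  scope=INTERNAL_SCOPE) -> ssl.SSLContext:
    """Return an SSLContext whose trust anchors depend on the hostname.

    In-scope names get a context containing only the internal root, so that
    root can never vouch for a public site. Out-of-scope names get the
    system store, so the internal root is never consulted for them.
    Verification and hostname checking stay on in both cases.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must end at a loaded root
    ctx.check_hostname = True             # and the leaf must name this host
    if in_internal_scope(hostname, scope):
        ctx.load_verify_locations(cafile=internal_ca_file)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def verification_is_strict(ctx: ssl.SSLContext) -> bool:
    """Sanity check that a context rejects unverified or mis-named peers."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def open_https(url: str, internal_ca_file: str = INTERNAL_CA_FILE) -> bytes:
    """Fetch a URL under the scoped trust policy (needs network access)."""
    hostname = urllib.parse.urlsplit(url).hostname or ""
    ctx = build_context(hostname, internal_ca_file)
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    for name in ("wiki.internal.examplecompany.com",
                 "evilinternal.examplecompany.com",
                 "www.example.com"):
        print(f"{name:40s} -> {trust_store_for(name)}")
```

Because the in-scope context holds only the corporate root, a certificate issued by a public CA for an internal name is rejected as well; if the company ever moves those services to publicly trusted certificates, the scope list is the one place that needs to change. This per-hostname selection only works for clients you control; a browser, as the answers describe, applies a single store to every site.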