LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-20-2019, 03:26 AM   #1
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,330
Blog Entries: 3

Rep: Reputation: 3726
TLS for HTTPS on LAN or Intranet?


What are the current best practices for dealing with certificates for HTTPS for LAN-only sites, such as Intranets?

I presume there is some other option besides updating each browser individually to accept some self-signed certs. Likewise, Let's Encrypt is out of the question because there would be no outward-facing addresses to work from.

I ask because I notice that things have changed over the decades and now the browser do all but block self-signed certificates, along with putting up warnings of terrible things if the certs are allowed.
 
Old 03-20-2019, 10:24 AM   #2
cantab
Member
 
Registered: Oct 2009
Location: England
Distribution: Kubuntu, Ubuntu, Debian, Proxmox.
Posts: 553

Rep: Reputation: 115
I think the most common approach is to run a private Certification Authority, and install your root certificate on your company's devices.

Alternatively, if your internal devices have valid DNS names - something like device.lan.company.com - then you may be able to use a wildcard certificate issued by a public CA, even though the devices aren't public-facing.

When the only access is for administration, and it's not something for general employee use, I just ignore it though. Stuff like printer config pages for example.
 
Old 03-21-2019, 07:26 AM   #3
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 243

Rep: Reputation: Disabled
I run my own private CA. The Windows admins pushed out my CA cert through group policy. I use saltstack to add it to my *nix hosts. Firefox can cause issues because it uses it's own trusted CA list hardcoded into a DLL and a private list in each user profile instead of the OS ones like IE and Chrome. You will have to write instruction for firefox users to add the cert to their trusted CA certs.
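The private CA that cantab and tyler2016 describe, written out as an added example in POSIX shell with the OpenSSL command line; this is not code from the thread. It assumes OpenSSL 1.1.x or newer on PATH, and the CA name and the hostname wiki.lan.example.com are constructed placeholders. The last function performs the check a browser performs (chain to a trusted root plus hostname match against subjectAltName), and a plain self-signed certificate of the kind the OP mentions is generated alongside to show why that check fails unless the exact certificate is trusted on every client.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA for LAN-only HTTPS.
# Assumes OpenSSL 1.1.x or newer. Names below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_NAME="Example Corp Internal Root CA"

make_ca() {
  # Root key: in production keep it offline or in an HSM, since whoever holds
  # it can mint certificates that every managed device will trust.
  openssl genrsa -out "$WORK/ca.key" 3072 2>/dev/null
  openssl req -new -key "$WORK/ca.key" -subj "/CN=$CA_NAME" -out "$WORK/ca.csr" 2>/dev/null
  # pathlen:0 means this root may sign end-entity certs only, never a sub-CA;
  # keyUsage limits it to certificate and CRL signing.
  cat > "$WORK/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

issue_server_cert() {
  # $1 = intranet hostname, e.g. wiki.lan.example.com
  host="$1"
  openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$host.key" -subj "/CN=$host" -out "$WORK/$host.csr" 2>/dev/null
  # Extensions are fixed on the CA side rather than copied from the CSR, so a
  # requester cannot smuggle in CA:TRUE or extra names. Browsers match the
  # hostname against subjectAltName; a CN on its own is not accepted.
  cat > "$WORK/$host.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 398 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" 2>/dev/null
}

make_self_signed() {
  # The alternative the OP mentions: a certificate that signs itself. Chain
  # validation fails unless that exact certificate is trusted on every client.
  host="$1"
  openssl genrsa -out "$WORK/$host.self.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/$host.self.key" -subj "/CN=$host" -days 398 \
    -out "$WORK/$host.self.crt" 2>/dev/null
}

verify_chain() {
  # $1 = certificate file, $2 = trust anchor file, $3 = hostname the client expects.
  # Returns 0 when a browser-style check (chain to trusted root + name match) passes.
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}
```

The file the clients need is only ca.crt, never ca.key. On Debian-style systems it goes under /usr/local/share/ca-certificates/ followed by update-ca-certificates; Firefox keeps its own certificate store, as tyler2016 points out, so it has to be imported there separately or pushed through Firefox's own policy mechanism.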
 
Old 03-30-2019, 11:49 AM   #4
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103
the it's thing is called illiteracy, right?
 
Old 03-30-2019, 06:57 PM   #5
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,345
Blog Entries: 28

Rep: Reputation: 6145
I do not want to step out of place, but, I must say, I am somewhat nonplussed to find the grammar police nitpicking a computer forum.
 
Old 03-31-2019, 03:23 AM   #6
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by tyler2016 View Post
You will have to write instruction for firefox users to add the cert to their trusted CA certs.
you can serve the root certificate and then it's just a click on a link (and firefox will do the rest).
btw, are you saying firefox does this on both *nix and Windows?

Quote:
Originally Posted by vincix View Post
the it's thing is called illiteracy, right?
third time i've seen it on LQ today!
not arresting (or insulting) anyone, but worth noticing i think.
 
Old 03-31-2019, 04:53 AM   #7
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 243

Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
you can serve the root certificate and then it's just a click on a link (and firefox will do the rest).
btw, are you saying firefox does this on both *nix and Windows?
I could be wrong, but I think so. It has been a few years since I have gotten into the weeds with Firefox. I just compared the Chrome and Firefox root CAs on my Debian box and noticed some differences.
 
Old 03-31-2019, 05:26 AM   #8
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 243

Rep: Reputation: Disabled
Quote:
third time i've seen it on LQ today!
not arresting (or insulting) anyone, but worth noticing i think.
Are you referring to the third time someone has mixed up it's and its or that particular comment?

Quote:
I do not want to step out of place, but, I must say, I am somewhat nonplussed to find the grammar police nitpicking a computer forum.
You are not out of place. At first, I wasn't going to post anything about it (I did report it to the mods though), but since others are commenting on it, I am going to put on my grammar police pants and make a point.

I am a native English speaker. A good portion of us on here are not. I think if we are going to point out grammatical errors, it would be helpful to explain the error. English is challenging because of its inconsistencies. Consider English spelling and pronunciation. English has a phonetic alphabet-- sort of. If it were strictly phonetic the word known would be pronounced much differently than it is. In my case, I am aware of the difference between its and it's-- I simply made a mistake. In English, possession is generally shown by adding 's. A noun is made plural in most cases by adding an s. A plural possessive is generally created by adding an ' after the final s. Contractions are annotated with an '. Now we have the gems of its and it's. By following the general rules its would be plural its, it's would be ambiguous, since it could be the contraction it is or a single it possessing something. Following the rules, one would think its would be the plural of it.

If we were to start pointing out and correcting every Language error, this forum would no longer be about Linux, but about the English language. If you think I am exaggerating consider a sample of mistakes other than mine on this thread alone:

Quote:
third time i've seen it on LQ today!
not arresting (or insulting) anyone, but worth noticing i think.
The first line is missing the subject and the first word isn't capitalized.
The second line has the same issues along with unneeded parentheses.

Quote:
the it's thing is called illiteracy, right?
The first word isn't capitalized.

Quote:
I ask because I notice that things have changed over the decades and now the browser do
The word browser should be browsers or do should be does.

I see at least one mistake in cantab's post. Can anyone point it out? Are there more than one? Please don't answer. I think we all understood what cantab meant.
 
Old 03-31-2019, 07:46 AM   #9
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103
@tyler2016 I am clearly not a native English speaker, but it is annoying to see that it's basically been replaced altogether by "it's" and I do think it is worth pointing it out. Of course I needed to be slightly caustic, just to make a point. But you're basically rationalising in your last post. While I agree with you that English (in contrast probably to any other European language) has almost no phonetic rules and the writing is almost random ("oo" - pronounced in three different ways), it's still just rationalising.
@frankbell If pointing this out makes me a police officer, I'm happy to bear the authority!
 
Old 03-31-2019, 09:13 AM   #10
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 243

Rep: Reputation: Disabled
Quote:
Of course I needed to be slightly caustic, just to make a point
Why was being caustic necessary to make your point? Slightly is an understatement. Your comment implied those who incorrectly use it's and its are illiterate.

How am I rationalizing it when I admitted to the mistake? The point was, it is easy for even a native English writer who knows the difference to make common mistakes. There are a lot of mistakes by several people in this thread. Thus, if we start pointing out every mistake, the forum would no longer be a Linux technical forum.

If we are to point out language mistakes, I don't think being slightly caustic, as you put it, is the best approach. A caustic approach creates an incentive to avoid the community.

Last edited by tyler2016; 03-31-2019 at 09:14 AM.
 
Old 03-31-2019, 01:30 PM   #11
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103
Never mind, I didn't mean it to sound that aggressive after all. I'm happy that you're interested in the language. I think language mistakes fall into very different categories. It's one thing to express something (as a foreign speaker, for instance) in a non-idiomatic way, and quite a different thing to perpetuate a grammar mistake that you'd normally start avoiding after finishing elementary school (no offence meant, I understand your language skills are much better than that, that's not the point). I guess as a native speaker you'd expect to have a kind of implied responsibility, I don't know... But as long as I was able to draw attention to it, then that's just fine

I also wanted to add something to the actual thread, because I'm also interested in it, but the others seem to have said more or less everything there was to say. I suppose a long-term public certificate (non-letsencrypt) would be a viable solution, that's what we're currently using, but I wouldn't see any real difference as far as security is concerned in using self-signed certificates.
Using a public certificate would mean that you don't have to install anything on anyone's computer, so I'd find that more practical in a way, but it also depends on the complexity of the setup.

Last edited by vincix; 03-31-2019 at 01:35 PM.
 
Old 03-31-2019, 01:47 PM   #12
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,735

Rep: Reputation: 2212
vincix:
It’s not illiteracy, or even a grammatical error. It’s only a spelling error.
And just to clarify the rule, the only time there should be an apostrophe is when the use is as a contraction for “it is”

And, pointing out such in a technical forum is both inappropriate, because it’s off-topic, and rude. Please don’t do it again.
Thank you.
 
Old 03-31-2019, 01:56 PM   #13
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103
Well, no, it's definitely not only a spelling error. It's not a typo, it's not about writing in a hurry. With that I think we must all agree. It's a systematic substitution.

While I agree that pointing this out in a technical forum might be inappropriate, the idea itself that pointing out a grammar mistake is rude can't be correct. I agree that the way I did it is rude, but as a general rule it doesn't work. If people were to correct my mistakes (of whatever kind they may be) I would be happy, really. Of course, not in the rude manner in which I do, but in any case...

Last edited by vincix; 03-31-2019 at 02:03 PM.
 
Old 03-31-2019, 05:42 PM   #14
young_jedi
Member
 
Registered: Mar 2019
Posts: 37

Rep: Reputation: Disabled
I would think it's just how you set up the hierarchy. But just to throw stuff out there, there's a program called SSLsplit which, for connections that are redirected to it, can generate and sign X509v3 certificates on-the-fly for them (or it can use existing certificates of which the private key is available), and then initiate an SSL/TLS connection to the original destination address the client was requesting, while logging all data transmitted. It does this via NAT, but besides NAT SSLsplit also supports static destinations and using the server name indicated by SNI as upstream destination. SSLsplit is purely a transparent proxy and cannot act as an HTTP or SOCKS proxy configured in a browser.

Last edited by young_jedi; 04-01-2019 at 08:00 PM.
 
Old 03-31-2019, 07:04 PM   #15
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 243

Rep: Reputation: Disabled
Quote:
Originally Posted by young_jedi View Post
I would think it's just how you set up the hierarchy. But just to throw stuff out there, there's a program called SSLsplit which, for connections that are redirected to it, can generate and sign X509v3 certificates on-the-fly for them, and then initiate an SSL/TLS connection to the original destination address the client was requesting, while logging all data transmitted. It does this via NAT, but besides NAT SSLsplit also supports static destinations and using the server name indicated by SNI as upstream destination. SSLsplit is purely a transparent proxy and cannot act as an HTTP or SOCKS proxy configured in a browser.
I have run into problems with SNI. I have had to stick HAProxy between a vendor's API that required SNI and a local application because the local application's TLS library couldn't handle the SNI extension.
 
  

