
My company uses .local for intranet web services. I recently installed a GitHub Enterprise server, which is thus available at github.mycompany.local. Unfortunately it seems impossible to obtain a signed certificate for such extensions.

I would like to find a solution where I can use a trusted certificate accepted by both my web browser and my local Git without having to put my server into the DMZ.

What are the options?

Let me explain this in different words. A company would like to have intranet web services, but those services have to be secured with TLS/SSL. As they can't have a connection to the real world, they can't use any "standard signed certificate". How can they do this without giving up and choosing between:

  1. Let's educate our employees to accept self-signed certificates each time they want to access our web services...
  2. Let's simply use HTTP. The login passwords will be exchanged in the clear, but nobody will try to hack the company from the inside...
  • You may want to look at this: datacenteroverlords.com/2012/03/01/…
    Commented Oct 7, 2017 at 7:33
  • Another option is to set up your own CA server, generate your certs, and push down browser configuration trusting your CA.
    Commented Oct 7, 2017 at 7:35
  • @FrankThomas Is this something common? I know a company that put a middle man between the intranet and the internet because they want to know what employees do for "security" reasons.
    – nowox
    Commented Oct 7, 2017 at 7:37
  • Well, that's generally a certificate substitution technique, where they intercept your HTTPS connection initiation, insert themselves in the middle, decrypt web traffic, and then re-encrypt it before delivering it to the client. In my suggestion, you would have a completely legit CA, but no software will trust it unless told to do so.
    Commented Oct 7, 2017 at 7:48

1 Answer

I would put money on the table and say that it's simply impossible to get a certificate from a reputable CA for a .local domain, for much the same reason that you won't be able to get a certificate for localhost.

In order to issue certificates for such a domain you could set up your own CA and add it to the trusted CAs on your corporate computers. What's involved in getting this going depends on the operating system. You might also be able to import the self-signed CA into your local certificate store to get rid of the warning.

A rough guideline would be:

  • Set up a machine to be the CA
  • Create a root cert
  • Add the cert to your company's computers as a CA cert so certs issued by your CA will be trusted
  • Start issuing certs, or set up a more intricate system using an intermediate CA
  • Do you know how to do this with Git on the command line? My problem with SSL is that my Git refuses to connect to my GitHub appliance because the certificate is not safe enough.
    – nowox
    Commented Oct 7, 2017 at 7:38
  • You would configure the operating system itself, if I had some more details about the machine running the git command and how you generated your certificate I could point you to a better resource.
    – Rob M
    Commented Oct 7, 2017 at 7:40
  • Let us continue this discussion in chat.
    – Rob M
    Commented Oct 7, 2017 at 7:41
  • Have you tried the .gitconfig settings described here? stackoverflow.com/questions/13957294/…
    Commented Oct 7, 2017 at 7:49
  • @RobbieMckennie You said "Start issuing certs or setup a more intricate system using an intermediate CA". I don't know anything about this, but I am assuming it is possible to have a signed public instance such as ca.mycompany.com that provides intermediate root certificates for *.mycompany.local. In this case I might not be required to install the root-ca on all the company computers. Is that correct?
    – nowox
    Commented Oct 10, 2017 at 8:49
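
The answer's rough guideline and the .gitconfig suggestion in the comment thread above, carried through end to end as an added example (not code from the original answer or comments): a minimal private CA built with openssl that creates a root certificate, issues a leaf certificate for github.mycompany.local with a matching subjectAltName, runs the same chain validation a browser or Git performs once the root is trusted, and writes the Git setting that points http.sslCAInfo at the root certificate for that host only. The organisation name "Example Corp", the scratch directory and the validity periods are assumptions; an intermediate CA is not shown. The root key stays on the CA machine, and only root.crt is distributed to the OS and browser trust stores.

```shell
#!/bin/sh
# Added example, not code from the original answer or comments.
# Assumptions: organisation name "Example Corp", a scratch WORKDIR,
# 10-year root / 825-day server validity; the host name comes from the question.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch location for keys and certs

# Steps 1-2: one machine acts as the CA and creates a self-signed root certificate.
# The root key must never leave this machine; only root.crt is distributed.
make_root_ca() {
    mkdir -p "$WORKDIR/ca"
    cat > "$WORKDIR/ca/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
O = Example Corp
CN = Example Corp Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$WORKDIR/ca/root.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$WORKDIR/ca/root.key" \
        -config "$WORKDIR/ca/ca.cnf" -out "$WORKDIR/ca/root.crt"
}

# Step 4: issue a leaf certificate for one intranet host. Browsers and Git
# require the host name in subjectAltName; a matching CN alone is not enough.
issue_server_cert() {
    host="$1"
    cat > "$WORKDIR/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Corp
CN = $host
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
    openssl genrsa -out "$WORKDIR/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$host.key" -config "$WORKDIR/$host.cnf" \
        -out "$WORKDIR/$host.csr"
    openssl x509 -req -sha256 -days 825 -in "$WORKDIR/$host.csr" \
        -CA "$WORKDIR/ca/root.crt" -CAkey "$WORKDIR/ca/root.key" -CAcreateserial \
        -extfile "$WORKDIR/$host.cnf" -extensions v3_server -out "$WORKDIR/$host.crt"
}

# The check a client performs once root.crt is in its trust store:
# exit status 0 means the leaf chains to our root.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca/root.crt" "$WORKDIR/$1.crt" >/dev/null
}

# Prints the subjectAltName of the issued certificate, e.g. "DNS:github.mycompany.local".
san_of() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# Step 3 for Git specifically: trust the root for this host only
# (equivalent to: git config --global http.https://$host/.sslCAInfo <path>).
# Prints the path of the snippet, which can be appended to ~/.gitconfig.
write_git_trust() {
    host="$1"
    cat > "$WORKDIR/gitconfig-snippet" <<EOF
[http "https://$host/"]
    sslCAInfo = $WORKDIR/ca/root.crt
EOF
    echo "$WORKDIR/gitconfig-snippet"
}

# Demo run for the host from the question.
make_root_ca
issue_server_cert github.mycompany.local
verify_chain github.mycompany.local && echo "chain OK: $(san_of github.mycompany.local)"
write_git_trust github.mycompany.local
```

Scoping the Git setting to `http."https://github.mycompany.local/"` rather than the global `http.sslCAInfo` keeps Git's default trust store for every other remote; a global override would silently make every public HTTPS remote depend on the internal root alone. The same root.crt is what gets pushed to the OS or browser trust store on the company's computers.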
