
I'm helping out a large church with some IT stuff. They have lots of internal secure connections, like to the security cameras or to the UniFi AP controller, that want to use HTTPS. Of course each of those gets an unsafe/not private warning message.

There is no way they are going to pay for certs for these devices. So my only thought was to self-sign... what should I do and what's the best practice? If I sign my own, should I do that from the domain controller? Does it really matter?

How would I set those to be trusted? Can I use group policy (0 experience doing so) to install those?

Is the actual SSL affected in any way by the cert, or lack thereof?

Edit: Most of these devices will not be accessed externally. If they are it would be by VPN. My question is for internal devices, that will not be internet accessible.

Thanks

wlraider70

1 Answer


In this case I would recommend installing Active Directory Certificate Services (Enterprise Root CA role), and using the default WebServer certificate template to issue SSL certificates to your SSL/HTTPS servers. ADCS automatically publishes its certificate to Active Directory, so it is trusted by any member of the Active Directory forest after the next group policy update. This includes CryptoAPI clients, Internet Explorer and many 3rd-party clients (except Firefox and Opera browsers, where you will have to configure certificate trust manually or via ADM templates for Firefox). More details:

Install a Root Certification Authority

Web server certificate enrollment with SAN extension

Crypt32
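An added worked example of the procedure the answer describes (it is not code from the answer or its linked articles): stand up the Enterprise Root CA, request a WebServer-template certificate with SAN entries for a non-domain device, hand it to the device as a PFX, and check from a workstation that the chain is trusted. The CA name `ChurchRootCA`, the hostname `unifi.corp.example` and the paths are made-up assumptions.

```powershell
# Added example, not the answer's own code. Assumed names: CA 'ChurchRootCA',
# device hostname 'unifi.corp.example', output path C:\temp\unifi.pfx.

# --- 1. On a domain-joined Windows Server, as an Enterprise Admin: install the Enterprise Root CA.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'ChurchRootCA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
# The CA publishes its root certificate to AD; domain members pick it up through
# Group Policy and it appears in Cert:\LocalMachine\Root on each machine.

# --- 2. Request a certificate for the device from any domain-joined machine.
# The WebServer template takes the subject from the request, so the DNS SANs come from -DnsName.
# By default only Domain Admins / Enterprise Admins may enroll for this template.
# Use DNS names that clients will type in the URL; browsers do not match an IP URL
# against a dNSName entry, so give the device a DNS record rather than using its IP.
$req = Get-Certificate -Template WebServer `
    -SubjectName 'CN=unifi.corp.example' `
    -DnsName 'unifi.corp.example', 'unifi' `
    -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') { throw "Enrollment not completed: $($req.Status)" }

# --- 3. Export key + certificate as PFX for the device's admin UI, then remove the
# local copy so the private key lives only on the device.
$pfxPass = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $req.Certificate -FilePath 'C:\temp\unifi.pfx' -Password $pfxPass
Remove-Item "Cert:\LocalMachine\My\$($req.Certificate.Thumbprint)" -DeleteKey

# --- 4. On a workstation: confirm the root arrived via Group Policy and the chain
# validates for SSL use against the hostname clients will connect to.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq 'CN=ChurchRootCA'
if (-not $root) { Write-Warning 'Root CA not trusted on this machine yet; run gpupdate /force' }
Test-Certificate -Cert $req.Certificate -Policy SSL -DNSName 'unifi.corp.example'
```

Step 4 only proves Windows trust; browsers that keep their own trust store (as the answer notes for Firefox and Opera) still need the root imported separately.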