Need some advice pointers on setting internal certificates.
Posted by javajo91@reddit | sysadmin | 15 comments
Hey guys. Small Windows wired Ethernet network. 25 users. VSphere environment.
We have a handful of Windows servers that host internal admin related sites. Plus ESXi boxes for vSphere.
I’d like to get rid of the vulnerability of using self-signed certs internally.
Should I use Let’s Encrypt and call it a day?
Adding onto this question. We are also looking to implement 802.1x for our wired LAN. (I know this is overkill given our size but it’s an audit issue and it would wipe this discussion away)
Given this future project, should I simply deploy AD CS?
We do not use Intune as we are a small shop.
TLDR: I’d like to have my browsers trust our internal web servers and I’d like to implement a small 802.1x infrastructure.
Thank you.
MooseWizard@reddit
Set up MS CA, push your root and sub-ca certs with group policy and call it a day.
Let's Encrypt certs are valid for 90 days (45 days by 2028) so unless you can automate everything that would use a cert, that's a path to heartache.
javajo91@reddit (OP)
Thank you again. I’m just getting around to planning this out so my apologies for the gap in response! What options should be selected to be able to issue self-signed certs and also down the road to be able to implement 802.1x?
javajo91@reddit (OP)
Good to know. Thank you.
Granntttt@reddit
You don't need to push the certs with group policy. They should get automatically added to the AD CS containers, which pushes them for you.
javajo91@reddit (OP)
Good to know. Thank you.
Wise-Butterfly-6546@reddit
For your size, AD CS is the right call. Here's why:
Let's Encrypt is great for public-facing services, but it won't help you with internal trust. Your browsers need to trust your internal web servers, and Let's Encrypt certs require public DNS validation. For internal-only hostnames (like server.local or admin.internal.yourdomain.com), Let's Encrypt won't issue certs at all. You'd have to expose internal hostnames publicly which defeats the purpose.
AD CS with a two-tier PKI (offline root CA + online issuing CA) is the gold standard, but honestly for 25 users that's overkill. A single-tier AD CS deployment on one of your existing DCs will work fine. Here's the approach:
Install the AD CS role on a Windows Server (not your primary DC if possible, but at 25 users it's not the end of the world). Configure it as an Enterprise Root CA.
Since your machines are domain-joined, the root CA cert will automatically distribute to all domain computers via Group Policy. No manual cert installs on each machine. Browsers (Edge, Chrome) will automatically trust anything issued by your CA. Firefox is the exception - it uses its own cert store, but you can push a GPO to make it use the Windows store.
Set up auto-enrollment templates for your web servers. This means certs renew themselves. No more expired cert emergencies.
For 802.1x - yes, you absolutely need AD CS for this. 802.1x with EAP-TLS requires machine certificates, and AD CS with auto-enrollment is by far the cleanest way to handle this. You'll also need a RADIUS server (NPS role on Windows Server works fine for your size). Your switches will need to support 802.1x as well.
The order I'd do this: AD CS first, get your web server certs sorted, then tackle 802.1x as phase two. Don't try to do both at once.
javajo91@reddit (OP)
Perfect. Thank you so much for that explanation! Much appreciated. Given our size, I’d like to keep things as simple as possible with not a tremendous amount of upkeep. This sounds like the way to go to tackle both my needs. Thank you again.
Man-e-questions@reddit
Preferably on a member server that is locked down tighter than a DC (never really best practice to put other roles on a DC)
javajo91@reddit (OP)
Cool. Thank you. Any “Gotchas” I should be aware of when adding this role and getting it to work? I’ve never had the opportunity to do this before given my small shop background.
Granntttt@reddit
Make sure you give it a good name when you set it up. You can freely change "CN=" to anything you like, add an organisation (O), etc.
javajo91@reddit (OP)
Noted. Thank you.
HumbleSpend8716@reddit
This is an AI SLOP ANSWER
joeykins82@reddit
It may be AI, but on this occasion it's correct.
_bx2_@reddit
Thank you for your reply. I struggle with certs so this was some good information for me as well.
anonymousITCoward@reddit
Setup your own CA?