I'm managing a small wired Ethernet network with about 25 users, and we're running a vSphere environment. We have several Windows servers that host internal admin sites, along with ESXi boxes for vSphere. I'm looking to eliminate the security risks associated with using self-signed certificates internally. Would using Let's Encrypt be a viable solution, or is there a better option? Furthermore, we plan to implement 802.1x for our wired LAN, primarily due to audit requirements, even though it may seem excessive for our size. Should I just go ahead and deploy Active Directory Certificate Services (AD CS) for this setup? We're not utilizing Intune since we're a small operation. Essentially, I want our browsers to trust our internal web servers and establish a basic 802.1x infrastructure. Thanks in advance!
2 Answers
You could definitely set up your own CA to handle certificates internally. AD CS is capable of pushing root and sub-CA certs using group policy, making it pretty straightforward. Keep in mind that Let's Encrypt certs expire in 90 days (and will go down to 45 by 2028), which means if you can't automate your certificate usage, you could run into some headaches down the road.
For a small setup like yours, using AD CS is really the way to go. Let's Encrypt is great for public sites, but it can't help you with internal trust since it needs public DNS validation, which wouldn't work for your internal hostnames. You don’t want to expose your server names to the public just to get a certificate. Setting up AD CS with a single-tier structure on one of your existing Domain Controllers is quite manageable and will allow browsers on domain-joined machines to automatically trust the certificates issued by your CA. Plus, it keeps things simple since you can use group policy to push it out. Also, for implementing 802.1x, you definitely need AD CS; it's the cleanest way to handle required machine certificates. Start with AD CS, sort out your web server certs, and then tackle 802.1x afterward.
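As an added example (not code from either answer), here is a PowerShell sketch of the path described above: stand up a single-tier Enterprise Root CA on one server, then check from a domain-joined machine that the root is trusted and which local certificates are still self-signed or close to expiry. The CA common name, key size, hash and validity period are assumptions to adjust to your own standard.

```powershell
#Requires -RunAsAdministrator
# --- Part 1: run once on the Windows server that will host the single-tier CA ---
# Assumed values (not from the answers): CA name 'CORP-Root-CA', 4096-bit RSA, SHA-256,
# 10-year root validity.
function Install-InternalRootCA {
    param([string]$CommonName = 'CORP-Root-CA')
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    # EnterpriseRootCA registers the CA in Active Directory, so domain-joined machines
    # pick up the root certificate automatically; group policy can push it as well.
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
        -CACommonName $CommonName `
        -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
        -KeyLength 4096 -HashAlgorithmName SHA256 `
        -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
}

# --- Part 2: run on any domain-joined machine after 'gpupdate /force' ---
# Confirms the root landed in the Trusted Root store and lists personal-store certs
# that are still self-signed (Subject == Issuer) or expire within $Days days, i.e. the
# ones that still need replacing with CA-issued certificates before 802.1x work starts.
function Test-InternalPkiState {
    param([string]$CommonName = 'CORP-Root-CA', [int]$Days = 30)
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CommonName*" }
    $personal = Get-ChildItem Cert:\LocalMachine\My
    [pscustomobject]@{
        RootTrusted    = [bool]$root
        RootThumbprint = $root.Thumbprint
        SelfSigned     = $personal | Where-Object { $_.Subject -eq $_.Issuer } |
                         Select-Object Subject, Thumbprint
        ExpiringSoon   = $personal | Where-Object { $_.NotAfter -lt (Get-Date).AddDays($Days) } |
                         Select-Object Subject, NotAfter
    }
}

Test-InternalPkiState | Format-List
```

Run Part 1 only on the CA host; Part 2 is safe to run anywhere, since it only reads the local certificate stores.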
