I've got a bunch of internal administrative sites (think vSphere, Nutanix, IIS, SQL, etc.) that currently use self-signed certificates. Our access is restricted by ACLs and firewalls, but as browser security tightens up, it's become harder to get these sites running unless they have a valid certificate. I was initially hoping to find a way to get Edge to accept self-signed or expired certificates, but I've come to realize that's probably not going to happen.
After reading some thoughtful suggestions here, I'm now more interested in doing this the right way. With certificates needing to be renewed frequently (every 90 days coming up), I'm considering automating the renewal process.
Can anyone share how to get started with auto-renewals? Does IIS support this for third-party CAs like Comodo or Sectigo? What about Tomcat and third-party applications that have integrated certificates? Also, any tips on what I should be researching? Are there better CAs that offer auto-renewal features?
5 Answers
I’ve been working on automating certificate renewals for various devices and services, and most ACME platforms have built-in support for deployment. While some appliances are starting to support ACME for management interfaces, it’s still limited. Internal setups usually need DNS challenges. I've had a lot of fun figuring out the APIs and workflows for deployment; it’s definitely a learning experience, even if Cloudflare’s API has been a bit tricky.
There are a few solid strategies for managing SSL certificates. First off, you can automate the process using ACME and Let's Encrypt wherever possible. The exact method depends on the service you’re working with; it can get tricky, especially with Java keystores.
Another approach is to set up your private x.509 Certificate Authority (CA). This way, you control your certificates without worrying about external CA policies. Lastly, consider using reverse proxies to simplify the SSL management process. They can make automation much more manageable. Personally, I lean towards running my own private CA; it gives me better control and reliability over the certificates I need.
About your comment on bypassing certs, I have to say, I usually go with Firefox for self-signed certs because it remembers your exceptions better than Chrome and Edge do. You'd think they could at least allow a temporary bypass in private browsing sessions!
If you have the infrastructure, I suggest setting up an internal Windows CA for your internal services. With this, you can manage your own certificate lifecycle, including expirations and renewals. Tools built into IIS and other Microsoft products can often handle auto-renewals efficiently.
Just a heads up, the renewal period is actually being reduced to 47 days in a couple of years, not 90. To streamline renewals, ACME is definitely the way to go, especially for internal systems where you’ll need to set up DNS-01 validation. For IIS, check out win-acme; it’s user-friendly. For Tomcat, integrating it can be tough, but some scripts exist for that. Or, alternatively, I recommend running Tomcat behind an NGINX server to handle SSL.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures