I'm working on transitioning to automated certificate management for our internal servers, moving away from our reliance on an external certificate authority. I currently use certbot and Let's Encrypt for external services, which is straightforward. However, internally, we've relied on manually generating CSRs and updating certificates in IIS, NPS, Apache, and others each year. While it's manageable, given the narrowing certificate lifetimes, I'm considering setting up an internal CA or using self-signed certificates, but I'm unsure where to start.
1) Is there a clear advantage to using an internal CA over self-signed certificates, or is it dependent on the server environment (we have a mix of Apache and IIS sites)?
2) Our users currently need to trust new NPS certificates each year for WiFi connections on their personal devices. Would using an internal CA or self-signed certificates help in maintaining trust without needing to re-accept frequently?
3) I've heard vCenter has specific requirements for certificates. Would switching to an internal CA or self-signed certificate impact anything?
Any advice or insights would be hugely appreciated!
1 Answer
I tried setting up my own private CA at home, and I won’t go back to self-signed certificates. Managing ROOT certificates is so much easier compared to dealing with self-signed ones all the time. With self-signed certs, users tend to just accept those untrusted prompts, which can expose them to risks. I have my certificates expire every 30 days and I automate the renewal process for several devices. It’s a hassle, but it’s secure!

If you're renewing weekly, would that mean users have to re-accept the new cert every week when they connect?