RFuen1
Beginner

Certs for internal server

I’m setting up a new Intel Unite server version 4 on Server 2019. The server will be used internally only (unite.ccc.local). One of the server requirements is to obtain a SHA-2 certificate. I have 3 options:

1) Self-signed cert

2) Purchase 3rd-party certificate

3) Internally created certificate (internal CA)

Since this server can only be accessed on the local network (not domain.com), I think #2 is not an option. I went with #1 and set up a self-signed cert. This works fine for Windows clients as long as I manually install the cert. The problem is that Chromebooks don’t support self-signed certs. Do you have any suggestions to get #2 or #3 working? I have zero experience with certs, so any advice or direction is appreciated.

Wanner_G_Intel
Moderator

Hello RFuen1,

Thank you for posting on this Intel Community.

According to the Intel Unite® 4 Deployment Guide, section 4.4.1 Obtaining a certificate (page 27), you can obtain a certificate in the following ways:

1. From a public root-of-trust certificate authority.

2. Create a self-signed web server certificate.

For this reason, we cannot confirm whether an internally created certificate is going to work on your setup.

Now, we did some research to find information about using self-signed certificates on Chrome* OS, but we recommend that you contact the developers or your Original Equipment Manufacturer (OEM) to confirm whether using self-signed certificates is an option in this environment.


Wanner G.

Intel Customer Support Technician

A Contingent Worker at Intel

Wanner_G_Intel
Moderator

Hello RFuen1,

As soon as we have more information about obtaining a certificate for your environment, we will update this thread.


Wanner G.

Intel Customer Support Technician

A Contingent Worker at Intel

ZSott
Beginner

You can use #2 too. If you have only the server in the local zone, the certificate is validated against the CRL (list of revoked certificates), which has its own expiration. You can see everything in the details of the certificate.

  1. Create a folder on the server drive where the CRL will be placed. You download the CRL from a machine that has an internet connection; downloading the CRL is just a copy/paste of the CDP URL that is in the certificate.
  2. Create a web site with IIS on your Intel Unite server that will host the CRL, and point it to the folder where the downloaded .crl is. The address will then be "localhost" - 127.0.0.1:80.
  3. Edit the "hosts" file so that, instead of the CA's web site, it is directed to localhost: C:\Windows\System32\drivers\etc\hosts. For example - 127.0.0.1 digicert.com/nameofcrl.crl
  4. Verify that the cert is validated by using cmd and "certutil".

  1. Go to http://127.0.0.1/[name_of_crl].crl. If it starts downloading the file, that's a good sign.
    1. CMD -> certutil -url http://address of the CDP (CRL Distribution Point) that is written in the details of the certificate. The URL retrieval tool will pop up.
    2. Select your exported certificate.
    3. CRLs (from CDP) -> Retrieve

If the certificate is verified, you are all done. One bad thing is that you have to download a new CRL every 2-3 days because of the expiration of the CRL - also in the details of the .crl file. But I think that this can be scripted.

If your HUBs and clients can communicate with the internet or have access to the site to download the CRL, it will work.


#3 - Internal CA

This is way better, because you can edit the CDP of the certificate to point to the local system, not to the internet. But I don't have experience with this...

Maybe this can help: https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/How-to-Publish-the-CRL-on-a-Sep...

I hope that something helped. :)
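The periodic CRL refresh that the answer above says "can be scripted", as an added example that is not part of this thread or of Intel Unite. It assumes a certificate file path and the folder the IIS site serves (both placeholders), that it runs on a machine without the hosts-file redirect so the real CDP is reachable, and that `certutil -dump` prints a `NextUpdate:` line for a CRL file.

```powershell
# Added example: pull each CRL named in the certificate's CDP extension into the
# folder IIS serves, report how long it stays valid, and re-check the chain.
param(
    [string]$CertPath = 'C:\certs\unite.cer',   # placeholder: exported server certificate
    [string]$CrlDir   = 'C:\inetpub\crl'        # placeholder: folder the IIS CRL site publishes
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as text
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "Certificate has no CRL Distribution Points extension" }
$urls = [regex]::Matches($cdp.Format($true), 'https?://\S+\.crl') | ForEach-Object { $_.Value }
if (-not $urls) { throw "No HTTP CRL URL found in the CDP extension" }

foreach ($url in $urls) {
    # Keep the CDP's own file name so the hosts-file redirect still resolves it on the server
    $dest = Join-Path $CrlDir ([uri]$url).Segments[-1]
    Invoke-WebRequest -Uri $url -OutFile $dest -UseBasicParsing

    # Assumption: certutil -dump on a .crl prints "NextUpdate: <date>"
    $dump = certutil -dump $dest | Out-String
    if ($dump -match 'NextUpdate:\s*(.+)') {
        $next = [datetime]::Parse($Matches[1].Trim())
        $days = [math]::Round(($next - (Get-Date)).TotalDays, 1)
        Write-Output "$dest valid until $next ($days days left)"
        if ($days -lt 1) { Write-Warning "CRL $dest expires within a day; run this refresh sooner" }
    } else {
        Write-Warning "Could not read NextUpdate from $dest; check the download"
    }
}

# Build the chain with revocation fetched from the (locally served) CDP; a non-zero exit means it failed
certutil -verify -urlfetch $CertPath
if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -verify -urlfetch failed; the CRL is not being served correctly" }
```

Run it from a scheduled task more often than the CRL's ThisUpdate/NextUpdate window (the 2-3 days mentioned above), so the copy IIS serves never expires between refreshes.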
