SSL for local domain

Hi There,

I just recently started working with Epicor, again, after a 5 year hiatus.
So many things have changed for the better. Like REST… Amazing!

This group has been incredibly useful in helping me get my bearings back. So thank you.

I have a question regarding the need to get an SSL cert for a mydomain.local. I managed to query through the REST API using Postman and Excel just fine with a self-signed certificate.

But, do we need, should we, or would it be advisable to get a certificate from a cert authority even though we have a local install which is completely limited to our intranet? I know some cert authorities provide certificates for .local. Or should we just get a regular wildcard cert?

Most of the posts I found here involve more complicated environments: Azure, SSO and so forth. We have none of that.
Local install with no SSO.

Thank you,

Sebastien.-

Most of our customers are either

a. using a wildcard cert from a CA (which has some caveats for getting set up, since you can’t actually get an internal cert from a CA easily that is trusted in browsers out of the box)

b. using their own self-signed certificate for their non-public-facing domain (.local or whatever), then dealing with distributing that certificate (or ideally the signing certificate) to all their clients.

It’s a bit tricky and something we’ve discussed a lot - how to make the process of https certificate setup easier when you’re not in our SaaS where it’s simple. There are a bunch of variants of option B, such as deploying your own internal certificate authority and using that to generate your certs, or just using group policy to distribute trust for a main cert with which you’re signing all your other internal https certs, etc.

2 Likes

The one thing that I’ve found isn’t quite clear, though, is that yes, we really do need you to have a green certificate for a lot of our newer web applications to function properly.

We’re super open to any ideas you all have about making this process less painful btw.

@bconner
I have used Let’s Encrypt successfully; there are even IIS modules and scripts you can use. It requires the server to have access to the internet (briefly during the handshake), but that can be scripted too.
It does require a valid domain (TLD), which is less than ideal for .local types of environments, but it works nicely.
We just created a subdomain epicor.tld.com and got a proper Let’s Encrypt SSL cert for it automatically every 3 months for free.

Option b using a self-signed cert pushed by GPO seems to be the best solution in the short term.

Thank you.

2 Likes

I used to think there was no reason to do https locally, but we live in a different world. In today’s world, it’s best to assume that our networks will be/are compromised. We’re passing login credentials via REST and that could be easily sniffed without using TLS encryption.

If you ever want to use Progressive Web Apps some day, it requires a https connection since the technology is essentially a man-in-the-middle service and you want to ensure that you’re only connecting to the site with the certificate that matches the target.

Mark W.

Definitely in agreement Mark. Self-signed in the short term just to figure out the mechanics of deploying. But for the long-term get the certs from an authority.

Sebastien.-

1 Like

We like Let’s Encrypt a lot and even discussed shipping an ACME client a few times once the wildcard support finally made it in, but since it only works if you have a public domain plus public access to a machine during the renewal we decided we’re starting to step too far into your network administration which we really ought not.

Yep, this is, I think, one of the simpler paths. The one other caveat I like to remind people of is to check out what web browsers do with the cert you create and make sure they will trust it. Chrome (being the most aggressive example) has been gradually lighting up certs as untrusted if they’re not up to spec. A recent example being: if your cert doesn’t have a Subject Alternative Name, Chrome won’t trust it anymore. That’s another good reason to use a public CA if you can.

Mark is correct here. We’re bringing out a lot of web applications (including PWAs) that will make this more and more important. Governments will continue to bring out more security legislation regarding data storage, transport, etc. Eventually it’s likely we will be https only for everything so good to get over the hump with it now.

3 Likes
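As an added example that is not part of any post above (and not Epicor's own tooling), the following PowerShell script walks through the "variant of option B" described earlier in the thread: create an internal signing CA, issue a server certificate from it, check that the server certificate actually carries the Subject Alternative Name that Chrome now insists on, and export only the CA's public certificate for distribution through Group Policy. The host name `epicor.mydomain.local`, the CA name `MyDomain Internal CA` and the export folder `C:\certs` are assumed placeholders; run it in an elevated PowerShell session on a Windows server with the PKI cmdlets available.

```powershell
# Added example, not from the thread or from Epicor. Assumed names below.
$caName    = 'MyDomain Internal CA'        # assumed CA display name
$hostName  = 'epicor.mydomain.local'       # assumed app server FQDN
$exportDir = 'C:\certs'                    # assumed export folder
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Internal signing CA. Its private key is what every client will end up
#    trusting, so in practice generate and keep it on a machine that is not
#    the web server; it is created here only to keep the example self-contained.
$ca = New-SelfSignedCertificate `
    -Subject "CN=$caName" `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyLength 4096 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')

# 2. Server certificate signed by that CA. -DnsName fills the Subject
#    Alternative Name extension (the CN alone is no longer enough for Chrome).
#    The TextExtension sets Extended Key Usage = serverAuth (1.3.6.1.5.5.7.3.1).
$server = New-SelfSignedCertificate `
    -DnsName $hostName, 'epicor' `
    -Signer $ca `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddMonths(13)

# 3. Verify the SAN that browsers evaluate (OID 2.5.29.17) before deploying.
$san = $server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) {
    throw "Certificate $($server.Thumbprint) has no Subject Alternative Name; browsers will not trust it"
}
Write-Output ("SAN: " + $san.Format($false))

# 4. Export only the CA's public certificate (no private key). This .cer is
#    what a GPO publishes to Trusted Root Certification Authorities on clients.
$caFile = Join-Path $exportDir (($caName -replace ' ', '-') + '.cer')
Export-Certificate -Cert $ca -FilePath $caFile | Out-Null

# 5. Export the server certificate with its private key for the IIS https
#    binding, protected by a password prompted at run time.
$pfxPassword = Read-Host -AsSecureString 'PFX password for the server certificate'
Export-PfxCertificate -Cert $server -FilePath (Join-Path $exportDir "$hostName.pfx") -Password $pfxPassword | Out-Null
```

The short SAN check in step 3 is the part worth keeping around even if the CA is built some other way: it fails loudly on a certificate that would otherwise install fine in IIS and only show up as "not secure" in the browser. Distributing the `.cer` from step 4 (and never the CA's private key) is what turns the self-signed setup into the "trust for a main cert" arrangement described above.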