Should I use a public CA cert instead of self-signed for SSLVPN?
lostbackups Newbie ✭
in SSL VPN
I'm trying to set up SSLVPN access, which I have done in the past, and I've always just used the self-signed cert. However, if I am deploying this for production use with remote users connecting to SSLVPN and using remote desktop, should I be using a publicly trusted cert instead? I'm just trying to understand the use case.
Let's say I wanted to use a public domain name instead of an IP address to connect with NetExtender. Would the cert need to be for that domain name?
@lostbackups To avoid any "Common Name Mismatch Error", the CN (or SAN) has to match the name you use to establish the SSL/TLS connection. If you access it via https://sslvpn.mydomain.de, then the cert has to be issued for sslvpn.mydomain.de.
A self-signed cert is IMHO a bad idea because you train your end users to accept any cert that is presented to them. Running your own CA and deploying the root cert would be a better approach to avoid commercial certs.
Thanks for the response and that makes sense. However, in my situation, I'd be using Sonicwall NetExtender to connect to an IP address over port 4433 and then the user would RDP into their on-prem workstation. We wouldn't be using the web browser.
I was also contemplating registering a domain name for that IP (or maybe just editing the hosts file) so that the user could type a name instead of the IP. I was thinking that's where a properly configured cert might come into play.
@lostbackups The same goes for NetExtender/MobileConnect: it'll complain about the cert if the server name does not match the CN.
If you're running your own CA, you can go crazy and issue a SAN certificate with multiple names, which can include IP addresses or multiple names in a single cert; then it does not matter whether your users use the IP or the name. This is not possible with commercial certs.
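The two points above (the presented name must match the CN/SAN, and a private CA can issue one cert carrying both a DNS name and an IP address) can be tried end to end with plain OpenSSL. The script below is an added example, not something posted in this thread or SonicWall's own procedure: it builds a throwaway root CA, issues a server certificate whose subjectAltName lists an assumed hostname `sslvpn.example.internal` and an assumed address `203.0.113.10` (TEST-NET-3, a placeholder), and then runs the same name-match check a client performs with `openssl verify -verify_hostname` / `-verify_ip`. It assumes OpenSSL 1.1.0 or newer. Importing `leaf.key`/`leaf.crt` into the appliance and pushing `ca.crt` to the clients' trust stores is vendor-specific and is not shown.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + SAN certificate with a DNS
# name and an IP address, then client-style name matching with openssl verify.
# Hostname and IP are placeholders (assumptions), not real infrastructure.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
VPN_NAME="sslvpn.example.internal"   # assumed name users would type into NetExtender
VPN_IP="203.0.113.10"                # assumed public IP of the appliance (TEST-NET-3)

# 1. Root CA: self-signed, CA:TRUE, key usage restricted to signing certs/CRLs.
cat > "$WORKDIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -config "$WORKDIR/ca.cnf" \
  -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1

# 2. CSR for the VPN appliance. The CN is kept for legacy clients; the names
#    that actually get matched are added as subjectAltName at signing time.
cat > "$WORKDIR/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $VPN_NAME
EOF
openssl req -new -newkey rsa:2048 -nodes \
  -config "$WORKDIR/leaf.cnf" \
  -keyout "$WORKDIR/leaf.key" -out "$WORKDIR/leaf.csr" >/dev/null 2>&1

# 3. Sign as an end-entity server cert with BOTH a DNS and an IP SAN entry.
cat > "$WORKDIR/leaf.ext" <<EOF
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$VPN_NAME, IP:$VPN_IP
EOF
openssl x509 -req -in "$WORKDIR/leaf.csr" \
  -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
  -days 825 -extfile "$WORKDIR/leaf.ext" -extensions v3_leaf \
  -out "$WORKDIR/leaf.crt" >/dev/null 2>&1

# Client-style checks: the cert must chain to a trusted CA AND the name the
# user typed must appear in the SAN. Each function prints "ok" or "fail".
check_hostname() {
  if openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" \
       "$WORKDIR/leaf.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
check_ip() {
  if openssl verify -CAfile "$WORKDIR/ca.crt" -verify_ip "$1" \
       "$WORKDIR/leaf.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# Same cert, but the private root is NOT in the trust store (what a user sees
# before ca.crt is deployed): the chain fails even though the name matches.
check_untrusted() {
  if openssl verify -no-CAfile -no-CApath -verify_hostname "$1" \
       "$WORKDIR/leaf.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "SAN entries: $(openssl x509 -in "$WORKDIR/leaf.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//')"
echo "$VPN_NAME (trusted CA):           $(check_hostname "$VPN_NAME")"
echo "$VPN_IP (trusted CA):              $(check_ip "$VPN_IP")"
echo "vpn.$VPN_NAME (wrong name):        $(check_hostname "vpn.$VPN_NAME")"
echo "$VPN_NAME (root not deployed):     $(check_untrusted "$VPN_NAME")"
```

The last line is the case the thread warns about: until the root cert is actually distributed to the clients, every connection produces the same "untrusted" prompt a self-signed cert would, so deploying `ca.crt` (via GPO, MDM, or whatever the fleet uses) is part of the job, not an optional extra.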
Got it, thanks. We do have a CA server so I guess I can try using that. Other than the self-signed cert pop-up, are there any other security concerns there?
Security/encryption-wise there is no difference between a commercial and a self-signed cert, just that you condition your end users to trust any cert that comes up as invalid. It's hard enough already that users click "continue" and "yes" to everything 😁
Hey BWC, let me also ask you... with SSLVPN, "Tunnel All Mode" would be the most secure, right? The alternative exposes some corporate network info to the user's home network, doesn't it?