I am a retired network admin, I understand SQL and AD fairly well, but have never had to do anything with certs beyond following the bouncing ball and installing a basic certificate on a rather simple website.
Now I am helping a client/friend with PCI compliance. They have a pretty simple setup with a 2012R2 server running SQL2008R2. SQL does not face the Internet, and there is not a web service running on the server although IIS is installed. The firm does have a website hosted externally, which has a valid cert, so it is fine. I expected this to be simple and straightforward. Foolish me.
They got pinged on a couple of things which are easy enough, but these three items have me perplexed.
- SSL Certificate Chain Not Trusted (External Scan)
- SSL Certificate Common Name Does Not Validate (External Scan)
- SSL Certificate is Not Trusted (External Scan)
I was told by a friend I generally trust to set up a simple web page using the server’s local name, install certbot, get a cert, and configure SQL and the workstations to use it.
My question is, how do I do that? I can do the web site, but I am not sure that is strictly necessary. Can’t I just get a cert for the server? I am not sure I should post the FQDN at this point, but say it is myserver.mydomain.local. The hosted site is www.meadorjohnsonlaw.com, but again, that is external and already secured. So I would add an A record to the DNS for myserver.meadorjohnsonlaw.com and then get the cert for that? It wouldn’t resolve internally, but I can add it to the internal DNS or put it in a host file.
Basically I am asking how to get a trusted cert for an internal local server.
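The three scan findings above are the three things a TLS client checks when it connects: can it build a chain to a trusted root, does the name on the certificate match the name it connected with, and is the certificate otherwise valid (not expired, not self-signed). The following added example (not from the post or the scanner vendor) connects to a host and port the way the external scanner does and reports which of the three checks fails; the host name, port and the mapping of OpenSSL verify messages to the scanner's wording are assumptions.

```python
import socket
import ssl
import sys

# Assumed mapping from OpenSSL's verify failure text to the scanner's finding names.
FINDINGS = {
    "unable to get local issuer certificate":
        "SSL Certificate Chain Not Trusted (issuer/intermediate not sent or unknown)",
    "self signed certificate": "SSL Certificate is Not Trusted (self-signed)",
    "self-signed certificate": "SSL Certificate is Not Trusted (self-signed)",
    "hostname mismatch":
        "SSL Certificate Common Name Does Not Validate (cert name != scanned name)",
    "certificate has expired": "SSL Certificate is Not Trusted (expired)",
}


def classify_verify_message(message: str) -> str:
    """Translate an OpenSSL verification error into the scanner's wording."""
    lower = message.lower()
    for needle, finding in FINDINGS.items():
        if needle in lower:
            return finding
    return f"SSL Certificate is Not Trusted ({message})"


def check_tls_endpoint(host: str, port: int, timeout: float = 5.0) -> dict:
    """Handshake with the endpoint using the system trust store and the given host name.

    Returns ok=True plus the certificate's names, or ok=False plus the finding.
    """
    ctx = ssl.create_default_context()  # verifies chain and host name by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return {"ok": True, "finding": None,
                "subject": cert.get("subject"), "san": cert.get("subjectAltName")}
    except ssl.SSLCertVerificationError as err:
        return {"ok": False, "finding": classify_verify_message(err.verify_message or str(err))}


if __name__ == "__main__":
    # Usage: python check_tls.py myserver.meadorjohnsonlaw.com 1433 (name/port assumed)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(check_tls_endpoint(target_host, target_port))
```

Run it once against the public name and port the scanner reported; a certificate that passes here will also clear the three findings, while a chain or name failure tells you which of the two fixes (publishing the full chain, or issuing the certificate for the scanned name) is still missing.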