Our internal domain is a public suffix, example.com. We have application servers that can only use their own CSR (no access to the OS), and these add entries to the SAN that Let's Encrypt finds invalid (a hostname with no domain suffix, for instance). So domain-validated, manually created certificates can't be made.
We are happy to install our own CA for our domain and issue certificates for these edge cases, but it would be perfect to have our internal CA become a sub-CA so that the certificate chain is publicly trusted. Or am I misunderstanding something and wishing for the impossible?
We have certbot working flawlessly for IIS websites and want to use it more for other things (VPN connections, telephony, etc.) but are frustrated by the application vendors' implementation of raising CSRs.
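As an added example, not part of the original post and not Let's Encrypt's, certbot's or any vendor's code: a POSIX shell script that builds a constructed CSR with the kind of mixed SAN list the post describes (one public FQDN, one bare hostname, one name under a non-public suffix, one IP address), pulls the SAN entries back out with openssl, and flags which ones a public, domain-validated CA would refuse and which therefore have to go to the internal CA. The list of non-public suffixes and the blanket refusal of IP-address SANs are simplifying assumptions made for the example, not the Public Suffix List or any CA's actual policy; it assumes openssl 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example (not from the original post): audit a CSR's SAN entries
# for public-CA eligibility before deciding which CA has to sign it.
set -e

# Build a throwaway EC key and a CSR. The SAN list is constructed for the
# example and is not a real vendor CSR.
make_csr() {
  # $1 = output path for the CSR (PEM); the key is written to "$1.key"
  openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -keyout "$1.key" -out "$1" \
    -subj "/CN=pbx.example.com" \
    -addext "subjectAltName=DNS:pbx.example.com,DNS:pbx,DNS:pbx.corp,IP:10.0.0.5" \
    2>/dev/null
}

# Print the CSR's SAN entries one per line, in openssl's own notation
# (e.g. "DNS:pbx" or "IP Address:10.0.0.5").
csr_sans() {
  # $1 = CSR path
  openssl req -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -v '^$'
}

# Decide whether one SAN entry can be issued by a public, domain-validated
# CA. The suffix list here is a deliberately short assumption, not the
# Public Suffix List; extend it for your environment.
classify_san() {
  # $1 = one SAN entry as printed by csr_sans
  case "$1" in
    "IP Address:"*)
      echo "reject: IP address (not covered by DNS validation)" ;;
    DNS:*.local|DNS:*.internal|DNS:*.lan|DNS:*.corp|DNS:*.home|\
    DNS:*.localhost|DNS:*.test|DNS:*.example|DNS:*.invalid)
      echo "reject: non-public suffix" ;;
    DNS:*.*)
      echo "ok: public DNS name" ;;
    DNS:*)
      echo "reject: bare hostname, no domain suffix" ;;
    *)
      echo "reject: unsupported SAN type" ;;
  esac
}

# Print one line per SAN entry with its verdict.
audit_csr() {
  # $1 = CSR path
  csr_sans "$1" | while IFS= read -r san; do
    printf '%-26s %s\n' "$san" "$(classify_san "$san")"
  done
}

# Number of SAN entries the public CA would refuse (0 means the whole
# CSR can go to the public CA as-is).
count_rejects() {
  # $1 = CSR path
  csr_sans "$1" | while IFS= read -r san; do classify_san "$san"; done \
    | grep -c '^reject' || true
}

# Demonstration on the constructed CSR.
csr=$(mktemp)
make_csr "$csr"
audit_csr "$csr"
echo "entries that need the internal CA: $(count_rejects "$csr")"
rm -f "$csr" "$csr.key"
```

Run against a real vendor CSR with `audit_csr /path/to/request.csr`; any line marked `reject` is one the public CA will not validate, so the request as a whole has to be signed by the internal CA (or the vendor's SAN list changed to drop the offending entries).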