@rugk: We should probably clarify the language on that page. It’s intended to list DNS provisioning as an example of what a CA “might” do. The current status is that we will launch with only the SimpleHTTP and DVSNI challenges, and most likely support DNS challenges later on.
@greggman: The problem you pose, of issuing meaningful certs for hosts on a local network, is a very hard one that is being thought about a lot, but no one has come up with a satisfactory solution. You are on the right path for one workaround, though. You can indeed set up hostnames like `somesessionid.myapp.com` and get certificates for them. There are a few tricky things, though:

- A certificate for `myapp.com` won’t be valid for `somesessionid.myapp.com`. You’ll need to get a certificate issued for `somesessionid.myapp.com`. Also, in order to be secure, your app running on the local network should generate its own private key, and share the public key with your service to get it signed by a CA.
- In order to be signed by a CA, `somesessionid.myapp.com` needs to resolve to a server accessible on the public Internet. But in order to be used by the local network app, `somesessionid.myapp.com` needs to resolve to a local address. You can probably work around this by making `somesessionid.myapp.com` temporarily point to a public web server for enrollment, and then re-point it to the local address during use. Keep in mind that certs will need periodic renewal, so you will have to account for that somehow.
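The first tricky point above (a cert for `myapp.com` does not cover `somesessionid.myapp.com`) comes down to how clients match a hostname against the names in a certificate. The following is an added example, not code from the original post or from Let's Encrypt, that implements the RFC 6125 matching rules a browser applies: exact match on `dNSName` entries, a wildcard honoured only as the whole left-most label and covering exactly one label, and no `dNSName` ever matching an IP literal (which is why a plain `192.168.x.x` address on the local network can never be covered). The SAN lists are constructed sample data.

```python
"""Hostname matching against certificate subjectAltName dNSName entries.

Added example (not from the original post). Shows why a certificate issued
for myapp.com is rejected for somesessionid.myapp.com, and what a wildcard
certificate would and would not cover.
"""
import ipaddress

# Constructed sample data standing in for the dNSName entries of two
# hypothetical certificates.
ROOT_CERT_SANS = ["myapp.com", "www.myapp.com"]      # cert for the main site
WILDCARD_CERT_SANS = ["*.myapp.com"]                  # hypothetical wildcard cert


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 section 6.4.3).

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    only honoured when it is the entire left-most label, it must be followed
    by at least two more labels (so "*.com" never matches), and it matches
    exactly one label: "*.myapp.com" covers "a.myapp.com" but not
    "a.b.myapp.com" and not "myapp.com" itself.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcards anywhere but the left-most label are invalid
    if len(h_labels) != len(p_labels):
        return False  # "*" stands for exactly one label

    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names, hostname: str) -> bool:
    """Return True if any dNSName in the SAN list covers ``hostname``.

    IP literals are rejected outright: they can only be satisfied by an
    iPAddress SAN entry, never by a dNSName, so a cert for any DNS name is
    useless when the client connects to a bare local IP address.
    """
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return False
    except ValueError:
        pass  # not an IP literal, proceed with DNS-ID matching
    return any(_match_dns_pattern(p, hostname) for p in san_dns_names)


if __name__ == "__main__":
    for sans, host in [
        (ROOT_CERT_SANS, "myapp.com"),
        (ROOT_CERT_SANS, "somesessionid.myapp.com"),
        (WILDCARD_CERT_SANS, "somesessionid.myapp.com"),
        (WILDCARD_CERT_SANS, "myapp.com"),
        (WILDCARD_CERT_SANS, "a.b.myapp.com"),
        (["somesessionid.myapp.com"], "192.168.1.20"),
    ]:
        print(f"{host:28s} covered by {sans}: {cert_matches_host(sans, host)}")
```

The takeaway for the local-network design is that either the exact per-device name must appear in the certificate, or a wildcard for the parent domain must, and the client must connect by that name rather than by the device's IP address.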