How to create certs for internal-use servers that use "real" domains

I have an application server that’s running internally using Apache/Tomcat but is accessed via a “real” domain name (as opposed to a .lan or .local). We’d like to use the HTTPS option and generate a “proper” SSL cert with LE, as currently our only method of getting certificates is from an internal CA, which obviously doesn’t recursively validate out and gives our operators a cert error. Our security guys are also not too happy about internally generated certs either.

We’d like to be able to generate certs for an internal server, e.g. https://internalapp.realdomain.com, but don’t want to expose it in external DNS or expose the web server itself to the outside world, which seems to be a prerequisite for validating our authority to use that domain. Just to make things harder, that domain also doesn’t send/receive email etc., so we can’t send from something like itguys@realdomain.com to prove it’s us.

Is there a way to set up an ACME client (PowerShell preferred, as the servers are Apache/Tomcat on Windows 2012 R2 and 2016) so we could script something to generate and keep certs updated for our two internal-only apps? Possibly validate ourselves a different way?

Thanks!

Hi @Gamo

this isn't possible. If you want to get a certificate from a public Certificate Authority, this CA must check that you are the owner of the domain name internalapp.realdomain.com.

But where is the problem? You can create a DNS TXT entry

_acme-challenge.internalapp.realdomain.com

and use dns-01 validation; no A record is required. Then you can get a certificate.
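To make the dns-01 flow concrete, here is an added worked example that is not part of the original thread and is not an ACME client: it derives the value that goes into the `_acme-challenge` TXT record from an ACME account key and the challenge token, following RFC 8555 section 8.4 (key authorization = `token.thumbprint`, TXT content = base64url of the SHA-256 of that string) and RFC 7638 for the JWK thumbprint, then checks that the value is actually visible in DNS before the CA is told to validate. The account key (`SAMPLE_JWK`), the token and the resolver are all constructed for illustration; a real client would use its own account key, the token returned by the CA, and a real DNS lookup.

```python
"""dns-01 helper: compute the _acme-challenge TXT value and pre-check DNS.
Everything below is constructed for illustration, not captured from a CA."""
import base64
import hashlib
import json
from typing import Callable, Iterable

# RFC 7638: only the required public members take part in the thumbprint,
# so a private member such as "d" must never leak into the hash input.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> str:
    """Canonical JSON: required members only, sorted lexicographically, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON))."""
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT content = base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def challenge_name(fqdn: str) -> str:
    """The name the CA queries: _acme-challenge. prefixed to the identifier."""
    return "_acme-challenge." + fqdn.rstrip(".")


def txt_published(name: str, expected: str, resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """Pre-flight check before asking the CA to validate.  Several TXT records
    may coexist at the name (e.g. a pending wildcard challenge), so membership
    is the right test, not equality with the single record."""
    return expected in set(resolve_txt(name))


# Constructed sample inputs (not a real account key or CA-issued token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKEN = "constructedTokenFromCA"

if __name__ == "__main__":
    name = challenge_name("internalapp.realdomain.com")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name}. IN TXT \"{value}\"")

    # Stand-in for a DNS lookup: a dict of published zone data, constructed here.
    zone = {name: [value]}
    print("published:", txt_published(name, value, lambda n: zone.get(n, [])))
```

The pre-check matters operationally: the CA resolves the name from the public authoritative servers, so the lookup used here should be pointed at those (or at the zone's API), not at an internal resolver that may answer from a split-horizon view or a cached negative response. The A record for the host is never consulted, which is what lets the server itself stay off the public internet.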
