How to generate an SSL certificate for an internal-only domain that’s not on the Internet?

Hi,
I have a domain name: jenkins-subdomain.com, which is never used outside the company and cannot be reached from the public Internet.

Is it possible to generate a certificate in my case, please?

Public Certificate Authorities only certify public names.

So while the name needs to be public, the server doesn't need to be. If there's an actual domain name, with public DNS, then one can use the DNS-01 Challenge of creating a TXT record to prove control of the name. This generally works best when it can be automated, either through it being a DNS provider that supports an API, or through something like acme-dns where there's a special-purpose DNS server for providing the TXT record which the normal DNS provider delegates the name to.

If it's actually an internal-only name, for internal-only clients, then you need to look at making your own private CA, rather than trying to use the public WebPKI.

9 Likes

Please see: Certificates for localhost - Let's Encrypt

5 Likes

Thanks for your answer.
then you need to look at making your own private CA, rather than trying to use the public WebPKI.
=> Private CA: do you have some suggestions, please?

1 Like

Please check this thread out: Local Domain certs with Let's Encrypt CA - #9 by danb35

6 Likes

For small use cases of just a few machines, something like minica or (as mentioned above) step-ca may be what you want, where you make a CA, load the root certificate into the trust store on devices that will be using your internal systems, and issue your own certificates for your servers.

For something larger-scale, there are plenty of enterprise products for making your own CA, either from a server OS (Microsoft, Red Hat, etc.), the usual "cloud" players (Amazon, Google, etc.), as well as other paid-for public CAs that offer a private CA management service (DigiCert, Sectigo, etc.).

Either way, it's getting a bit beyond what Let's Encrypt does, which is focused on making it easy for public servers to get domain-validated certificates for use on the Internet. But hopefully those point you in the right direction. For some things, it's easier to just buy a public domain name even if it's not going to be used by anyone outside the organization and use the WebPKI, but many use cases are better served by making one's own private PKI.

8 Likes
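The private-CA workflow described in the answer above (make a root CA, load it into the trust store of your devices, issue your own server certificates), as an added Go example that is not from this thread and not the code of minica or step-ca: it builds a root in memory, issues a server certificate for jenkins-subdomain.com, and then runs the check a client performs, once with the root in its trust pool and once without. The CA name, key type and 90-day lifetime are assumptions; in practice the root's private key would be kept offline and the leaf key and certificate written out for the Jenkins server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildPrivatePKI creates a private root CA and issues a server certificate for host.
// Only a client that has loaded this root into its trust store will accept the leaf.
func BuildPrivatePKI(host string) (root, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // root key: keep offline in real use
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // server key: stays on the Jenkins host
	now := time.Now().Add(-time.Minute)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"}, // assumed name
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, // without the CA flag clients reject the whole chain
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed root: template and parent are the same certificate.
	rootDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	root, _ = x509.ParseCertificate(rootDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, // modern clients match the SAN entry, not the CN
		NotBefore: now, NotAfter: now.AddDate(0, 0, 90), // short lifetime, assumed; rotate on a schedule
		KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// VerifyLeaf performs the check a TLS client does: chain the leaf to a root in roots for host.
// An empty pool models a device on which the private root was never installed.
func VerifyLeaf(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

Distributing the root is the part that does not scale by hand, which is why the larger-scale tools mentioned above exist.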

I'm not sure how this thread just popped up for me.

If this is for https://www.jenkins.io/ the CI server, I strongly suggest you consider using the DNS-01 challenge to leverage the ISRG Public Roots and not a Private CA.

Configuring things to work with Jenkins, and vice versa, is not very fun. Being able to rely on the local Trust Store will greatly simplify things.

3 Likes
