I have a client with an internal AD domain which is a valid Internet domain as well. It is strictly used for internal purposes, and there are no servers using this domain which are accessible outside of the corporate network, to the general public. The domain is simply the “.net” version of the “.com” domain, which is publicly exposed. Like so:
Currently, the client has their own CA server which issues certificates, but there are a few scenarios where this causes problems with software or workflows which can’t reach the CA server for validation (such as checking the CRL for a cert). To solve this problem, I’ve suggested using Let’s Encrypt since LE is already in the Trusted Root store, and we wouldn’t need any additional configuration for internal machines.
Will Let’s Encrypt work for this internal domain, on internal-only servers? We can easily modify the DNS host to provide a TXT record for validation.
What would happen if a web server is using LE, but the accessing machine is not able to hit the public Internet? We need to consider the scenario where machines are locked to only access the internal network. Will the LE certificate still work correctly without this access?
Are there any security issues that should be considered when taking this route? I assume that requests to LE’s CA server would show the internal URLs/FQDN being accessed, correct?
Would requesting a wildcard certificate for *.mygreatclient.net be the preferred route to take? We have dozens of web servers to secure. Would a wildcard certificate prevent FQDNs from being exposed during a request to the LE CA?
Thank you for your assistance. Apologies if these questions are a bit newbie-ish; this is my first deep dive into SSL and Let’s Encrypt!
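The questions above turn on what an ACME client actually sends to Let's Encrypt and what it must publish in DNS. The script below is an added example written for this page, not code from the original post or from any ACME client; it works through the RFC 8555 DNS-01 arithmetic with a constructed account key and token: the `_acme-challenge` record name for a wildcard, the TXT value derived from the token and the RFC 7638 key thumbprint, and the identifier list that a per-host order versus a wildcard order would hand to the CA. The domain `mygreatclient.net` comes from the question; the hostnames, the JWK coordinates and the token are made up.

```python
"""ACME (RFC 8555) DNS-01 bookkeeping for an internal-only domain.

Added example, not from the original post. ACCOUNT_JWK is a constructed,
non-functional EC P-256 JWK (placeholder coordinates) used only to show the
thumbprint and TXT-record arithmetic; a real ACME client (certbot, lego,
acme.sh) generates its own account key and signs the requests.
"""
import base64
import hashlib
import json

# Constructed placeholder account key: x/y are not real curve points, they
# only need to be base64url strings for the thumbprint math to run.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",            # optional members: must NOT affect the thumbprint
    "kid": "internal-acct-1",  # constructed key id
}

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: challenge token + '.' + account key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_name(identifier: str) -> str:
    """Where the TXT record goes. A wildcard '*.example.net' is validated at
    '_acme-challenge.example.net': the leading '*.' is dropped (s8.4)."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def new_order_identifiers(names):
    """The 'identifiers' the client POSTs to the CA's newOrder endpoint. These
    names, and the SANs of the issued certificate, are what the CA and the
    Certificate Transparency logs see; the internal servers are never contacted."""
    seen = []
    for name in names:
        lowered = name.lower().rstrip(".")
        if lowered not in seen:
            seen.append(lowered)
    return [{"type": "dns", "value": n} for n in seen]


def collapse_to_wildcard(fqdns, parent):
    """Replace every host directly under `parent` with one '*.parent' identifier.
    Deeper names (a.b.parent) are kept: a wildcard matches a single label only."""
    out, wildcard_needed = [], False
    for name in fqdns:
        name = name.lower().rstrip(".")
        if name.endswith("." + parent) and "." not in name[: -len(parent) - 1]:
            wildcard_needed = True
        else:
            out.append(name)
    if wildcard_needed:
        out.insert(0, f"*.{parent}")
    return out


if __name__ == "__main__":
    # Constructed challenge token, shaped like the ones the CA hands out.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    print("TXT", dns01_record_name("*.mygreatclient.net"), dns01_txt_value(token, ACCOUNT_JWK))
    hosts = ["intranet.mygreatclient.net", "wiki.mygreatclient.net",
             "db01.corp.mygreatclient.net"]
    print("per-host order exposes:", [i["value"] for i in new_order_identifiers(hosts)])
    wildcard_hosts = collapse_to_wildcard(hosts, "mygreatclient.net")
    print("wildcard order exposes:", [i["value"] for i in new_order_identifiers(wildcard_hosts)])
```

Two things the script makes visible. First, DNS-01 needs nothing from the internal servers: the CA only queries public DNS for the `_acme-challenge` TXT record, so the hostnames in the order are the only thing it learns, and because every issued certificate is submitted to Certificate Transparency logs, every SAN becomes public; a wildcard order exposes only `*.mygreatclient.net`, but covers a single label, so `db01.corp.mygreatclient.net` would still need its own name. Second, the certificate itself validates offline against the trust store, but its revocation-check URLs point at public hosts, so a client cut off from the Internet faces the same reachability question it has with the internal CA unless the server staples OCSP or the client fails open. `jwk_thumbprint` can be checked against the RFC 7638 section 3.1 test vector.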