Since we’re setting up our local network with a domain, I’d like to properly secure our connections to Remote Desktop sessions. One might argue that using self-signed certificates is valid in the context of the local network, but I don’t like the idea of collecting self-signed certificates in my keychain, plus it would also stop people in the company from dismissing security warnings about certificates.
I did some googling about this, but much of the information is outdated or not specific to this issue. The main assumption is that I’d like to automate the whole process of renewal. The second assumption is that a DNS challenge becomes the necessary way of obtaining the certificate, since servers/workstations are not accessible directly from outside our network via public-facing DNS.
In our case, our domain and public DNS are hosted on OVH, which as far as I can tell has an API to manage the DNS zone programmatically. Many other DNS providers offer APIs to make such changes. Can you confirm that this would allow me to pass the DNS challenge, if properly configured?
The next step would be the setup of Remote Desktop Services to use the certificate. The way to configure it and reload it is outside the scope of this community site (even though if you found a killer guide/blogpost, I would be very grateful!), but I would like to know if a certificate from Let’s Encrypt is compatible with such a use case. Maybe it just needs extra processing/packaging in a different format?
In summary, has anyone tried to automate this use case? Any tips?
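The part of the question that a DNS provider API can or cannot satisfy comes down to one thing: whether the client can publish a specific TXT record at `_acme-challenge.<hostname>` before the CA looks for it. The following is an added example (not the poster's code and not from any ACME client) that computes that record value from the ACME account key and challenge token exactly as RFC 8555 §8.4 and RFC 7638 define it, and checks a resolver's TXT answer set for it. The hostname, token and JWK contents are constructed placeholders, and the record-check function takes an answer list instead of querying DNS so it runs offline.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account key.

    Only the required members of the key type are hashed, in lexicographic
    order, as compact JSON with no whitespace; any other members (kid, alg,
    use...) are ignored, so the dict's insertion order does not matter.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value to publish for a dns-01 challenge (RFC 8555 section 8.4).

    key authorization = token "." thumbprint(account key)
    TXT record        = base64url(SHA-256(key authorization))
    The CA queries the record through public DNS, so the internal host
    itself never has to be reachable; only the DNS zone must be writable.
    """
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(fqdn: str) -> str:
    """Owner name of the TXT record the CA will query, as an absolute name."""
    return "_acme-challenge." + fqdn.rstrip(".") + "."


def record_is_published(expected: str, txt_answers: list[str]) -> bool:
    """True if a TXT answer set (quoted strings, as resolvers return them)
    already contains the expected value. Pre-checking this before asking the
    CA to validate avoids burning failed-validation rate limits while the
    provider's zone change is still propagating."""
    return any(answer.strip('"') == expected for answer in txt_answers)


# Constructed sample account key (EC P-256 JWK); the coordinates are
# placeholders, not a real key, and would never be shared like this.
SAMPLE_JWK = {
    "kid": "https://acme.example/acct/PLACEHOLDER",  # ignored by thumbprint
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url",
    "y": "placeholder-y-coordinate-base64url",
}
SAMPLE_TOKEN = "constructed-challenge-token"
SAMPLE_HOST = "rds01.corp.example"


if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print("publish TXT", challenge_record_name(SAMPLE_HOST), value)
    # Simulated resolver answer after the zone update has propagated.
    answers = ['"v=spf1 -all"', f'"{value}"']
    print("visible to CA:", record_is_published(value, answers))
```

Once this record is visible from outside (the OVH zone API is just the mechanism used to create it), the challenge can be validated regardless of where the host itself sits. Whatever client automates this for renewal should also remove the record afterwards and wait for propagation before triggering validation.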