We have an internal development network that uses a domain format like machine-01.int.enterprise.com. None of these servers are exposed to the internet. We have our own local CA on that network, but we can't necessarily control all of the client machines to give them our cert, which means that clients that use the apps/websites on these servers all get prompted with the "accept the cert" error because, obviously, it's not signed by a known CA.
On this internal network we have NO control over the enterprise.com domain, as that's managed by our enterprise IT, who don't want to give us any certs or anything since this is a separate network.
I was told that I could register basically any domain, use DNS-01(?) to validate a cert, and provide it to my servers, and then they would be correctly signed?
So how would this work? Would this work? For example:
- I have machineA.int.enterprise.com that people navigate to
- I register int-enterprise.com from Google and I use DNS-01 (?) to validate a cert for machineA.int.int-enterprise.com
- I give the machineA.int.int-enterprise.com cert to nginx on machineA.int.enterprise.com
- Then when people visit machineA.int.enterprise.com there is a redirect to machineA.int.int-enterprise.com?
OR - Could I do something like machineA-validcert.int.enterprise.com with the valid cert and then when people go to that new URL the valid cert would work?
The only real requirement I have is that users don't use the new int.int-enterprise.com domain and continue to use the regular domain.
Any suggestions on handling this?
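The check that decides whether any of the options above produces a warning is the hostname match a TLS client performs: the name the user typed into the address bar has to appear in the certificate's subjectAltName (exactly, or via a single-label wildcard), regardless of who signed it. The following is an added example, not code from the original post, that implements that RFC 6125 style comparison in plain Python and runs it over the names used in the question; the SAN lists are constructed for illustration and no real certificate is parsed.

```python
"""Added example (not from the original post): the subjectAltName hostname
check a TLS client performs before accepting a server certificate, applied to
the hostnames used in the question above.  Stdlib only; SAN lists below are
constructed for illustration rather than read from a real certificate."""
from typing import Dict, Iterable


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style comparison, case-insensitive.

    A wildcard is honoured only when it is the entire left-most label and
    there are at least two further labels, so '*.int.int-enterprise.com'
    matches 'machineA.int.int-enterprise.com' but not
    'a.b.int.int-enterprise.com', 'int.int-enterprise.com', or anything
    under a different parent.  Partial wildcards like 'machine*' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any dNSName SAN entry covers the requested hostname.

    This is the decision that produces (or avoids) the 'accept the cert'
    prompt once the chain itself validates to a trusted CA.
    """
    return any(_dns_name_matches(san, hostname) for san in san_dns_names)


# Constructed SAN lists modelling the certificates discussed in the post.
# A public CA validating via DNS-01 can only issue for names in zones the
# requester controls, so neither list can contain an int.enterprise.com name.
SAN_NEW_DOMAIN = ["machineA.int.int-enterprise.com"]
SAN_WILDCARD = ["*.int.int-enterprise.com"]


def evaluate_plan(san_dns_names: Iterable[str]) -> Dict[str, bool]:
    """Run the hostname check for each URL a user might end up on.

    Returns {hostname: accepted_without_prompt}.  The keys are the names
    from the question; the third is the '-validcert' variant it proposes.
    """
    sans = list(san_dns_names)
    candidates = [
        "machineA.int.enterprise.com",            # original name users type
        "machineA.int.int-enterprise.com",        # name after the redirect
        "machineA-validcert.int.enterprise.com",  # proposed alternative name
    ]
    return {host: cert_matches_host(sans, host) for host in candidates}


if __name__ == "__main__":
    for label, sans in (("single name", SAN_NEW_DOMAIN), ("wildcard", SAN_WILDCARD)):
        print(f"Certificate with {label} SAN {sans}:")
        for host, ok in evaluate_plan(sans).items():
            print(f"  {host:42s} -> {'no prompt' if ok else 'mismatch, prompt'}")
```

Running it shows that only the hostname actually present in the SAN passes, which is why the redirect variant works (the user ends up on machineA.int.int-enterprise.com) while serving the same certificate under the original name, or under machineA-validcert.int.enterprise.com, still triggers the prompt. The wildcard case also shows the one-label limit: `*.int.int-enterprise.com` covers `machineA.int.int-enterprise.com` but not a deeper name such as `a.b.int.int-enterprise.com`.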