I'm trying to secure an internal appliance that doesn't allow me to change its SSL certificate. I've already attempted to add the certificate in Chrome's approved list and also installed it in Windows' Trusted Root Certification Authorities via GPOs, but Chrome still marks it as invalid. Is there a way to ensure this connection is secure and encrypted, even though the Common Name (CN) and Subject Alternative Name (SAN) don't match the appliance's name?
3 Answers
You might want to set up a reverse proxy or a load balancer. Create a DNS record for a domain you control and install a proper certificate there. You can also add the appliance's certificate to the proxy if you want to verify the connection to the backend. Just remember to block direct access to the appliance through your firewall, except for the proxy. I personally use HAProxy for this, but NGINX or even some hardware firewalls should work too.
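An HAProxy configuration in the shape this answer describes, added here as an illustration and not the answerer's own config. The certificate paths, the backend address 10.0.0.50, and the names appliance.example.internal (the DNS record you control) and appliance-factory-name (whatever name actually sits in the appliance certificate's CN/SAN) are placeholders:

```haproxy
global
    # Refuse anything older than TLS 1.2 when HAProxy acts as a client to the backend.
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_appliance
    # Public side: a certificate issued for a name you control (placeholder path).
    # HAProxy expects the PEM file to contain the certificate chain and the private key.
    bind :443 ssl crt /etc/haproxy/certs/appliance.example.internal.pem alpn h2,http/1.1
    bind :80
    # Send plain-HTTP clients to HTTPS and tell browsers to stay there.
    http-request redirect scheme https unless { ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend be_appliance

backend be_appliance
    # Backend side: verify the appliance's certificate against the CA (or the
    # self-signed certificate itself) exported from the appliance, and pin the name
    # that really is in its CN/SAN with verifyhost, so the mismatch between that
    # name and the hostname clients use no longer matters. sni sends the same name
    # in the handshake in case the appliance selects its certificate by SNI.
    server appliance 10.0.0.50:443 ssl verify required ca-file /etc/haproxy/certs/appliance-ca.pem verifyhost appliance-factory-name sni str(appliance-factory-name) check
```

With `verify required`, HAProxy marks the backend down instead of silently falling back if the appliance certificate ever changes, which is the behaviour you want when the proxy is the only path to it.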
A faulty certificate can break the trust needed for secure connections. Although the connection will still be encrypted, you risk potential interception or alteration by malicious actors. Unfortunately, the only long-term solution is to replace the certificate; adding the root CA to your browser or OS won't help if the certificate is still deemed bad.
Have you considered changing the appliance's name to align with the CN or SAN? I believe you're referencing the appliance's hostname, right?