Troubleshooting Internal DNS with HSTS Challenges

Asked By TechieTurtle99 On

A few years back, we switched our internal DNS naming from a .local domain to a subdomain of our corporate domain (internal.company.co.uk). Our main corporate website enforces HSTS for all its subdomains, which is necessary since we host certain resources on subdomains (like images.company.co.uk). However, this has created substantial difficulties for us internally. Many management interfaces for devices and applications are served over HTTPS with self-signed certificates, which are blocked due to HSTS policy. We're aware that we can bypass this on a case-by-case basis using 'thisisunsafe' or by utilizing certificates from our internal CA, but many of these device management portals do not support automated or dynamic certificate renewal. As a small team, manually tracking and renewing a large number of certificates is operationally challenging. We are now considering changing our approach again and would like to hear suggestions, as the usual advice seems to parallel what we're already doing with internal DNS.
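To make the question concrete, here is the host-matching logic a browser applies when it decides whether a name is covered by an HSTS policy (RFC 6797 sections 6.1 and 8.2/8.3), as an added example written for this page rather than code from the question or any of the answers. It parses the `Strict-Transport-Security` header, stores the policy against the host that sent it, and then checks whether other names are "known HSTS hosts". The `company.co.uk` and `internal.company.co.uk` names come from the question; the `switch01` device name and the separate `company-internal.example` domain (the alternative raised in one of the answers below) are assumptions for illustration.

```python
"""HSTS policy parsing and host matching per RFC 6797.

Added example for this thread; not taken from the question or its answers.
Hostnames other than company.co.uk / internal.company.co.uk are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class HstsEntry:
    max_age: int
    include_subdomains: bool


def parse_hsts_header(value: str) -> Optional[HstsEntry]:
    """Parse STS directives (RFC 6797 section 6.1).

    Returns None when the header must be ignored: missing max-age,
    a non-numeric max-age, or a directive that appears twice.
    Unknown directives (e.g. 'preload') are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None  # duplicated directive invalidates the whole header
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsEntry(max_age, include_subdomains)


def remember(store: Dict[str, HstsEntry], host: str, header: str, secure: bool) -> None:
    """Update the known-HSTS-host store from a response header.

    Headers received over an insecure transport are ignored (section 8.1),
    and max-age=0 removes any existing entry for that host.
    """
    if not secure:
        return
    entry = parse_hsts_header(header)
    if entry is None:
        return
    host = host.lower().rstrip(".")
    if entry.max_age == 0:
        store.pop(host, None)
    else:
        store[host] = entry


def is_hsts_host(store: Dict[str, HstsEntry], host: str) -> bool:
    """Section 8.3: congruent match always applies; a superdomain match
    applies only if that superdomain's entry carries includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is None:
            continue
        if i == 0 or entry.include_subdomains:
            return True
    return False


def demo() -> Dict[str, bool]:
    """Replay the situation from the question with a constructed device name."""
    store: Dict[str, HstsEntry] = {}
    # The corporate site's policy, as the question describes it.
    remember(store, "company.co.uk", "max-age=31536000; includeSubDomains", secure=True)
    return {
        "images.company.co.uk": is_hsts_host(store, "images.company.co.uk"),
        "switch01.internal.company.co.uk": is_hsts_host(store, "switch01.internal.company.co.uk"),
        # A sibling domain (constructed) is not a subdomain, so it is not covered.
        "switch01.company-internal.example": is_hsts_host(store, "switch01.company-internal.example"),
    }


if __name__ == "__main__":
    for name, covered in demo().items():
        print(f"{name}: {'HSTS-covered' if covered else 'not covered'}")
```

The last lookup is why a separate registrable domain, rather than another subdomain, is the only DNS-side change that takes a name out from under the policy. Once a name is a known HSTS host, section 12.1 of the RFC says the user agent must not offer a click-through for a certificate error, which is exactly the behaviour the question works around with Chrome's `thisisunsafe` keyword.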

5 Answers

Answered By ServerSaviorX On

HSTS is definitely a pain for internal management, as you noted. Keeping your internal systems separate from external ones could save a lot of hassle in the long run. Also, look into automating your certificate renewals more thoroughly; it'll make life easier.

Answered By CodeWiz123 On

You might want to consider putting devices with self-signed certificates behind a reverse proxy like HAProxy. That way, you can automate the certificate renewals through the proxy, which simplifies the management process.
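The reverse-proxy layout suggested above, as an added example that is not part of the original answer: a small generator that turns a device inventory into an HAProxy configuration where one wildcard certificate for `*.internal.company.co.uk` is terminated at the proxy and each device keeps its own self-signed certificate behind it. The device names, addresses and file paths are constructed assumptions; the HAProxy directives (`bind ... ssl crt`, `use_backend`, `server ... ssl verify ...`) are standard. It also checks the one thing that bites with this layout: a wildcard certificate only matches a single extra label, so `a.b.internal.company.co.uk` would not be covered.

```python
"""Generate an HAProxy front end that terminates TLS for device portals.

Added example for this thread, not code from the answer above. Device names,
addresses and paths are constructed; the HAProxy syntax is the real thing.
"""
from dataclasses import dataclass
from typing import List, Optional

ZONE = "internal.company.co.uk"  # from the question
# Assumed: a cert+key bundle for *.internal.company.co.uk, renewed by whatever
# ACME or internal-CA tooling the proxy host runs.
WILDCARD_CERT = "/etc/haproxy/certs/wildcard.internal.company.co.uk.pem"


@dataclass
class Device:
    name: str                   # clients use <name>.<ZONE>
    address: str                # the device's own HTTPS listener (constructed)
    pinned_cert: Optional[str] = None  # path to the device's self-signed cert


def fqdn(device: Device) -> str:
    return f"{device.name}.{ZONE}"


def covered_by_wildcard(hostname: str, zone: str = ZONE) -> bool:
    """A certificate for *.zone matches exactly one additional label
    (RFC 6125 section 6.4.3); deeper names need their own certificate."""
    hostname = hostname.lower().rstrip(".")
    if not hostname.endswith("." + zone):
        return False
    return "." not in hostname[: -len(zone) - 1]


def backend_tls_options(device: Device) -> str:
    """Proxy-to-device TLS settings.

    A self-signed certificate is its own issuer, so pointing ca-file at it
    pins that exact certificate and the proxy still authenticates the device.
    'verify none' leaves that leg unauthenticated and should be the exception.
    """
    if device.pinned_cert:
        return f"ssl verify required ca-file {device.pinned_cert}"
    return "ssl verify none"


def render_haproxy_config(devices: List[Device]) -> str:
    names = [d.name for d in devices]
    if len(set(names)) != len(names):
        raise ValueError("duplicate device names in inventory")
    for d in devices:
        if not covered_by_wildcard(fqdn(d)):
            raise ValueError(f"{fqdn(d)} is not covered by *.{ZONE}")

    lines = [
        "frontend mgmt_https",
        f"    bind :443 ssl crt {WILDCARD_CERT}",
        "    http-request set-header X-Forwarded-Proto https",
    ]
    for d in devices:
        lines.append(f"    use_backend {d.name} if {{ hdr(host) -i {fqdn(d)} }}")
    lines += ["    default_backend no_match", ""]
    for d in devices:
        lines += [
            f"backend {d.name}",
            f"    server {d.name} {d.address} {backend_tls_options(d)}",
            "",
        ]
    # Anything not in the inventory gets a 403 rather than a random device.
    lines += ["backend no_match", "    http-request deny"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    inventory = [  # constructed sample inventory
        Device("switch01", "10.0.0.10:443", "/etc/haproxy/devices/switch01.crt"),
        Device("ups01", "10.0.0.20:443"),
    ]
    print(render_haproxy_config(inventory))
```

With this in place only the proxy's wildcard certificate needs renewing, which is the one certificate that can be automated regardless of what the device firmware supports. Pin each device's self-signed certificate via `ca-file` where you can; `verify none` is the quick option, but it means the proxy cannot tell the real device from anything else answering on that address.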

Answered By NinjaNetAdmin On

You've made a good choice moving to a corporate domain. Forget self-signed certificates in this case; go with trusted CA certificates. They cost very little and will save you headaches. Plus, you should automate as much as possible to prevent manual tracking.

Answered By ITGrump07 On

If you can't manage certificates properly right now, think about moving to a completely separate domain instead of just a subdomain. It might reduce HSTS headaches, but your users would need to be informed to trust both domains. Ideally, you should use trusted certificates for internal use, maybe look into automating with Let's Encrypt.

Answered By DevOpsGuru99 On

For external services you host, you can set your internal DNS to point to them correctly without needing certificates for internal management tasks. Just map your domains properly to resolve internally and externally. That way, you'll get the right certificates while keeping it manageable.
