Is it a Bad Idea to Override Public Domains with Local DNS?

Asked By CuriousTechie83 On

Hey everyone! I'm working on setting up some CI/CD tools at my company, specifically a Docker registry. I'd like to avoid some hassle with SSL certificates, so I've asked the sysadmins for access to a DNS server. However, they're only providing me with DNS servers that work with a "*.domain.local" format. This is problematic for me because I'd ideally need a signed certificate that can work with any VM without additional configuration. To do this, I'd have to create my own Certificate Authority (CA) to get a certificate for something like my registry.company.local. The downside is that I'd have to install this CA on each machine, and some programs like Oracle Java or Python requests prefer their own certificate authorities.

To solve this, I thought about getting a wildcard SSL certificate for a subdomain like *.intra.company.com from a recognized CA, which wouldn't be available on the public internet but would be accessible via our local DNS servers. However, the support team is hesitant to help me with this, stating concerns without a clear explanation. I'm trying to figure out if this approach is truly problematic or if there's a better way to handle my situation.

4 Answers

Answered By DevOpsNinja42 On

If the service is just for internal use, consider getting a certificate from your organization's CA instead. I understand where the sysadmins are coming from—they’re usually cautious about issuing wildcard certificates since it's generally seen as bad practice, especially for security reasons.

DockerGuru99 -

Yeah, I get that wildcards can be risky! The real challenge is avoiding the need to install that CA everywhere due to some apps having their own cert repositories. If I can just have a single reliable certificate for something like registry.intra.company.com, it might save a lot of hassle.

Answered By SecurityBuff41 On

If you own a public domain like company.com, you can still get a certificate for an internal server that isn't out there on the net. Just route your DNS to that internal server, and it’ll still be valid. I work in a multi-agency setup, and this is how we manage our certs—valid public SSL certs that point to internal IPs.

CuriousTechie83 -

That’s a solid plan! Seems like managing a private CA might be the best route for me, especially since I’m already setting that up. Your insights really help clear things up! I’ll just need to train the team on how to trust the CA for things like Java and Python.

Answered By InquisitiveAdmin14 On

Are the sysadmins clear on what your project is all about? If you’re dealing with crucial apps, it might be worth considering setting up a dedicated subdomain with an intermediate CA. Especially if this is for dev purposes, having separate cert servers could help avoid security headaches down the line.

Answered By TechSimplifier88 On

Don't overcomplicate things! Just set up your service to work via IP with SSL for now, and let the sysadmins know you need a hostname and certificate. While you're waiting, if non-SSL traffic is out, you can temporarily use a self-signed certificate and modify the hosts file to get your service up and running.

CuriousTechie83 -

That’s exactly what I'm leaning towards. Thanks for the confirmation! I might just end up setting up the CA myself to streamline things.
