I'm new to handling certificates and need some advice. I have an Active Directory domain called corp.company.com, which hosts all our systems. We also manage an external DNS zone for company.com and have set up a DNS zone for internal.company.com to simplify troubleshooting and connection to internal websites. Currently, we have a wildcard certificate from GoDaddy for *.company.com, but that hasn't worked for my testing. I'm looking for the best way to manage certificates for this internal setup—should I consider purchasing another certificate, or is there a better method? I've already attempted to create a CSR with Windows CA but ran into some issues.
5 Answers
Instead of creating a new zone, why not use corp.internal.com for your internal sites? Also, if your clients trust your Active Directory Certificate Services (ADCS) root cert, you could issue certificates through your Windows CA without any issues. Just remember, it's best not to use wildcards on internal resources as they can pose a risk if one machine is compromised.
A wildcard cert isn’t recursive, meaning it won’t cover internal subdomains like server1.internal.company.com. You’d need a *.internal.company.com or individual certificates for each system, which can be tedious but is a safer approach.
If you're considering running your own certificate authority, step-ca is a good option. With Windows, deploying the root certificate via GPO or Intune can streamline things, ensuring all clients trust it.
Another option is to create a wildcard cert for *.internal.company.com for your internal services. You might also want to remove the company.com zone from your internal DNS to prevent conflicts.
Have you thought about using Let's Encrypt? They allow you to issue an internal wildcard certificate using DNS validation, which can make things easier for your internal domains.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures