Hey everyone, I'm having a tough time getting SSL to work with my internal domain that's set up in a private hosted zone. It's meant to be accessed strictly from a VPN, so I can't use public certificates. I know that a private CA could work, but it's too pricey for my needs. While I understand that technically, I can use a public domain name and create a subdomain for internal use, I need to ensure this is completely internal. I've thought about using ACM with an NLB to try and use Let's Encrypt, but that won't fit my 100% internal requirement. Before I go through the hassle of setting up my own internal CA for provisioning and distribution, does anyone have suggestions for an easier solution? I'd really appreciate any help! Cheers!
3 Answers
You could go for a self-signed certificate or even set up a private CA using OpenSSL to sign your certificate requests. But honestly, getting a public CA-signed certificate is usually a lot simpler. You wouldn’t have to expose your private DNS records—just prove domain ownership to the public CA. If you use an Application Load Balancer (ALB) in AWS, you might be able to get a certificate through ACM established by a public CA.
Just to clarify, you're looking for your private domain (like TroglodyteTechie.yeet) to have a certificate that a public CA would sign, which doesn't quite add up. A legitimate public CA can't verify your ownership of that private domain, so they'd never approve it. Creating your custom CA and signing your own certificates for the private domain is the way to go. As long as you distribute your private CA certificate to all users, you shouldn't face TLS errors, even if they're self-signed.
The most straightforward approach would be to set up your own root CA certificate and install it on every device that needs to access your internal domain. All SSL certificates for your private domains would then rely on that same root CA. If a device doesn’t have your root CA installed, it won't trust the domain and will throw up security warnings. That's an important thing to keep in mind!
Yeah, I think establishing your own CA is the only practical solution here. I've run into similar issues, especially while trying to access internal resources through iframes.
Absolutely, my goal isn't to have a public CA sign my CA. I just want to avoid TLS issues when accessing the domain over a secure connection. If it was just browsing, a self-signed certificate wouldn't be a problem. But with iframes in a native app, you can't bypass it. I considered just using a load balancer with a static IP instead, but it's not ideal.