Hello everyone,

A bit of background on how things are configured: I have many local services and am in the process of setting up two local domains, namely local1.publick.com and local2.publick.com. I own the domain name publick.com and manage it through Cloudflare.

Local1 is for the Windows domain and is using Active Directory, while local2 is for the Linux domain and is using RHEL IDM.

Now, as I am also exploring Single Sign-On (SSO) with Keycloak and a few other things, I would like to properly set up SSL for all these subdomains. Can I configure two local certificate authorities? One for local1.publick.com and another for local2.publick.com? I would then use these to create certificates for service.local1.publick.com and service.local2.publick.com. Since the AD domain controller and RHEL IDM controller are authoritative for these two domains, can I still integrate two CAs with this setup?

  • Lem453@lemmy.ca · 2 years ago

    Do you want to create your own certs? You can use Let's Encrypt certs on internal-only local subdomains using the DNS challenge.

    https://youtu.be/liV3c9m_OX8

    I do this with traefik and authentik and use SSO for both internal and external domains.
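What the DNS challenge actually puts in DNS, as an added example that is not part of Lem453's comment or the linked video: an ACME client receives a token from the CA, joins it to the RFC 7638 thumbprint of its account key, SHA-256 hashes that key authorization and publishes the base64url digest as a TXT record at `_acme-challenge.<name>` (RFC 8555 section 8.4). The CA validates by querying public DNS only, which is why `<name>` can be a host that never resolves or is reachable from the Internet. The token, thumbprint and hostname below are constructed placeholders, and the `1.1.1.1` resolver in `check_txt` is an assumption.

```shell
#!/bin/sh
# Added example (not the commenter's setup): the ACME DNS-01 challenge value, computed
# as RFC 8555 section 8.4 specifies. Token and thumbprint here are constructed placeholders.
set -eu

# base64url (RFC 4648 section 5, unpadded) of the SHA-256 digest of stdin
b64url_sha256() {
  openssl dgst -sha256 -binary | openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# dns01_txt_value <token> <account-key-thumbprint>: the TXT record data.
# The key authorization is "<token>.<thumbprint>"; DNS-01 publishes its SHA-256, not the
# key authorization itself, so the record reveals nothing reusable.
dns01_txt_value() {
  printf '%s.%s' "$1" "$2" | b64url_sha256
}

# dns01_record_name <fqdn>: the owner name of the TXT record
dns01_record_name() {
  printf '_acme-challenge.%s' "$1"
}

# check_txt <fqdn> <expected>: confirm the record is visible at a public resolver before
# telling the CA to validate (needs dig and network; not called in the demo below)
check_txt() {
  dig +short TXT "$(dns01_record_name "$1")" @1.1.1.1 | tr -d '"' | grep -qx "$2"
}

# Constructed inputs (not real ACME data)
TOKEN='constructed-token-0123456789'
THUMBPRINT='constructed-account-key-thumbprint'
NAME='service.local1.publick.com'

# The record the DNS plugin creates at Cloudflare; the value is 43 base64url characters
echo "$(dns01_record_name "$NAME") 300 IN TXT \"$(dns01_txt_value "$TOKEN" "$THUMBPRINT")\""
```

In practice a client such as certbot with its Cloudflare DNS plugin performs this exchange for you; the functions above are useful when a validation fails and you want to compare what is actually published against what the client should have written. Note that the Cloudflare API token the client holds can edit the zone, so scope it to that one zone and keep it off the internal hosts that only need the resulting certificate.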

  • RedFox@infosec.pub · 2 years ago

    One of the keys to selecting the solution from the provided answers is if you need this to be publicly trusted.

    I use an internal OpenSSL CA root and created an intermediate CA for each Active Directory domain or forest. Also, I wanted to create internal PKI smart cards with YubiKeys and HID C1150 cards. For, you know, fun.

    I didn’t care that other hosts don’t trust my stuff because all my hosts are configured with root ca, and I only use VPN for access.

    If you want external trust, you must do some of the other suggestions. Setting up an internal CA is a chore: understanding AIA, CDP points, line of sight to PKI URLs for revocation checking, and more…
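The hierarchy RedFox describes, as an added example that is not the commenter's own scripts: one root, one intermediate CA per domain, a server certificate under each, and the two checks a client performs. It also shows what the AIA and CDP extensions look like on the certificates, since those are the "line of sight" the comment refers to. The CA names, the `pki.publick.com` host and the URL paths are assumptions, and the CRL and issuer files those URLs would serve are not published here. It assumes OpenSSL 1.1.1 or later (LibreSSL works too).

```shell
#!/bin/sh
# Added example, not the commenter's files: two-tier internal PKI with the openssl CLI.
# pki.publick.com and the AIA/CDP paths are assumed values, not a real endpoint.
set -eu

# Minimal req config plus the CA extension profiles, so nothing depends on the system
# openssl.cnf. -subj on the command line overrides the placeholder DN.
write_cfg() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[dn]
CN = placeholder

[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# AIA: where a client fetches the issuer cert; CDP: where it fetches the issuer's CRL.
# Every validating host needs line of sight to these URLs (assumed values).
authorityInfoAccess = caIssuers;URI:http://pki.publick.com/root.crt
crlDistributionPoints = URI:http://pki.publick.com/root.crl
EOF
}

# leaf_ext <dir> <ca-name> <fqdn>: server-cert profile; the name goes in a SAN, not only the CN
leaf_ext() {
  cat > "$1/$3.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$3
authorityInfoAccess = caIssuers;URI:http://pki.publick.com/$2.crt
crlDistributionPoints = URI:http://pki.publick.com/$2.crl
EOF
}

# gen_key <dir> <name>: P-256 private key
gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"; }

# issue_ca <dir> <ca-name> <subject>: intermediate CA signed by the root
issue_ca() {
  gen_key "$1" "$2"
  openssl req -new -config "$1/req.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
    -days 1825 -extfile "$1/req.cnf" -extensions v3_intermediate -out "$1/$2.crt"
}

# issue_leaf <dir> <ca-name> <fqdn>: server cert signed by that domain's intermediate
issue_leaf() {
  gen_key "$1" "$3"
  leaf_ext "$1" "$2" "$3"
  openssl req -new -config "$1/req.cnf" -key "$1/$3.key" -subj "/CN=$3" -out "$1/$3.csr"
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -days 397 -extfile "$1/$3.ext" -out "$1/$3.crt"
}

# build_pki <dir>: root, one intermediate per domain, one service cert in each domain
build_pki() {
  write_cfg "$1"
  gen_key "$1" root
  openssl req -x509 -new -config "$1/req.cnf" -key "$1/root.key" \
    -subj "/O=publick/CN=publick Root CA" -days 3650 -out "$1/root.crt"
  issue_ca "$1" local1-ca "/O=publick/CN=local1.publick.com Issuing CA"
  issue_ca "$1" local2-ca "/O=publick/CN=local2.publick.com Issuing CA"
  issue_leaf "$1" local1-ca service.local1.publick.com
  issue_leaf "$1" local2-ca service.local2.publick.com
}

# verify_chain <dir> <ca-name> <fqdn>: trust only the root; the intermediate is passed
# untrusted, exactly as a TLS server must send it, and the name is checked against the SAN
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2.crt" \
    -verify_hostname "$3" "$1/$3.crt" >/dev/null 2>&1
}

# verify_root_only <dir> <fqdn>: what a client sees when the server omits the intermediate
verify_root_only() {
  openssl verify -CAfile "$1/root.crt" "$1/$2.crt" >/dev/null 2>&1
}

dir=$(mktemp -d)
build_pki "$dir"
for name in service.local1.publick.com service.local2.publick.com; do
  ca=local1-ca; case $name in *.local2.*) ca=local2-ca;; esac
  if verify_chain "$dir" "$ca" "$name"; then echo "$name: chain OK via $ca"; fi
  if verify_root_only "$dir" "$name"; then echo "$name: unexpected"; else echo "$name: fails without intermediate"; fi
done
```

Two points worth keeping from the run: only `root.crt` goes into each host's trust store (AD group policy and IDM on the Linux side can both push it), and every service must serve its intermediate in the TLS chain, otherwise clients that trust the root still fail exactly as `verify_root_only` does. A cert from `local2-ca` does not validate through `local1-ca`, so the two domains stay isolated even though they share a root.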

  • Decronym@lemmy.decronym.xyz (bot) · edited, 2 years ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer letters  More letters
    CA             (SSL) Certificate Authority
    DNS            Domain Name Service/System
    SSL            Secure Sockets Layer, for transparent encryption
    SSO            Single Sign-On
    VPN            Virtual Private Network

    5 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

    [Thread #447 for this sub, first seen 23rd Jan 2024, 10:05]

  • solrize@lemmy.world · edited, 2 years ago

    If you want a local CA for just a few low-assurance certificates (say for a test stack), the CA.pl script in the OpenSSL distro is simple and sort of usable. If you want to be more serious you sort of have to know what you are doing. If you just want people's browsers to accept your subdomains, use a wildcard certificate (*.whatever.com). Let's Encrypt issues those and Cloudflare also might.