Hello everyone,

A bit of background on how things are configured: I have many local services and am in the process of setting up two local domains, namely local1.publick.com and local2.publick.com. I own the domain name publick.com and manage it through Cloudflare.

Local1 is for the Windows domain and is using Active Directory, while local2 is for the Linux domain and is using RHEL IDM.

Now, as I am also exploring Single Sign-On (SSO) with Keycloak and a few other things, I would like to properly set up SSL for all these subdomains. Can I configure two local certificate authorities? One for local1.public.com and another for local2.publick.com? I would then use these to create certificates for service.local1.publick.com and service.local2.publick.com. Since the AD domain controller and RHEL IDM controller are authoritative for these two domains, can I still integrate two CAs with this setup?

  • ShortFuse@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    10 months ago

    Years (decades) ago it wasn’t uncommon to create self-signed/local CAs for active directory, but it’s really uncommon today since everything is internet facing and we have things like Let’s Encrypt.

    It’s so old, the “What’s New” article from Microsoft references Windows Server 2012 which is around when I stopped working on Windows Server. I kinda remember it, and you needing to add the server’s cert to your trusted roots. (I don’t know about Linux, but the concept is the same, I’m sure. I never tried generating certificates, but know all the other client -side stuff. Basically you need a way to fulfill CSRs.)

    https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/

    What you’d want to do it in Windows is all there, and Microsoft made that pretty easy back then to integrate with all their platforms and services, but I’d caution, do you really want to implement 10+ year old tech?

  • solrize@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    10 months ago

    If you want a local CA for just a few low assurance certificates (say for a test stack), the CA.pl script in the openssl distro is simple and sort of usable. If you want to be more serious you sort of have to know what you are doing. If you just want people’s browsers to accept your subdomains, use a wildcard certificate (*.whatever.com). LetsEncrypt issues those and Cloudflare also might.

      • solrize@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        You can also use certbot on the subdomain servers if they are on the Internet, to auto-renew individual subdomain certificates. To run a “real” CA you need a lot of opsec and infrastructure regardless of what software you use. For basic dev-level purposes, CA.pl works and has been around forever, though I’m sure there is better stuff out there.

        Re perl, see also: https://xkcd.com/224/ :)

        • TCB13@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          10 months ago

          You can also use certbot on the subdomain servers if they are on the Internet, to auto-renew individual subdomain certificates. To run a “real” CA you need a lot of opsec and infrastructure regardless of what software you use

          Yes, I agree with you and I always tell everyone to stay away from creating a CA. - it’s just not worth it the workload and the risks. Either way certbot can be even used without exposing local servers to the internet with DNS challenges and other means of authentication. The wildcard has the advantage of not having to publish those subdomains publicly in some for (DNS) or another (crt.sh).

          For basic dev-level purposes, CA.pl works and has been around forever, though I’m sure there is better stuff out there.

          https://github.com/FiloSottile/mkcert is the way to go for that.

    • kylian0087@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 months ago

      I am already using this for publick services i have things jellyfin.publick.com domains. Which works fine for that usecase. What I am looking for here is to make SSL work properly for services that are part of the 2 local domains. where the 2 controllers are authoritative of those 2 domains.