designetwork(EN)

IT technical memo of networking

How to proceed with local domain SSL certificates


Organisations very often use an unregistered, private suffix such as .local or .internal as their internal domain name, giving hosts names like test.local or test.internal. (Note that .local is also the suffix reserved for multicast DNS by RFC 6762, so using it for ordinary unicast DNS can clash with mDNS resolvers on macOS and Linux clients.)

This memo describes one of the problems that comes up when using such a local domain: how to obtain an SSL/TLS certificate for it.

Certificate issue for .local domains

As detailed in the following article:

Internal Server Name SSL Certificate Issuance After 2015

In outline, suffixes such as .local and .internal are not delegated generic top-level domains (gTLDs) like .com or .jp. Nobody can therefore prove exclusive control of such a name to a certificate authority, and publicly trusted CAs are not allowed to issue certificates for them: the CA/Browser Forum Baseline Requirements prohibit issuing publicly trusted certificates for internal server names and reserved IP addresses from 1 November 2015, and certificates issued earlier had to be revoked by 1 October 2016.

From a security standpoint, a local domain is chosen independently by each organisation, so unlike a registered Internet domain its uniqueness is not guaranteed; two companies can both run a server called mail.test.local. A public certificate for such a name would be just as valid on an impostor's server as on the legitimate one, which is how spoofing (man-in-the-middle) becomes possible and why public CAs must not issue them.

Workaround

Here is the recommended approach for SSL certificates on a local domain.

The article linked above describes the options as follows:

Options for Internal or Local SSL Certificates

So what can you do if you have servers with internal names and/or reserved IPs that you want to secure with SSL? There are a couple options:

  • Migrating to registered domain names - a good long term option and allows you to continue getting certificates from your preferred trusted CA provider.
  • Setting up and running your own enterprise CA – however, this comes with the costs of procuring, configuring and running your own CA and OCSP services.
  • Using self-signed SSL Certificates – however, this is only good in very limited environments (e.g. test servers). It teaches users to ignore important browser warnings which can lead to security issues if they accept self-signed certificates outside of their company.
  • Obtaining SSL Certificates under non-public roots from your trusted CA provider – this is a good option if you want to continue using unqualified names, but don’t want to run your own CA or rely on self-signed certificates.

If possible, migrating to a registered domain is recommended. For a new design, it is best to base internal names on a domain the organisation has actually registered on the Internet from the start (a dedicated subdomain of the company's public domain, for instance), so that certificates from a trusted CA remain an option.

For purely local environments it is also acceptable to use a self-signed SSL certificate (known in Japanese as an "ore-ore", literally "me-me", certificate).
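The two options in the list above that an organisation can carry out by itself, running its own CA and using a self-signed certificate, done with openssl as an added shell example; this is not code from the original post or from the linked article. It assumes openssl 1.1.1 or later is on PATH, and the names Example Internal CA, test.local and dev.test.internal are made up for the illustration. The last two functions perform the check a client performs: the CA-issued certificate chains to the private root and carries the hostname in its subjectAltName, while the self-signed one does not chain to anything, which is why the self-signed route only suits development and verification environments.

```shell
#!/bin/sh
# Added example, not from the original post: the "own enterprise CA" and
# "self-signed certificate" options done with openssl. Assumes openssl 1.1.1+
# is on PATH. All names (Example Internal CA, test.local, dev.test.internal)
# are made up for this illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Option "own enterprise CA": create a private root. Nothing outside the
# organisation trusts it, which is the point: a .local name only means
# something inside the network that also distributes this root to clients.
make_private_ca() {
  cat >"$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate for an internal hostname from the private CA.
# The hostname goes into subjectAltName; modern browsers ignore a CN-only cert.
issue_server_cert() {   # $1 = internal hostname, e.g. test.local
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$1" >"$WORK/$1.cnf"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$1" >"$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Option "self-signed": a certificate that is its own issuer. Fine for a
# throw-away development box; no client trusts it until someone clicks
# through a warning, which is why the post limits it to dev/test use.
make_self_signed() {    # $1 = hostname, e.g. dev.test.internal
  cat >"$WORK/$1.selfsigned.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_leaf
[dn]
CN = $1
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:$1
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 90 \
    -config "$WORK/$1.selfsigned.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Chain check as a client does it: does the certificate chain to the root?
verify_against_ca() {   # $1 = root cert, $2 = leaf cert; exit status is the verdict
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate actually name the host? (SAN is what clients match on.)
san_contains() {        # $1 = cert, $2 = DNS name
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

main() {
  make_private_ca
  issue_server_cert test.local
  make_self_signed dev.test.internal
  for host in test.local dev.test.internal; do
    if verify_against_ca "$WORK/ca.crt" "$WORK/$host.crt"; then v=OK; else v="not trusted"; fi
    echo "$host: chains to the private CA: $v"
  done
  san_contains "$WORK/test.local.crt" test.local && echo "test.local: SAN present"
}
main
```

Distributing ca.crt to every client's trust store (and running revocation for it) is the part the quoted list calls the cost of running your own CA; the `openssl verify -CAfile` check above is the same decision a browser makes when it chooses whether to show a warning, and the self-signed certificate fails it by construction.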

Conclusion - How to proceed with local domain SSL certificates

Where a certificate for a local domain is required, it is better to move to a domain the organisation has registered than to keep the local domain.

In local and interim environments such as development and verification (staging) environments, applying a self-signed certificate (an "ore-ore" certificate) is one workable countermeasure, as long as it stays confined to those environments.


This blog is the English version of my Japanese one.

Sorry if my English sentences are incorrect.
