Re: Non-self-signed SSL certificates for private hosted DNS zones

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On Mar 7, 2017, at 2:21 AM, Traiano Welcome <traiano@xxxxxxxxx> wrote:
> 
> I have a private DNS zone hosted on AWS route 53, only resolvable from
> within some specific VPCs.
> It appears some applications require an SSL certificate associated with
> the private DNS zone, and this SSL certificate should come from a trusted,
> external certificate provider (cannot be self-signed).

The "trusted external" CA that issues the not-self-signed end-entity cert
can almost certainly (with appropriate configuration of the client app)
be a private CA that you create and provide to the SSL clients.

In which case the question below is moot.

> My questions are:
> 
> a) Is this a known use-case? i.e private dns zones requiring non-self-signed
> certificates?

I usually use private CA certs for use on non-public networks.

> b) Since the DNS zone is not resolvable on the public internet,
> how would the certificate validation process occur for applications
> communicating with systems in the private zone ?

There is some prior history of public CAs issuing certificates for
private namespaces, but IIRC this practice is discouraged and going
away.

> c) Do SSL certificate providers issue trusted SSL certificates  for private DNS zones?

It is not really possible for them to know that the names in question
are used in another "private" deployment elsewhere.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux