
Hi, I am working with a very basic Active Directory setup, which unfortunately is named mydomain.local, which means I can't get an SSL cert. I bought one for an external domain, mydomain.click. I basically created a DNS zone in AD DNS for mydomain.click and pointed it at the relevant IP. On my test environment this works. But are there any unintended problems from doing this? Or better solutions?

user1102550
  • If all your computers are domain joined it doesn't matter that your AD domain does not correspond to a domain name you actually own (with regards to SSL certs). Simply set up your own CA service. See for instance http://serverfault.com/questions/426183/how-does-ipv6-subnetting-work-and-how-does-it-differ-from-ipv4-subnetting – HBruijn Aug 25 '16 at 20:15
  • Hi, that link was about IP subnetting; I'm a developer and not a network guy, so I wasn't sure how it related. I couldn't change the domain, I don't have the skills to do it, I believe it's a really big job and the client wouldn't want it. I could go down the CA route, but it's more work. If it's the best solution then I'm open to it, but I can get this to work; I just want some guidance on whether it will cause a problem further down the line or whether it's just something an experienced network guy would see as a bit of a hack but generally harmless. – user1102550 Aug 25 '16 at 21:01
  • The wrong thing in my paste buffer, sorry! I think this is what I intended to link to http://serverfault.com/questions/358994/distribution-of-root-certificate-with-windows-ad-certificate-services – HBruijn Aug 25 '16 at 21:27
  • What are you actually trying to accomplish with an SSL certificate? – user5870571 Aug 25 '16 at 22:47
  • It sounds like this is related to the website for your domain name. If so, then it isn't related to AD at all. If this SSL is meant to secure your public website, then use the website name for the certificate and install the certificate on your web server. – joeqwerty Aug 26 '16 at 00:10
  • You can't get SSL certs for internal domains (e.g. mydomain.com), so I bought one for an external domain we have but don't use (e.g. mydomain.info). I am using the AD DNS zone to associate my internal intranet app's IP with that domain so I can use that cert. Basically, is it safe to use a DNS zone/host entry purely to create an additional DNS entry for our network? I'm open to other suggestions for the future, but I'm happy to use this as an approach as long as it doesn't have any weird side effects. – user1102550 Aug 26 '16 at 07:45
  • It's my understanding that in IIS 8, if the SSL cert is bought for mydomain.info, the user needs to access the site via that URL, which in the case of the customer means an internal DNS entry somewhere. Is my understanding correct? – user1102550 Aug 26 '16 at 07:54

1 Answer

Yes, the certificate Common Name must match the website name.

You've kind of made this harder for yourself and you've spent money that you didn't need to spend. You could have issued a self-signed certificate for your internal web site and deployed that self-signed certificate to your domain clients with Group Policy.

You could also have set up your own internal Certificate Authority for this purpose.

To answer your question, yes you can create a DNS zone for this.

joeqwerty
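As an added example (not part of the question or the answer above), this is the PowerShell a domain admin would run to create the internal zone and host record the answer describes, followed by two checks: that domain clients resolve the name to the internal server, and that the purchased certificate actually carries the exact name users will type. The host name intranet.mydomain.click, the web server IP 10.0.0.25 and the DC name dc01 are assumed values.

```powershell
# Added example, not from the original post. Run on a DC (or a machine with the
# DnsServer RSAT module) as a domain admin. Assumed values below.
Import-Module DnsServer

$Domain   = 'mydomain.click'          # the externally owned domain the cert was bought for
$HostName = 'intranet'                # assumed internal app host
$Fqdn     = "$HostName.$Domain"
$WebIp    = '10.0.0.25'               # assumed internal web server address
$DcName   = 'dc01'                    # assumed DC to query

# Option A (what the question does): an AD-integrated zone for the whole domain.
# Caveat: inside the forest this zone now shadows the public mydomain.click zone, so
# every public name under it (www, mail, ...) must be re-added here or it stops
# resolving for domain members.
if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Domain -ReplicationScope Forest -DynamicUpdate Secure
}
Add-DnsServerResourceRecordA -ZoneName $Domain -Name $HostName -IPv4Address $WebIp

# Option B (narrower): a zone for just the one host name, with the A record at the
# zone apex, so the rest of the public domain keeps resolving normally.
# Use one option or the other, not both.
# Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope Forest
# Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' -IPv4Address $WebIp

# Check 1: domain clients resolve the name to the internal server.
$answer = Resolve-DnsName -Name $Fqdn -Type A -Server $DcName -ErrorAction Stop
if ($answer.IPAddress -notcontains $WebIp) {
    throw "$Fqdn does not resolve to $WebIp via $DcName"
}

# Check 2 (run on the IIS host): the certificate covers the exact name users type.
# A cert issued only for 'mydomain.click' does not cover 'intranet.mydomain.click';
# it needs that name as a SAN, or a '*.mydomain.click' wildcard.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.DnsNameList.Unicode -contains $Fqdn -or
                   $_.DnsNameList.Unicode -contains "*.$Domain" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No installed certificate with a private key covers $Fqdn"
}
"Bind $($cert.Subject) (thumbprint $($cert.Thumbprint)) to the HTTPS site for $Fqdn"
```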