Hello everyone,

A bit of background on how things are configured: I have many local services and am in the process of setting up two local domains, namely local1.publick.com and local2.publick.com. I own the domain name publick.com and manage it through Cloudflare.

Local1 is for the Windows domain and is using Active Directory, while local2 is for the Linux domain and is using RHEL IDM.

Now, as I am also exploring Single Sign-On (SSO) with Keycloak and a few other things, I would like to properly set up SSL for all these subdomains. Can I configure two local certificate authorities? One for local1.public.com and another for local2.publick.com? I would then use these to create certificates for service.local1.publick.com and service.local2.publick.com. Since the AD domain controller and RHEL IDM controller are authoritative for these two domains, can I still integrate two CAs with this setup?

  • MSgtRedFox@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    10 months ago

    One of the keys to selecting the solution from the provided answers is if you need this to be publicly trusted.

    I use an internal openssl ca root, created intermediate ca for each active directory domain or Forest. Also, I wanted to create internal PKI smart cards with yubikeys and his c1150 cards. For you know, fun.

    I didn’t care that other hosts don’t trust my stuff because all my hosts are configured with root ca, and I only use VPN for access.

    You want external trust, must do some of the other suggestions. Setting up internal CA is a chore with understanding AIA, CDP points, line of sight to PKI urls for renovation checking, more…