
563 points joncfoo | 1 comment
xvilo No.41205561
Any ideas on how you would run SSL/TLS on these set-ups?
replies(4): >>41205597 >>41205600 >>41206406 >>41208111
1. jeroenhd No.41206406
An internal certificate authority would probably be the easiest option. Combined with MDM/group policy, you could tell most devices in your network to set up a trust chain of your own. From then on you can automate access by running your own ACME server internally to automatically hand out certificates to local devices.

The automated setup probably isn't very secure, though. Anyone can register any .local name on the network, so spoofing hostnames becomes very easy once you get access to any device on the network. Send a fax with a bad JPEG and suddenly your office printer becomes xvilo.local, and the ACME server has no way to determine that it's not.

That means you probably need to deal with manual certificate generation, manually renewing your certificates every two years (and, if you're like me, forgetting to before they expire).
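The manual route jeroenhd lands on (an internal root, a leaf certificate for one host, clients that trust only that root, and a renewal deadline you actually track) can be sketched in a few dozen lines with Go's standard `crypto/x509`. This is an added illustration, not code from the thread or from any of the projects discussed; the CA name, the `printer.local` hostname, the two-year validity and the 30-day renewal window are assumptions chosen for the example. Note what it does and does not do: the CA will happily sign whatever hostname you hand `IssueLeaf`, so it still has no way of knowing whether the requester really is `xvilo.local`; the only thing a client can check is that the presented certificate chains to the root and names the host it connected to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TwoYears is the validity the comment describes renewing by hand (assumed value).
const TwoYears = 2 * 365 * 24 * time.Hour

// CA is an internal root: a self-signed certificate plus its signing key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root that can only sign end-entity certificates
// (MaxPathLen 0), valid ten years from now. The name is an example, not a real CA.
func NewCA(name string, now time.Time) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour), // tolerate small clock skew
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueLeaf signs a server certificate for one hostname. Nothing here verifies
// that the caller controls that name; that is exactly the gap the comment points at.
func (ca *CA) IssueLeaf(hostname string, now time.Time, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname}, // clients match on the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Verify does what a client provisioned with the internal root (e.g. via MDM or
// group policy) does: build a chain to that root and check the hostname.
func (ca *CA) Verify(leaf *x509.Certificate, hostname string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: pool, CurrentTime: now})
	return err
}

// RenewalDue reports whether the certificate expires within the given window,
// so the "forgot to renew" failure mode becomes a check you can schedule.
func RenewalDue(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return now.Add(window).After(cert.NotAfter)
}

func main() {
	now := time.Now()
	ca, err := NewCA("Example Internal Root", now)
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.IssueLeaf("printer.local", now, TwoYears)
	if err != nil {
		panic(err)
	}
	fmt.Println("printer.local verifies:", ca.Verify(leaf, "printer.local", now) == nil)
	fmt.Println("same cert as xvilo.local:", ca.Verify(leaf, "xvilo.local", now) == nil)
	fmt.Println("renewal due within 30 days:", RenewalDue(leaf, now, 30*24*time.Hour))
}
```

Running it shows the leaf verifying for `printer.local` and failing for `xvilo.local`, which is the whole of what the trust chain buys you: it pins a certificate to a name, not a name to a device. Whoever can get the CA (or an ACME front end to it) to sign `xvilo.local` gets a certificate that verifies just as well, so the access control belongs on issuance, not on the root.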