> On Mar 7, 2017, at 2:21 AM, Traiano Welcome <[email protected]> wrote:
>
> I have a private DNS zone hosted on AWS route 53, only resolvable from
> within some specific VPCs.
> It appears some applications require an SSL certificate associated with
> the private DNS zone, and this SSL certificate should come from a trusted,
> external certificate provider (cannot be self-signed).
The "trusted external" CA that issues the not-self-signed end-entity cert
can almost certainly (with appropriate configuration of the client app)
be a private CA that you create and provide to the SSL clients.
In which case the question below is moot.
> My questions are:
>
> a) Is this a known use-case? i.e private dns zones requiring non-self-signed
> certificates?
I usually use private CA certs for use on non-public networks.
> b) Since the DNS zone is not resolvable on the public internet,
> how would the certificate validation process occur for applications
> communicating with systems in the private zone ?
There is some prior history of public CAs issuing certificates for
private namespaces, but IIRC this practice is discouraged and going
away.
> c) Do SSL certificate providers issue trusted SSL certificates for private
> DNS zones?
It is not really possible for them to know that the names in question
are used in another "private" deployment elsewhere.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
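The private-CA route described in the reply above, as an added example that is not part of the original thread. It builds a private CA with the openssl CLI, issues an end-entity certificate for a host in a private zone, and then runs the same validation a correctly configured client would perform, alongside the two failing cases (wrong expected name; client left on its default public trust store). All names are assumptions: the private zone is taken to be "corp.example" and the application host "db.corp.example". The name constraint on the CA is an added hardening choice, not something the thread discusses.

```shell
#!/bin/sh
# Added example (not from the thread): private CA for a private DNS zone.
# Assumed names: zone "corp.example", application host "db.corp.example".
set -eu

command -v openssl >/dev/null || { echo "openssl CLI is required" >&2; exit 1; }

ZONE="corp.example"
HOST="db.${ZONE}"
WORK="${WORK:-$(mktemp -d)}"

# Self-contained config so nothing depends on the system openssl.cnf.
# The name constraint limits the CA to the private zone, so a leaked CA key
# cannot be used to mint certificates for names outside it.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:${ZONE}

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:${HOST}
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

build_pki() {
    write_config
    # Private CA: self-signed root, ten-year lifetime, EC P-256 key.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$WORK/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=corp.example Private CA" \
        -days 3650 -config "$WORK/openssl.cnf" -extensions v3_ca \
        -out "$WORK/ca.pem" 2>/dev/null
    # End-entity certificate; the SAN carries the private-zone hostname.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$WORK/server.key" 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "/CN=${HOST}" \
        -config "$WORK/openssl.cnf" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions v3_server \
        -out "$WORK/server.pem" 2>/dev/null
}

# What a correctly configured client does: trust anchor is the private CA and
# the expected name is the private-zone hostname. Exit status 0 on success.
verify_with_private_ca() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$HOST" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Same trust anchor, wrong expected name: must fail with a hostname mismatch.
verify_wrong_name() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "other.${ZONE}" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Client left on its default (public) trust store: must fail, which is why the
# client application has to be pointed at the private CA.
verify_with_default_store() {
    openssl verify -verify_hostname "$HOST" "$WORK/server.pem" >/dev/null 2>&1
}

build_pki
printf 'private CA, correct name : %s\n' "$(verify_with_private_ca    && echo ok || echo FAIL)"
printf 'private CA, wrong name   : %s\n' "$(verify_wrong_name         && echo ok || echo FAIL)"
printf 'default trust store      : %s\n' "$(verify_with_default_store && echo ok || echo FAIL)"
```

Pointing a client at ca.pem (for instance `curl --cacert ca.pem https://db.corp.example/`, or importing it into a Java truststore) gives it the behaviour of `verify_with_private_ca`; a client that only knows the public roots behaves like `verify_with_default_store` and rejects the certificate, regardless of how the DNS zone itself resolves.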