:: krowemoh

Friday | 13 DEC 2024
Posts Links Other About Now

previous
next

Local Domain with SSL

2023-07-12
sysadmin

The real reason I used dnsmasq was to get ssl certificates set up for my local network. This post will outline the logic of it as I haven't fully fleshed out my ideas yet.

SSL certificates can only be generated for named domains and part of the process is also proving ownership of that name. This is why we need to set DNS records with special keys, this proves ownership. Once we have proved that we own a domain, the certificate provider will sign a certificate with the verified name.

We can then take this certificate and key and use that on our server. In the normal case we would use it on a web server. If we visit that site with the verified name we can then get the https version of that site. However if the name doesn't match we will get a warning.

This means that we can generate an SSL certificate for any name we want and as long as we can prove we own it we can get a real ssl certificate for it.

We can then take this certificate and put it on a local only server. If we visit that server by IP, we will get a warning that the name does not match what is on the certificate.

This is where dnsmasq comes in, we can set up a name server on our local network that will hand out the server's ip when a specific name is used. Now if this name matches what we have already proven to own and generated a certificate for, we can then use our certificate on our local only machine.

This was a fun project to work through as all the pieces were things I knew but I didn't put them together until I saw someone mention it in a comment on HN. I think a single sentence triggered the entire thing which was quite amazing.

I have now got it working as a manual process, the next step would be to automate everything so that I don't have to worry about renewing and transfering certificates from one place to another.