What tools are available to obtain SSL certs from a CA for an isolated/airgapped system?

In the past, I have been able to leave the peculiarities of SSL certs to others, and mostly depend on self-signed certificates. That day has come to a close.

I need to step up and configure a secured but not airgapped (it can reach out, but nothing can reach in) cluster of servers built around RHEL/CentOS with validated SSL certs. There is no web server (nginx, apache, etc) on any of the machines, only internal application service invocations over SSL.

I have empirically confirmed that self-signed certificates are not accepted by the software.

All of the tools I have found so far require the server to be exposed (to the CA signing authority to confirm its authenticity I suppose), but by design we have no pathway from the outside world into the cluster being secured.

If it makes a difference, I am trying to obtain certs from zerossl.com. But I really don’t care where they come from.

My most recent attempt was this:

acme.sh --issue -d dev-9-myserver.mydomain.com --standalone --debug

The final output of the tool says status is pending, prior to timing out after 30 retries.

We cannot be the only people in the world who are applying SSL certificates to systems that are not exposed to the internet, so I’m looking for some direction.

What tools are available to obtain certs from a CA for an isolated/airgapped system?

Thank you in advance!

Asked By: pojo-guy


One possible way is to use so-called wildcard certificates. Such a certificate will work on all the machines in your domain (but not on subdomains). This certificate should be issued from a machine accessible via the internet (for validation) or via the web interface of the CA. You can use this page as reference (details depend on your CA).

P.S. As per the comment, the command used can be:

acme.sh --issue --dns dns_ionos -d '*.mydomain.com'
Answered By: Romeo Ninov
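An added example (not part of the question or the answer above) of the workflow the answer describes, split the way a practitioner would split it for a cluster that can only reach out: the private key and CSR are produced on the isolated host, only the CSR travels to the internet-facing machine where acme.sh performs DNS-01 validation, and the returned certificate is checked for hostname coverage before deployment. It assumes openssl is installed, reuses the question's placeholder names (mydomain.com, dev-9-myserver), and the dns_ionos hook and file paths are illustrative; the sign_csr_on_bastion function is the only one that needs a real CA and DNS credentials, so the offline checks never call it.

```shell
#!/bin/sh
# Added example, not from the question or answer. Assumes openssl (1.1.1+ for
# -addext). Domain and host names are the question's own placeholders; the
# acme.sh DNS hook (dns_ionos) and paths are illustrative assumptions.
set -eu

# Run on the isolated host: generate a key and CSR. Only the CSR (public data)
# is carried to the internet-facing machine; the key never leaves this host.
make_csr() {
  # $1 = output directory, $2 = DNS name to request (e.g. '*.mydomain.com')
  dir=$1; name=$2
  openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "$dir/site.key" -out "$dir/site.csr" \
    -subj "/CN=$name" -addext "subjectAltName=DNS:$name" >/dev/null 2>&1
  # Verify the CSR's own signature before shipping it out.
  openssl req -in "$dir/site.csr" -noout -verify >/dev/null 2>&1
}

# Run on the machine with outbound internet access (the only one the CA ever
# talks to): acme.sh validates via a DNS TXT record and signs the carried CSR.
# Not invoked by the offline checks below; it needs real DNS API credentials.
sign_csr_on_bastion() {
  # $1 = CSR file carried over from the isolated host
  acme.sh --signcsr --csr "$1" --dns dns_ionos
}

# Does a certificate actually cover a hostname? openssl applies the usual rule
# that a wildcard label matches exactly one DNS label, which is the "but not on
# subdomains" caveat from the answer. Returns 0 when the name is covered.
cert_covers_host() {
  # $1 = certificate PEM, $2 = hostname to check
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Build a throwaway self-signed wildcard certificate purely so the coverage
# check can be exercised offline; a CA-issued certificate is checked the same way.
make_demo_wildcard_cert() {
  # $1 = output directory; writes $1/wild.pem and $1/wild.key
  openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "$1/wild.key" -out "$1/wild.pem" -days 1 \
    -subj "/CN=*.mydomain.com" -addext "subjectAltName=DNS:*.mydomain.com" \
    >/dev/null 2>&1
}
```

Usage: on an internal node, make_csr /etc/pki/app '*.mydomain.com', copy site.csr to the bastion, run sign_csr_on_bastion there, then copy the issued PEM back and gate installation on cert_covers_host cert.pem dev-9-myserver.mydomain.com. Keeping the key on the internal host means the machine that is exposed to the CA and to the DNS provider's API holds nothing that would let it impersonate the cluster later.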