[openssl-users] Non-self-signed SSL certificates for private hosted DNS zones

Viktor Dukhovni openssl-users at dukhovni.org
Tue Mar 7 15:16:35 UTC 2017

> On Mar 7, 2017, at 2:21 AM, Traiano Welcome <traiano at gmail.com> wrote:
> I have a private DNS zone hosted on AWS route 53, only resolvable from
> within some specific VPCs.
> It appears some applications require an SSL certificate associated with
> the private DNS zone, and this SSL certificate should come from a trusted,
> external certificate provider (cannot be self-signed).

The "trusted external" CA that issues the not-self-signed end-entity cert
can almost certainly (with appropriate configuration of the client app)
be a private CA that you create and provide to the SSL clients.

In which case the question below is moot.

> My questions are:
> a) Is this a known use-case? i.e private dns zones requiring non-self-signed
> certificates?

I usually use private CA certs for use on non-public networks.

> b) Since the DNS zone is not resolvable on the public internet,
> how would the certificate validation process occur for applications
> communicating with systems in the private zone ?

There is some prior history of public CAs issuing certificates for
private namespaces, but IIRC this practice is discouraged and going

> c) Do SSL certificate providers issue trusted SSL certificates  for private DNS zones?

It is not really possible for them to know that the names in question
are used in another "private" deployment elsewhere.


More information about the openssl-users mailing list