Best practices for TLS certificate management on internal services
A technical guide on best practices for managing TLS certificates for internal services. The article argues against using self-signed certificates (which cause browser errors and headaches) and instead recommends using a public CA (like Let's Encrypt) with DNS-01 challenges for internal services, combined with proper domain management using either ICANN-restricted private TLDs (like .internal) or owned public apex domains. It walks through practical setup examples for services like Grafana, covering DNS configuration, certificate issuance, and automation to avoid common pitfalls.
Key quotes
Let's start with a simple example — we have a server which hosts bunch of HTTP services.
We use top-level domain restricted by ICANN for private use — e.g. .internal.
We use a public apex domain that we own — e.g. tuxnet.dev
From the article
You might also wanna read

SSL/TLS - Manage mTLS and BYO CA certificates from the Cloudflare dashboard

Hyperdrive - Hyperdrive now supports custom TLS/SSL certificates
How HTTPS and TLS Handshakes Actually Work: Understanding Certificate Validation, Cipher Negotiation, and Common Security Pitfalls
This article explains how HTTPS and TLS actually work under the hood, debunking common misconceptions about the padlock icon and browser sec
undercodetesting.com·23d agoHow Observability, Short-Lived Credentials, and Enforcement Saved the Web's Certificate Trust Model
This article examines how the web's Certificate Authority (CA) trust model has survived over a decade of security breaches, misissued certif
Large-Scale Study Finds 0% Adoption of Post-Quantum Certificates Across 32,011 Domains
This research paper presents a large-scale empirical evaluation of post-quantum readiness across 32,011 domains, focusing on real-world TLS


Comments
Sign in to join the conversation.
No comments yet. Be the first.