First a bit of background. I have developed a web application to run inside a business environment. For the purposes of this question let's say it is at domain pas.pas.local. It needs an SSL certificate, and until now I have created a certificate authority and got that to sign a certificate for pas.pas.local. The problem is the users have to install the certificate authority's certificate, and it's not an easy process to say the least.
So I have been thinking of using a trick that I have used at home before, namely I have purchased domain pasv5.org.uk and have pointed pas.pasv5.org.uk to an nginx server I have running in the cloud, and set up certbot to collect a new certificate from Let's Encrypt on a regular basis. I then use cron from the server inside the business, and ssh, to copy the certificates from my cloud server to its own key location internally.
The web server supporting this application will serve both pas.pasv5.org.uk with the same files, but with different SSL certificates.
I am not in charge of the DNS server inside the business, but I have made a request for them to alter the DNS so requests to pas.pasv5.org.uk are told its IP address is the IP address of the server (192.168.x.y). I do that at home for other domains and it works a treat. An internal server serves up with a valid SSL certificate, with a signature chain up to a known root.
However, there is a small problem which I don't have at home. Remote users (either other offices or staff working from home) connect into the clinic via a VPN. One solution to this (and I have already implemented it to prove it works) is to edit the Windows\system32\drivers\etc\hosts file to get it to respond to pas.pasv5.org.uk with the correct 192.168.x.y address. However, this is almost as bad as getting users to install the certificate authority certificate.
Is it possible to use proxy settings in the control panel to achieve the same thing?
Source: Windows Questions
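The cron-and-ssh copy step described in the question, as an added example that is not part of the original post: it checks the fetched certificate before installing it and keeps the private key readable by its owner only. The ssh account, the destination directory and the nginx reload are assumptions.

```shell
#!/bin/sh
# Added example: pull the Let's Encrypt files from the cloud host, check them, install them.
CLOUD="certsync@cloud.example"                    # assumption: ssh user@host of the cloud server
SRC_DIR="/etc/letsencrypt/live/pas.pasv5.org.uk"  # certbot's default live directory
DEST_DIR="/etc/nginx/tls"                         # assumption: internal key location
NAME="pas.pasv5.org.uk"

# Succeed only if CERT is valid for 7 more days, covers $NAME and matches KEY.
cert_ok() {  # usage: cert_ok CERT KEY
    openssl x509 -in "$1" -noout -checkend 604800 >/dev/null || return 1
    openssl x509 -in "$1" -noout -checkhost "$NAME" | grep -q "does match" || return 1
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# Replace DST with SRC atomically, owner-only access. Returns 1 if DST is already identical.
install_if_changed() {  # usage: install_if_changed SRC DST
    cmp -s "$1" "$2" && return 1
    tmp="$2.new.$$"
    ( umask 077; cp "$1" "$tmp" ) && mv -f "$tmp" "$2"
}

sync_certs() {
    stage=$(mktemp -d) || return 1
    trap 'rm -rf "$stage"' EXIT
    scp -q "$CLOUD:$SRC_DIR/fullchain.pem" "$CLOUD:$SRC_DIR/privkey.pem" "$stage/" || return 1
    cert_ok "$stage/fullchain.pem" "$stage/privkey.pem" || {
        echo "certificate rejected, keeping current files" >&2; return 1; }
    changed=0
    for f in fullchain.pem privkey.pem; do
        if install_if_changed "$stage/$f" "$DEST_DIR/$f"; then changed=1; fi
    done
    # Reload only when something changed (assumption: the internal server is nginx).
    [ "$changed" -eq 0 ] || nginx -s reload
}

# Run from cron as: sync-certs.sh --run
if [ "${1:-}" = "--run" ]; then sync_certs; fi
```

A failed fetch or a rejected certificate leaves the currently installed files untouched, so a problem on the cloud side does not break the internal site until the existing certificate itself expires.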