wildcard certs and .local domains
Posted by plump-lamp@reddit | sysadmin | 46 comments
We have hundreds of devices from drac, ilo, ucs, storage appliance, printers, network devices that all have self signed certs managed by a very very small team. If our internal domain we use is a .local is there any real risk to using a wildcard cert and applying it to all these devices? Cert would be kept in our PAM and securely stored.
illicITparameters@reddit
.local ad forest is the universal sign a boomer was here.....
Blyatman95@reddit
I was admittedly taught by boomers and have never been told otherwise. Why not use .local? Why does it matter?
Not saying I’m right, just don’t understand the problem.
Iuzzolsa23@reddit
Nowadays .local is used by mDNS so you shouldn’t assign it to your AD domains.
Blyatman95@reddit
Thanks for the reply! I’m off to google what mDNS is.
Critical-King-7349@reddit
So what do you do with a domain that was created during that time, so many must still be out there.
.local was the way, and once the guidance changed it was way too late for many.
It's just not worth the effort to move for the benefit.
Roll out your own CA and wait until the cloud takes over.
Full azure join, maybe Entra one day 🤔
Iuzzolsa23@reddit
You can add a new UPN-Suffix in AD with the public TLD, change all user accounts and then use Entra Connect to merge it with Entra AD.
Or just keep them separate.
Critical-King-7349@reddit
We are 90% + cloud now.
MS made it nice and easy with the UPN changes for users.
It's just servers and computers that will always be .local, at least no more domain-joined computers for the last year.
The joys of legacy stuff.
Looking at all the nice SOA changes MS are making won't be long until it's going to be easy (ish) to move fully cloud.
Iuzzolsa23@reddit
Come on, man. I'm a Millennial and I was still told to use .local when starting in IT... (Microsoft recommended it until Windows Server 2008)
encbladexp@reddit
First you should avoid using .local, which should be used only for mDNS/Zeroconf/Avahi. Also you should not have a single wildcard cert deployed to all of your devices at the same time.
VineMan77@reddit
how do you move away if your DCs are .local ?
k1ll3rwabb1t@reddit
You need to make a new domain, set up a trust and migrate objects, or rename it. Which you can do, it's supported now but is a big bang vs slowly moving objects over a trust and then decom the old domain.
VineMan77@reddit
this is on my home lab - I've been wanting to play w. Server 2025 - so might be a good excuse to start
k1ll3rwabb1t@reddit
If it's your homelab I'd just do the DNS rename, anything that breaks let's you know what to look for in a prod environment.
VineMan77@reddit
I might just do the new domain - and migrate/trust so I can learn along the way.
Syde80@reddit
Have you ever had exchange installed on the domain? If "no" you might be able to use the domain name renaming tool if it still exists, you'll want to cross all your fingers and toes. If "yes" or you just don't want to roll the dice... You build a new domain, setup a trust and migrate the users and computers across.
I've done the second option once before, it was a smallish network and we did it because the previous person had built the domain on a public domain name that they didn't actually own. Even on a smallish network it was a lot to figure out and took a lot of planning and testing to have it go smoothly. It still wasn't hiccup free. I don't want to ever have to do it again, but it was worth it.
VineMan77@reddit
No never had exchange on it. I might do the second option - just to learn.
Arudinne@reddit
Yeah, tell that to the two domains I inherited that use .local.
AmiDeplorabilis@reddit
I feel your pain.
Arudinne@reddit
No pain at all, really. Everything works just fine.
Nothing in our environment uses mDNS/Zeroconf/Avahi.
The handful of Mac users, myself included are able to access things just fine.
The only issue I've come across is that Devolutions RDM doesn't really like it in more recent versions, but Royal TSX works just fine, so my team is switching to that.
AmiDeplorabilis@reddit
That sounds hopeful... I started managing a .local domain last year and am doing lots of cleanup, and that's one of my tasks/goals. No mDNS/Zeroconf/Avahi involved... maybe it'll be easier than I imagine, especially if I leave the name intact and only migrate from .local to .com, which doesn't match the website name though.
Nu11u5@reddit
It used to be the recommended domain suffix for Active Directory even before mDNS was a thing.
Entegy@reddit
I thought that had changed for Windows Server 2003?
thewunderbar@reddit
any Active Directory domain that's existed since the 90's or early 2000's is almost certainly a .local
thewunderbar@reddit
Funny story. Where I work now, it's .priv, because it's private.
Arudinne@reddit
As opposed to .private, which is actually reserved for such uses?
Syde80@reddit
Microsoft used to recommend using .local. In fact, SBS 2008/11 defaulted to a .local domain. Lots of places out there will still have this legacy config because it used to be considered best practice.
ofd227@reddit
I had one that also had 2 underscores in it. Fun fact underscores in domain names cause absolute hell.
thewunderbar@reddit
I'm so, so, sorry.
ofd227@reddit
I'm long gone from there. Last I knew they were still stuck in it. It had 2 underscores AND exceeded 15 characters. This was also a major facility. Like 1500 endpoints.
plump-lamp@reddit (OP)
You wanna change that for 1000+ users, hundreds of servers? Already understaffed, imagine spending over a year changing that because we "shouldn't" use it.
disposeable1200@reddit
Well good luck getting a public cert
Gonna have to roll your own CA which is such a pain
mike9874@reddit
I've worked in enough places to know this reply isn't talking about an actual issue.
Public certs on iLo/iDRAC/IPMI in a large commercial enterprise environment? Why?
Aversion to your own internal CA? That's a red flag, there are many benefits to it
plump-lamp@reddit (OP)
We have a public .com domain for web services. Works fine, entra even syncs from our .local domain users. Public certs are purchased from a provider
Lazy_Owl987@reddit
Tech debt alone makes one wildcard cert to rule them all a bad idea. Where is it deployed and who is using it etc...
ADynes@reddit
Literally just did this a month or so ago. Created a new web server certificate on our certificate authority with a 15-year default expiration. Created new requests for each device. Worked out great.
siedenburg2@reddit
You should at least use normal locally signed certs (local-only PKI) to get a cert per device, else you will decommission hardware later with your wildcard cert intact and that could be used to deploy a MITM service in your domain to get data etc.
plump-lamp@reddit (OP)
Genuine question: outline how, if we decommissioned some hardware with that cert still attached to, say, iLO, the person who comes into possession of it would be able to MITM with the .local off the network?
TheBlueFireKing@reddit
Get the certificate off the device. When the attacker is connected to your network, he can try to intercept and change any traffic between devices that use that wildcard certificate. You can do that by either playing DHCP server or DNS server on your network. You can also abuse older protocols like NetBIOS on Windows to trick Windows with just a typo.
E.g. he pretends to be server XY and can do so because he has the wildcard certificate to prove it. Now the target client connects to the attacker's server, which phishes a password, for example.
Yes there are several "if's". Security is about layers. But not everyone has a NAC system or other measure on every layer.
A certificate needs protection just like any password.
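The two points above (siedenburg2's "one cert per device from a local-only PKI" and TheBlueFireKing's "with the wildcard he can pretend to be server XY") can be shown with a few openssl commands. The script below is an added example written for this page, not code posted by anyone in the thread: it stands up a throwaway private CA, issues one wildcard leaf and one per-device leaf, and then asks openssl which hostnames each leaf is valid for. It assumes OpenSSL 1.1.1 or later (for `openssl verify -verify_hostname`); the names `corp.local`, `ilo-01`, `dc01` and `vcenter` are made up.

```shell
#!/bin/sh
# Added example (mine, not code from anyone in this thread).
# A throwaway private CA that issues one certificate per device, plus a check
# showing what a single wildcard buys an attacker who lifts it off a retired iLO.
# Assumes OpenSSL 1.1.1+ ("openssl verify -verify_hostname").
# "corp.local", "ilo-01", "dc01" and "vcenter" are made-up names.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR NAME: self-signed CA key and cert. The CA key is the thing to keep
# in the PAM; a device only ever holds its own leaf key.
make_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME [NAME...]: key + leaf cert for NAME with every NAME as a
# DNS SAN; prints the cert path. SAN/EKU come from an extfile the CA controls,
# so a requester cannot smuggle extra names or CA:TRUE in through the CSR.
issue_cert() {
  dir=$1; shift
  base=$dir/$(printf '%s' "$1" | tr '*' '_')
  sans=""
  for n in "$@"; do sans="${sans:+$sans,}DNS:$n"; done
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$base.key" -out "$base.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$sans" > "$base.ext"
  openssl x509 -req -in "$base.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$base.ext" -out "$base.pem" 2>/dev/null
  echo "$base.pem"
}

# valid_for CA CERT HOST: OK if CERT chains to CA and is valid for HOST, else FAIL
valid_for() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Demo: one CA, one wildcard leaf (the plan in the original post), one per-device leaf.
make_ca "$WORK" "Corp Device CA"
WILD=$(issue_cert "$WORK" '*.corp.local')
ILO=$(issue_cert "$WORK" ilo-01.corp.local)
for host in ilo-01.corp.local dc01.corp.local vcenter.corp.local a.b.corp.local; do
  printf '%-20s wildcard=%-4s per-device=%s\n' "$host" \
    "$(valid_for "$WORK/ca.pem" "$WILD" "$host")" \
    "$(valid_for "$WORK/ca.pem" "$ILO" "$host")"
done
```

The wildcard leaf validates for `dc01.corp.local` and `vcenter.corp.local` just as well as for the iLO it was pulled from (only `a.b.corp.local`, a second label deep, is refused), so whoever holds that key pair can impersonate every single-label host in the zone to any client that trusts the CA. The per-device leaf validates for `ilo-01.corp.local` only; losing it costs you one device's identity, and the CA key that could mint a replacement never left the PAM.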
siedenburg2@reddit
It's only theoretical, but if the wrong person buys/gets the decommissioned hardware, chances are that whatever information they get is either used, stored or sold for such activities.
The attacker needs to get your cert and into your systems, but sometimes if they have stuff like such a cert they try to get into the system because other stuff would be easier.
And if you have audits or insurance, they don't like to see that.
pv2b@reddit
Don't use wildcard certs. Even putting aside the obvious security implications, what's going to happen is that this wildcard certificate is going to expire, and when it does, you'll have no idea where your wildcard certificate is deployed.
Yes, this even applies if you make the certificate lifetime 5 or 10 years.
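Whether "no idea where it is deployed" (pv2b) or "you use it everywhere, so you know" (the original poster) is closer to the truth can be settled by asking the devices themselves. The script below is an added example written for this page, not code from anyone in the thread: it pulls the leaf certificate each listener presents, groups hosts by SHA-256 fingerprint, and checks how long each certificate has left. It assumes OpenSSL's `s_client` and `x509` are available; the host-list format (one `host[:port]` per line) and the names used are my own assumptions, and the sample certificate at the bottom is constructed on the fly so the parsing helpers can run offline.

```shell
#!/bin/sh
# Added example (mine, not code posted in this thread). Answers "where is this
# certificate actually deployed?" by asking each device which leaf it presents
# and grouping hosts by SHA-256 fingerprint, with an expiry check alongside.
# Assumes OpenSSL's s_client/x509. The host-list format (one host[:port] per
# line) and every name below are my own assumptions.
set -eu

# fetch_pem HOST PORT: leaf certificate a TLS listener presents, as PEM
# (prints nothing if the host is unreachable or does not speak TLS)
fetch_pem() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 2>/dev/null || true
}

# fingerprint: PEM on stdin -> SHA-256 fingerprint as 64 lowercase hex digits
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# not_after: PEM on stdin -> the notAfter date string
not_after() {
  openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# expires_within SECONDS: PEM on stdin -> yes/no
expires_within() {
  if openssl x509 -noout -checkend "$1" >/dev/null 2>&1; then echo no; else echo yes; fi
}

# inventory HOSTFILE: one line "fingerprint host notAfter" per reachable host,
# sorted so every host that presents the same certificate lands together
inventory() {
  while IFS=: read -r host port; do
    [ -n "$host" ] || continue
    pem=$(fetch_pem "$host" "${port:-443}")
    if [ -z "$pem" ]; then
      echo "UNREACHABLE $host"
      continue
    fi
    printf '%s %s %s\n' "$(printf '%s\n' "$pem" | fingerprint)" "$host" \
      "$(printf '%s\n' "$pem" | not_after)"
  done < "$1" | sort
}

# hosts_per_cert: inventory output on stdin -> "count fingerprint", busiest first.
# The fingerprint whose count matches your device estate is the wildcard.
hosts_per_cert() {
  awk '$1 != "UNREACHABLE" { n[$1]++ } END { for (f in n) print n[f], f }' | sort -rn
}

# Constructed sample so the helpers run offline: a throwaway self-signed cert
# that expires in one day (stand-in for a cert lifted from some device).
sample_pem() {
  cnf=$(mktemp)
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$cnf"
  openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=*.corp.local' -keyout /dev/null 2>/dev/null
  rm -f "$cnf"
}

SAMPLE=$(mktemp)
sample_pem > "$SAMPLE"
echo "fingerprint    : $(fingerprint < "$SAMPLE")"
echo "notAfter       : $(not_after < "$SAMPLE")"
echo "expires <30d   : $(expires_within 2592000 < "$SAMPLE")"

# Real use: sh inventory.sh hosts.txt   (one host[:port] per line)
if [ -n "${1:-}" ]; then
  inventory "$1"
  echo "--- hosts per certificate ---"
  inventory "$1" | hosts_per_cert
fi
```

Run it against the management VLAN from a host that can reach the BMCs; `openssl x509 -checkend` does the date arithmetic, so the same script dropped into cron with a 30-day window turns "the wildcard expired and we forgot about the SAN array" into a warning with a host list attached.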
Arudinne@reddit
I'm using a Let's Encrypt wildcard cert for my iDRACs. It's all automated.
One script keeps the cert up-to-date and uploads it to 1Password when it needs to be updated.
A second script checks the iDRACs and pulls it from 1Password as needed.
plump-lamp@reddit (OP)
If you use it everywhere... technically you know where it is deployed
After-Vacation-2146@reddit
Wildcard certs aren't best practice. If one gets popped, everything is popped. Set up an internal CA with TLD .internal, and issue certs that way. They can be long lived but make them separate.
mixduptransistor@reddit
other than not being publicly trusted and having to handle deploying CA root certs for your .local domain, nope, not really that big of a risk