App Architectuture - SubDomains and certificates RRS feed

  • Question

  • Hi,

    I received a wildcard certificate for "*.myCompany.com".

    The production environment has a DC with domain myCompany.com

    The QA environment has a DC with domain myQAEnv

    In the QA environment, I have a webserver I need to expose to the internet and use the wildcard certificate to enable HTTPS. The webserver IP address is in the form 10.x.x.x which I think is a private address.

    I'm a developer, so I have have some doubts on this:

    -The wildcard certificate is issued to a DNS domain and has nothing to do with the internal organization DC domain name, wright?

    -Can I use that wildcard certificate "*.myCompany.com" to secure my QA webserver as long as I have the webserver with a public IP address corresponding to a DNS name in the form xxx.mycompany.com?

    -How to know if  the domain "myQAEnv" is a separate domain or is under a forest? I mean, how to know if it is internally a subdomain of myCompany.com?

    -What is the best way to secure communications between my QA webserver and my QA BackOffice server (API server)? I mean have the frontend server submit https calls to the BackOffice server ? Can I use my wildcard certificate to secure the communication between both servers or must I have other kind of certificate?

    -What about a mobile App, can I enable it to call my BackOffice server (API server) directly or should I force it to submit calls to the frontend server which will forward the call to the API server?

    Thank you so much,


    Wednesday, June 28, 2017 8:59 AM

All replies

  • I'll offer my view.

    If your QA Server is not accessed from a 'public' endpoint then use your own self-issued certs to test https. 

    WRT backoffice, I would consider two arguments. HTTPS is slower, but if security is you main concern then it makes sense to secure that too. However, it also makes sense to use a separate cert to the one used on the public endpoint. If the public machine is breached in some fashion, then it will provide another layer of access security. It's not foolproof so I wouldn't be complacent but it it's a help. 


    Thursday, June 29, 2017 6:37 AM