2

Curious to know the security implications and potential risks involved with getting a CA signed cert for localdev.mydomain.com, and issuing it to all the developers who might need to spin up a local SSL server.

Since the key will likely see wide internal distribution, there's a fair chance it could escape into the wild. If so, what could it be used for?

The attack vectors described here, I think, don't apply to local development.

Another potential concern is a malicious party using it on the public internet, but since *.mydomain.com is already owned, said party could not create a website at localdev.mydomain.com - effectively rendering the key useless to them. Yes?

Community
  • 1
Tinclon
  • 121
  • 1
  • Usually this type of thing (certs for development urls) is handled by an internal CA and that root cert is installed on developer's machines. Doing so is usually quicker, easier, and cheaper than getting a cert from a public CA. And if it is mishandled (someone bad gets it and uses it for an attack) the general public won't be at risk and you can revoke it as soon as you find out that its compromised. – Owen Jul 31 '15 at 16:05
  • 1
    Similar, but quite quite the same as [What are the risks of a localhost signed cerificate?](http://security.stackexchange.com/q/35033/12). – Xander Jul 31 '15 at 16:05
  • Though the internal CA works, installing the root cert on each machine is more of a pain than just checking a CA-signed cert into the repo to live with the code. Also, if trying to get, say, a local node server to talk to a local tomcat server, each server may have its own trust chain (independent of the OS), and so the root cert of the internal CA would have to also be installed in each trust store - also much more painful than just getting a CA-signed cert. – Tinclon Jul 31 '15 at 19:48

0 Answers0