
TLS certificates on a network drive/storage

Çağlar Arlı

For educational purposes, I am assembling a private network to act as a small sized company using BIND9 and OpenLDAP on FreeBSD 14.1 machines.

The private network's DNS servers, NS1 on 172.21.0.20 and NS2 on 172.21.0.10, map the internal domains used by client machines (registered for operation) to locate targeted services, e.g. ldap.edu.com (residing on 172.21.1.100).

Now that the LDAP authentication and DNS services are running, I am facing the issue of unencrypted traffic within the private network itself! So the next step is to implement the use of encrypted DNS and an encrypted LDAP connection. I also know that private keys never leave the machines on which they were generated, so I create a TLS certificate on my master DNS machine and another one on my LDAP machine, which I need to hand over to the clients!

However, imagine I had to manage 250 client machines at this point. It would be very stressful to rsync/hand over newly issued certificates, especially each time shortly before the old certificate expires... Unfortunately, FreeBSD and FOSS in general do not offer great synchronisation utilities for such cases, as far as I am aware. Creating an rsync cronjob would require me to leave a password somewhere in a script file, a bad idea!

So I wonder and ask myself, with the background information given above: would it be fine to store the certificates required for each service (DNS & LDAP) on a network storage/drive to which each client machine has access, or would that be a major security risk?

I am very curious about your viewpoints and thank you for your answers in advance!
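Added example, not part of the original question or of any answer on the page: a shell walkthrough with openssl(1) of the split the question is really about. The service's private key and certificate are generated on the LDAP host and never copied; what every client needs is only the CA's public certificate, which can sit on the shared drive as long as each client checks its pinned SHA-256 fingerprint before trusting it (the share gives you availability, the pin gives you integrity). The CA name, hostnames, paths and the temporary directories are assumptions for illustration; the extension file is constructed inline.

```shell
#!/bin/sh
# Added example (not code from the original question): a private CA whose
# public certificate is all the clients need. Private keys stay on the host
# that generated them; only ca.crt goes on the shared drive, and the client
# checks its SHA-256 fingerprint (pinned out of band) before trusting it.
# Assumes openssl(1) >= 1.1.1; every path and name below is illustrative.
set -eu

WORK=$(mktemp -d)
SHARE="$WORK/share"       # stands in for the network drive every client can read
CA="$WORK/ca-host"        # the CA private key never leaves here
LDAP="$WORK/ldap-host"    # the service private key never leaves here
mkdir -p "$SHARE" "$CA" "$LDAP"

# CA host: self-signed root (default req -x509 extensions mark it CA:TRUE).
# Nothing in $CA is copied anywhere except ca.crt, the public half.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout "$CA/ca.key" -out "$CA/ca.crt" \
  -subj "/CN=edu.com internal CA" >/dev/null 2>&1

# LDAP host: key pair and CSR generated locally; only the CSR travels to the CA.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$LDAP/ldap.key" -out "$LDAP/ldap.csr" \
  -subj "/CN=ldap.edu.com" >/dev/null 2>&1

# CA host signs the CSR, adding the SAN that clients match against and a
# server-auth EKU (constructed extension file, hypothetical values).
printf 'subjectAltName=DNS:ldap.edu.com\nextendedKeyUsage=serverAuth\n' > "$CA/ldap.ext"
openssl x509 -req -in "$LDAP/ldap.csr" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
  -CAcreateserial -days 365 -extfile "$CA/ldap.ext" \
  -out "$LDAP/ldap.crt" >/dev/null 2>&1

# Publish only the public CA certificate to the share and record its
# fingerprint on the CA host. The fingerprint, not the file, is what gets
# delivered out of band (provisioning image, config management, a phone call).
cp "$CA/ca.crt" "$SHARE/ca.crt"
PINNED_FP=$(openssl x509 -in "$CA/ca.crt" -noout -fingerprint -sha256 | cut -d= -f2)

# Client side: trust a CA certificate from the share only if it matches the pin.
# Usage: fetch_ca <path-on-share> <pinned-fingerprint>; exit status 0 on match.
fetch_ca() {
  got=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  [ "$got" = "$2" ]
}

# Client side: does the service certificate chain to the pinned CA, carry a
# server-auth purpose, and name the host we are about to connect to?
# Usage: verify_server <ca-cert> <server-cert> <hostname>; exit status 0 if valid.
verify_server() {
  openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" >/dev/null 2>&1
}

if fetch_ca "$SHARE/ca.crt" "$PINNED_FP" && verify_server "$SHARE/ca.crt" "$LDAP/ldap.crt" ldap.edu.com; then
  echo "client: CA pin matches and the ldap.edu.com certificate verifies"
fi
```

The operational payoff is in the rotation case the question worries about: when ldap.crt or the DNS server's certificate is re-issued from the same CA before it expires, nothing on the share changes and no client needs a new file; only a CA rollover requires a fresh ca.crt on the share plus a new pinned fingerprint delivered out of band. The same fetch_ca check is what catches someone with write access to the share swapping in their own CA.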