Description:
The current implementation of Onyxia uses wildcard domains (e.g., *.datalab.fr) to expose services. However, this approach conflicts with ANSSI (Agence nationale de la sécurité des systèmes d'information) guidelines, which prohibit government-approved Certificate Authorities (CAs) from issuing wildcard certificates.
As a result, it is not possible to deploy Onyxia with official French government URLs, since those CAs no longer provide wildcard certificates.
Reference: anssi-fondamentaux-securisation-acme-v1-0.pdf, page 15
Proposed Solution:
To ensure compatibility with ANSSI-compliant environments, it would be beneficial to introduce a mechanism that proxies the traffic internally. This would remove the need for wildcard certificates and allow services to be exposed under individually named subdomains or paths, in accordance with CA policies.