
How to set up certificate architecture for on-premise server-client application

Çağlar Arlı

We are currently shipping a product to our customers that is server-client based, running on Windows Server 2016 (server) and Windows 10 (clients). The server is installed on-premise in our customer's infrastructure. We are always installing the server in our customer's network for our customer, but it runs on the HW from our customer and is also officially operated by him. The clients are installed by our customer.

We are using certificates to secure the traffic between server and client. The customer can choose to use their own certificates, or we create a self-signed certificate when we install the solution on site.

I would like to improve the situation and provide a solution that works seamlessly for all customers. Currently the customers that don't want to take care of their own certificates get a self-signed certificate that is generated by our installation team. However, in order to not have a problem with man-in-the-middle attacks, our customer now would need to bring this certificate to all client PCs and install the server's certificate when installing our client application. Since the self-signed certificate cannot prove that it is coming from the server that I actually want to talk to, I need to bring the certificate to the client. For me this feels like having a one-time password and passing it to the second communication partner to make sure that I am talking to the right person/party.

Is there a better way?

I would be willing to pay money to issue a certificate for each of our servers that is operated on-premise inside of the customer's network. But since it's not in our network, I guess that we would have a problem with the FQDN, as I cannot sign up for a server with a FQDN inside of my customer's network which is hosted by my customer. In my mind I am comparing the user experience of our solution with a web service. Nobody wants to think about certificates when connecting to a webpage. The webpage provider should take care of that. Of course he does that by requesting a certificate from a CA which is trusted by the customer and/or the operating system which runs the server. Also our customer doesn't want to think about certificates; he wants us to handle this. Any ideas?

Thanks in advance

J.
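The trust problem described in the question, as an added illustration that is not part of the original post or of the product it describes. It contrasts the current model (a self-signed server certificate that only verifies if a copy is pinned on every client) with a vendor-operated private CA: the client installer ships one root certificate, each on-premise server gets a leaf issued for its internal FQDN, and the client's normal chain validation plus hostname check does the rest. A public CA cannot issue for a name it cannot validate, but a private root can, which is why this model also covers the FQDN concern in the question. The vendor name, the host names `appserver.customer.internal` and `appserver.second-customer.internal`, and all functions here are assumptions made for the demonstration; the code uses only Go's standard `crypto/x509` package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed names for the demonstration; the real product, customer network
// and host names are not given in the post.
const (
	vendorRootCN = "Example Vendor Product Root CA (demo)"
	serverFQDN   = "appserver.customer.internal"
	otherFQDN    = "appserver.second-customer.internal"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return key
}

// newSerial returns a random 127-bit positive serial number.
func newSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	return n
}

// sign creates a certificate from tmpl, signed by parent/parentKey, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// NewRootCA creates the vendor's self-signed root. In the private-CA model the
// private key stays with the vendor (offline or in an HSM); only the certificate
// is distributed with the client installer.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: vendorRootCN},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// serverTemplate is a TLS server leaf for one on-premise host name.
func serverTemplate(fqdn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: newSerial(),
		Subject:      pkix.Name{CommonName: fqdn},
		DNSNames:     []string{fqdn}, // checked against the name the client dialled
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// IssueServerCert is what the vendor would do per installation: sign a leaf for
// the customer's internal FQDN with the vendor root.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, fqdn string) *x509.Certificate {
	key := newKey()
	return sign(serverTemplate(fqdn), ca, &key.PublicKey, caKey)
}

// NewSelfSignedServerCert mirrors today's on-site installation: the server
// certificate is signed by its own key, so nothing but a pinned copy vouches for it.
func NewSelfSignedServerCert(fqdn string) *x509.Certificate {
	key := newKey()
	tmpl := serverTemplate(fqdn)
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// ClientVerifies is the client-side check at connect time: build a chain from the
// presented certificate to one of the trust anchors the client has, and confirm
// the certificate is valid for the host name that was dialled.
func ClientVerifies(server *x509.Certificate, dialedHost string, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // empty pool, never the OS store, so results are deterministic
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dialedHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	root, rootKey := NewRootCA()
	issued := IssueServerCert(root, rootKey, serverFQDN)
	second := IssueServerCert(root, rootKey, otherFQDN)
	selfSigned := NewSelfSignedServerCert(serverFQDN)
	impostor := NewSelfSignedServerCert(serverFQDN) // same name, unrelated key

	fmt.Println("issued leaf, client has vendor root:      ", ClientVerifies(issued, serverFQDN, root))
	fmt.Println("second site, same single root:            ", ClientVerifies(second, otherFQDN, root))
	fmt.Println("issued leaf, wrong host name:             ", ClientVerifies(issued, otherFQDN, root))
	fmt.Println("self-signed, client has only vendor root: ", ClientVerifies(selfSigned, serverFQDN, root))
	fmt.Println("self-signed, copy pinned on client:       ", ClientVerifies(selfSigned, serverFQDN, selfSigned))
	fmt.Println("impostor for same name, vendor root:      ", ClientVerifies(impostor, serverFQDN, root))
}
```

The last two lines of `main` are the whole argument: with the self-signed scheme, trust exists only where the installer copied that exact certificate, so every new server means another file to distribute; with the vendor root, one anchor shipped in the client installer validates every on-premise server the vendor issues for, and a certificate that merely carries the same host name but was not issued by that root fails the check. What the model does not remove is the need to protect the root key and to plan for revocation or short leaf lifetimes, since the vendor, not the customer, now controls which hosts the clients trust.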