
Is it a good idea to reuse certificate issued by public CA for internal database client authentication?

Çağlar Arlı


Let's say we have:

  1. Publicly available HTTPS API (e.g. api.example.com). The web server that runs it uses a certificate from a publicly trusted CA (e.g. Let's Encrypt) with both server auth and client auth usages.
  2. A database using mutual TLS to authenticate itself and clients (and encrypt communication, obviously).

The API web server needs to authenticate to the database. We can create and manage a private PKI to issue certificates for database client authentication, but that's a hassle. What's stopping us from configuring the database to trust Let's Encrypt for client verification, adding a user with common name = api.example.com and reusing the api.example.com server certificate to authenticate as a client to the database (the certificate has client authentication in extended usages)?

Are there any drawbacks to this scheme? Would we be compromising security in any way? The only problem I see is that if an attacker has gained access to alter DNS records, he can obtain a certificate for api.example.com and therefore have valid credentials to authenticate to the database. Still, certificate issuance will be noticed (thanks to certificate transparency) and an attacker would need to gain network access to the database (it's not publicly exposed).