
238 points edent | 3 comments
meepmorp ◴[] No.29809113[source]
I've used https://smallstep.com/docs/step-ca/ as a CA internally, works well.
replies(4): >>29809289 #>>29809335 #>>29810148 #>>29811399 #
mrweasel ◴[] No.29809289[source]
What I'd want is an internal CA, like step-ca, but have the certificates signed by a "real" CA, so I don't have to distribute my own root CA certificate.
replies(7): >>29809419 #>>29809851 #>>29809903 #>>29810475 #>>29810488 #>>29811401 #>>29812390 #
1. filleokus ◴[] No.29809419[source]
The dream would truly be an internal CA backed by a publicly trusted subordinate cert (limited to the domain you control). But afaik that can’t happen until the Name Constraint Extension is enforced by “all” clients.
replies(2): >>29809476 #>>29811436 #
2. ◴[] No.29809476[source]
3. throw0101a ◴[] No.29811436[source]
> But afaik that can’t happen until the Name Constraint Extension is enforced by “all” clients.

For those curious about this extension, see RFC 5280 § 4.2.1.10:

* https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10
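The enforcement gap filleokus and throw0101a are talking about is on the client side: a subordinate CA certificate can carry the Name Constraints extension, but it only protects anyone if the validator actually applies it. The following is an added example, not code from this thread or from step-ca, that implements the dNSName matching rule of RFC 5280 § 4.2.1.10 as a path validator would: a name satisfies a permitted subtree when it equals the constraint or adds labels to its left, an excluded subtree wins over any permitted one, and every CA in the path contributes its own constraints. The domain names and chain used in the demo are constructed for illustration.

```python
"""
dNSName name-constraint checking per RFC 5280 section 4.2.1.10.
Added example; not from the thread, step-ca or any real validator.
Inputs are plain strings rather than parsed X.509 structures so it runs offline.
"""
from typing import List, Optional, Sequence, Tuple


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.lower().rstrip(".")


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a dNSName matches a constraint when it is identical to it or
    can be built by adding one or more labels on the left. So
    'www.host.example.com' satisfies 'host.example.com', 'host1.example.com'
    does not. (A leading-dot form such as '.example.com' is not defined for
    dNSName in RFC 5280 and is deliberately not special-cased here.)"""
    name, subtree = _normalize(name), _normalize(subtree)
    if subtree == "":
        return True  # an empty dNSName constraint matches every name
    return name == subtree or name.endswith("." + subtree)


def dns_name_allowed(name: str, permitted: Sequence[str], excluded: Sequence[str]) -> bool:
    """Apply one CA certificate's permitted/excluded dNSName subtrees."""
    # excludedSubtrees apply regardless of anything in permittedSubtrees.
    if any(dns_in_subtree(name, s) for s in excluded):
        return False
    # With no permittedSubtrees entry for dNSName, every name is permitted.
    if not permitted:
        return True
    return any(dns_in_subtree(name, s) for s in permitted)


def chain_allows(
    leaf_dns_names: Sequence[str],
    ca_constraints: Sequence[Tuple[Sequence[str], Sequence[str]]],
) -> Tuple[bool, Optional[str]]:
    """ca_constraints holds one (permitted, excluded) pair per CA certificate in
    the path. Constraints from every CA apply cumulatively, so each SAN dNSName
    in the leaf must satisfy each CA in turn. Returns (ok, first_rejected_name)."""
    for name in leaf_dns_names:
        for permitted, excluded in ca_constraints:
            if not dns_name_allowed(name, permitted, excluded):
                return False, name
    return True, None


# Constructed scenario from the thread: a publicly trusted root (unconstrained)
# issues an internal subordinate CA limited to corp.example.
CONSTRUCTED_CHAIN: List[Tuple[List[str], List[str]]] = [
    ([], []),                 # public root: no constraints
    (["corp.example"], []),   # internal subordinate: permittedSubtrees dNSName=corp.example
]


def demo() -> List[Tuple[List[str], bool, Optional[str]]]:
    """Run a few constructed leaf SAN sets through the chain and collect results."""
    cases = [
        ["intranet.corp.example", "Mail.CORP.example"],  # in scope, mixed case
        ["corp.example"],                                 # the constraint name itself
        ["notcorp.example"],                              # label-boundary trap
        ["intranet.corp.example", "login.example.net"],   # one name out of scope
    ]
    return [(sans, *chain_allows(sans, CONSTRUCTED_CHAIN)) for sans in cases]


if __name__ == "__main__":
    for sans, ok, bad in demo():
        verdict = "accept" if ok else f"reject ({bad} outside constraints)"
        print(f"{sans}: {verdict}")
```

A client that skips this step will accept a leaf for any name the constrained subordinate signs, which is exactly why a publicly trusted, domain-limited intermediate is not something a public CA can hand out today: the constraint is only as strong as the least careful validator that sees the chain.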