(shkspr.mobi)

238 points edent | 1 comments | 05 Jan 22 12:42 UTC | HN request time: 0.203s | source

Show context

meepmorp ◴[05 Jan 22 14:11 UTC] No.29809113[source]▶

I've used https://smallstep.com/docs/step-ca/ as a CA internally, works well.

replies(4): >>29809289 #>>29809335 #>>29810148 #>>29811399 #

mrweasel ◴[05 Jan 22 14:25 UTC] No.29809289[source]▶

What I'd want is an internal CA, like step-ca, but have the certificates signed by a "real" CA, so I don't have to distribute my own root CA certificate.

replies(7): >>29809419 #>>29809851 #>>29809903 #>>29810475 #>>29810488 #>>29811401 #>>29812390 #

filleokus ◴[05 Jan 22 14:34 UTC] No.29809419[source]▶

>>29809289 #

The dream would truly be an internal CA backed by a publicly trusted subordinate cert (limited to the domain you control). But afaik that can’t happen until the Name Constraint Extension is enforced by “all” clients.

replies(2): >>29809476 #>>29811436 #

1. ◴[05 Jan 22 14:38 UTC] No.29809476[source]▶

>>29809419 #

↑

Should you use Let's Encrypt for internal hostnames?