
238 points edent | 5 comments
1. thrower123 No.29809874
Is it that hard to set up an internal CA? I have no idea what I'm doing, and I managed one for years until we moved offices and ditched our LAN.
replies(2): >>29810066 #>>29812549 #
2. jeremyjh No.29810066
The hard part is getting the root certificate in the trust store on every device in your organization.
replies(2): >>29810796 #>>29812568 #
3. tzs No.29810796
Worse, it is often not the trust store on every device. It is often multiple trust stores on a device.

The OS might have one. Each browser might have its own. For a developer, each language they use might need separate configuration to get its libraries to use the certificate.

4. midasuni No.29812549
That should worry the hell out of you.

If you could install CAs only for a certain domain (default to the name constraints but actually set in the browser/OS) that would be fine, but installing a CA gives anyone with access to that CA the ability to make pretty much any valid cert, and your potential lack of security raises flags.
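
The name-constraint idea mentioned in comment 4, as an added example that is not part of the thread: a pure-Python sketch of dNSName subtree matching in the style of RFC 5280 section 4.2.1.10, comparing what an unconstrained root can vouch for with one limited to an internal domain. The domains are constructed sample values, and `in_subtree` and `ca_may_issue` are hypothetical helper names; only dNSName entries are covered.

```python
# Added illustration: dNSName name-constraint matching (RFC 5280, 4.2.1.10 style).
# All domain names below are constructed sample values.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def in_subtree(name, base):
    """True if `name` equals `base` or adds whole labels to its left-hand side."""
    n, b = _labels(name), _labels(base)
    # Compare label by label so "notcorp.example" does not match "corp.example".
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def ca_may_issue(san_dns_names, permitted=(), excluded=()):
    """Decide whether a CA with these dNSName constraints may vouch for a leaf.

    Returns (ok, reason). An empty `permitted` means the CA carries no permitted
    dNSName subtrees, so every name that is not excluded is acceptable.
    """
    for name in san_dns_names:
        # Excluded subtrees win over permitted ones.
        if any(in_subtree(name, e) for e in excluded):
            return False, f"{name} falls in an excluded subtree"
        if permitted and not any(in_subtree(name, p) for p in permitted):
            return False, f"{name} is outside every permitted subtree"
    return True, "all names acceptable"

if __name__ == "__main__":
    constrained = {"permitted": ("corp.example",), "excluded": ("vpn.corp.example",)}
    samples = (["wiki.corp.example"], ["login.bank.example"],
               ["notcorp.example"], ["gw.vpn.corp.example"])
    for sans in samples:
        print(sans)
        print("  constrained root:  ", ca_may_issue(sans, **constrained))
        print("  unconstrained root:", ca_may_issue(sans))
```
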

5. midasuni No.29812568
Active Directory for Windows, MDM for OSX and phones, custom package for Linux.