(shkspr.mobi)

238 points edent | 1 comments | 05 Jan 22 12:42 UTC | HN request time: 0.403s | source

Show context

meepmorp ◴[05 Jan 22 14:11 UTC] No.29809113[source]▶

I've used https://smallstep.com/docs/step-ca/ as a CA internally, works well.

replies(4): >>29809289 #>>29809335 #>>29810148 #>>29811399 #

mrweasel ◴[05 Jan 22 14:25 UTC] No.29809289[source]▶

What I'd want is an internal CA, like step-ca, but have the certificates signed by a "real" CA, so I don't have to distribute my own root CA certificate.

replies(7): >>29809419 #>>29809851 #>>29809903 #>>29810475 #>>29810488 #>>29811401 #>>29812390 #

1. dsr_ ◴[05 Jan 22 15:12 UTC] No.29809903[source]▶

>>29809289 #

That would be a violation of the real CA's duty to only sign certs that they have some basis for believing are correct. (This basis almost always boils down to "controls the DNS".)

↑

Should you use Let's Encrypt for internal hostnames?