
238 points | edent | 1 comment
imadethis No.29809315
This seems like a perfect use case for wildcard certs, especially if you have internal sites on a different (sub)domain from your prod servers. Yes, multiple servers have the same private key, but when the alternative is self-signed or no encryption, that is an easy trade-off for me.
replies(3): >>29809569 >>29811047 >>29812720
justusthane No.29809569
I don't know how LE does it, but at least with DigiCert (and I assume other commercial CAs), servers sharing the same wildcard cert don't have to share a private key. You generate a separate CSR from each server, and then request a duplicate copy of the wildcard cert using that CSR. That way they can have different SANs as well.
replies(2): >>29809759 >>29811861
zrail No.29809759
Wildcard certs are (only?) issued from DNS-01 challenges. As long as the requester can satisfy the DNS challenge ACME doesn't care about key uniqueness.
replies(2): >>29809856 >>29810793
Spooky23 No.29810793
With Digicert, you do a different API call “duplicate certificate” to avoid buying another cert unnecessarily.

I would consider it to be a best practice to keep unique keys as an SOP as it discourages bad behaviors, like keeping private keys accessible on file servers or even mail.
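The per-server CSR workflow justusthane describes, zrail's point that the CA only checks the DNS-01 challenge and not whether keys are unique, and Spooky23's unique-keys SOP, worked through as an added example (this is not code from the thread or from any CA's tooling). Each host generates its own key and a CSR for the same wildcard name; the CSR is what goes to the CA (DigiCert's duplicate-certificate request, or an ACME client that accepts an existing CSR, such as certbot's --csr option). The wildcard name `*.internal.example.com`, the host names, and the self-signing step standing in for the CA are all assumptions made for the example; a real CA signs with its own key but carries the CSR's public key into the certificate unchanged, which is why the SubjectPublicKeyInfo hash is a reliable way to spot hosts that share a key.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Each host generates its own key and a
# CSR for the same wildcard name; the check at the bottom flags hosts whose
# certificates share one public key. The wildcard name and host names are
# assumptions chosen for the example.
set -euo pipefail

WILDCARD="*.internal.example.com"   # assumed wildcard name
WORKDIR="$(mktemp -d)"              # stands in for each host's local key store

# make_csr HOST: create a P-256 private key that stays on HOST and a CSR for the
# wildcard name plus HOST's own name. The CSR is what you hand to the CA.
make_csr() {
  local host="$1"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" \
    -subj "/CN=$WILDCARD" \
    -addext "subjectAltName=DNS:$WILDCARD,DNS:$host.internal.example.com" \
    2>/dev/null
  echo "$WORKDIR/$host.csr"
}

# sign_csr HOST: stand-in for the CA (assumption for the example). The CSR is
# self-signed here only so the check below has an X.509 file to read; a real CA
# signs with its own key but keeps the CSR's public key unchanged.
sign_csr() {
  local host="$1"
  openssl x509 -req -in "$WORKDIR/$host.csr" -signkey "$WORKDIR/$host.key" \
    -days 30 -out "$WORKDIR/$host.crt" 2>/dev/null
  echo "$WORKDIR/$host.crt"
}

# spki_hash FILE: SHA-256 of the DER SubjectPublicKeyInfo in a CSR (.csr),
# private key (.key) or certificate (anything else). Same hash = same key pair.
spki_hash() {
  local file="$1"
  case "$file" in
    *.csr) openssl req  -in "$file" -pubkey -noout ;;
    *.key) openssl pkey -in "$file" -pubout ;;
    *)     openssl x509 -in "$file" -pubkey -noout ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# key_match A B: true when A and B (any mix of csr/key/cert) hold the same public key.
key_match() {
  [ "$(spki_hash "$1")" = "$(spki_hash "$2")" ]
}

# count_distinct_keys FILE...: how many different key pairs the files represent.
# For a fleet of N hosts this should equal N; anything lower means a shared key.
count_distinct_keys() {
  local f
  for f in "$@"; do spki_hash "$f"; done | sort -u | wc -l | tr -d ' '
}

demo() {
  local h hosts="wiki01 git01 ci01"
  for h in $hosts; do make_csr "$h" >/dev/null; sign_csr "$h" >/dev/null; done
  for h in $hosts; do printf '%-7s %s\n' "$h" "$(spki_hash "$WORKDIR/$h.crt")"; done
  echo "hosts: 3, distinct keys: $(count_distinct_keys "$WORKDIR"/*.crt)"
}

demo
```

Run the count over the certificates actually deployed (pulled from each host's TLS config) rather than over CSRs: a number lower than the host count means a key was copied around, which is exactly the behaviour the unique-keys SOP is meant to discourage. The same `spki_hash` comparison also tells you, before you pay for or request a duplicate, whether a CSR really belongs to the key on the host that will serve it.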