←back to thread

Should you use Let's Encrypt for internal hostnames?

(shkspr.mobi)
238 points edent | 4 comments | 05 Jan 22 12:42 UTC | HN request time: 0.007s | source
Show context
tomc1985 ◴[05 Jan 22 16:05 UTC] No.29810658[source]
Why not just be your own signing authority for internal domains? You can propagate your toplevel public cert with most enterprise network provisioning tools.
replies(2): >>29810766 #>>29811122 #
YPPH ◴[05 Jan 22 16:11 UTC] No.29810766[source]
Running your own PKI is fairly straightforward, particularly with tools like cfssl at your disposal.

But running your own PKI properly is quite hard.

Let's Encrypt gives you top tier PKI management for $0.

replies(3): >>29810878 #>>29811090 #>>29815154 #
1. justin_oaks ◴[05 Jan 22 16:17 UTC] No.29810878[source]
How do you define "properly"? What are some of the things someone can do wrong that Let's Encrypt does correctly?
replies(1): >>29811009 #
2. YPPH ◴[05 Jan 22 16:26 UTC] No.29811009[source]
Root certificate stored on offline HSM and intermediates on secure infrastructure. FIPS compliance. (Relatively) reliable revocation services. [See note 0]

The result is security of issuance, that is near complete confidence that certificates will only be used for controlled domains (not necessary if you want to MITM of course).

Also, ACME is generally easier and more reliable than other certificate rollover processes I've seen. I'm not sure if there's in-house PKI tools supporting it?

Depends on your organisation size though. Maybe your in-house PKI is fine, but it's not for everyone!

[Note 0] Revocation is of course a mess. Let's Encrypt isn't without fault either, particularly when used internally, since OCSP responders will need to be accessible from client devices.

replies(1): >>29811200 #
3. Spivak ◴[05 Jan 22 16:37 UTC] No.29811200[source]
I mean sure but an org doesn’t really need that much security. If you’re not taking that much care with your API keys and db passwords then you probably don’t need it for certs either. Keep your root CA offline and in an air gapped backup, issue team specific intermediates with med length and keep your endpoint certs short.

You need as much security on your CA as the accounts in your org with the authority to replace them with your provisioning tools.

replies(1): >>29813208 #
4. ratorx ◴[05 Jan 22 18:49 UTC] No.29813208{3}[source]
That reasoning goes back around. If you don’t need that much security and are fine with exposing internal hostnames via CT logs, then Let’s Encrypt can be nicer (no internal CA to maintain).

It’s just that very specific bit in the middle, where you don’t want to expose the internal hostnames but don’t need top-tier security where having a private CA is worthwhile (assuming outbound internet connectivity to Lets Encrypt is allowed).