←back to thread

Should you use Let's Encrypt for internal hostnames?

(shkspr.mobi)
238 points edent | 2 comments | 05 Jan 22 12:42 UTC | HN request time: 0s | source
Show context
tomc1985 ◴[05 Jan 22 16:05 UTC] No.29810658[source]
Why not just be your own signing authority for internal domains? You can propagate your toplevel public cert with most enterprise network provisioning tools.
replies(2): >>29810766 #>>29811122 #
YPPH ◴[05 Jan 22 16:11 UTC] No.29810766[source]
Running your own PKI is fairly straightforward, particularly with tools like cfssl at your disposal.

But running your own PKI properly is quite hard.

Let's Encrypt gives you top tier PKI management for $0.

replies(3): >>29810878 #>>29811090 #>>29815154 #
silvestrov ◴[05 Jan 22 16:31 UTC] No.29811090[source]
A business case for Let's Encrypt is to support internal hosts which are not visible on the internet (Let's Encrypt can check that) and omit the hostnames from the Certificate Transparency Logs.

Let a business pay $100/year for 10 internal hostnames.

replies(1): >>29811457 #
1. cmeacham98 ◴[05 Jan 22 16:55 UTC] No.29811457[source]
I'm fairly certain LE is required to emit signed certificates to CT by the CA/B forum baseline requirements, with no "internal only" exception.

In other words, if they do this they will be untrusted in browsers. They could offer this service on a secondary untrusted root if they wanted.

replies(1): >>29813785 #
2. jopsen ◴[05 Jan 22 19:35 UTC] No.29813785[source]
They could augment the CT spec, such that only a hash of the domain needs to be made public.

Would be a great way to found LE :)