
238 points edent | 2 comments
imadethis ◴[] No.29809315[source]
This seems like a perfect use case for wild card certs, especially if you have internal sites on a different (sub)domain from your prod servers. Yes, multiple servers have the same private key, but when the alternative is self-signed or no encryption, that is an easy trade-off for me.
replies(3): >>29809569 #>>29811047 #>>29812720 #
silvestrov ◴[] No.29811047[source]
> perfect use case for wild card certs

I don't like distributing wild card certs as you then have a bigger problem if the cert is leaked.

When the cert is host-specific you immediately know where the leak comes from and the scope of the leak is restricted.

replies(1): >>29812331 #
1. sigjuice ◴[] No.29812331[source]
Yes, the scope of the leak would be limited. But if a privkey.pem file from one of the hosts of my network is leaked, how do I “immediately” know which host the leak came from?
replies(1): >>29815587 #
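An added example (not from the thread) of one way a defender can answer this question: keep an inventory mapping each host's certificate public-key (SPKI) fingerprint to the host, then derive the same fingerprint from a leaked privkey.pem and look it up. It also shows the flip side of the wildcard trade-off: a key shared by several hosts resolves to all of them, so the lookup cannot pinpoint one. Assumes `openssl` on PATH; the hostnames and the throwaway PKI are constructed for the demo.

```shell
#!/bin/sh
# Added example: identify which host a leaked private key belongs to by matching
# its SPKI fingerprint against an inventory built from the deployed certificates.
set -e

# SHA-256 over the DER SubjectPublicKeyInfo derived from a private key file.
spki_fp_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint derived from a certificate, so both sides are comparable.
spki_fp_from_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Emit "fingerprint hostname" lines from every <host>.crt in directory $1.
build_inventory() {
    for crt in "$1"/*.crt; do
        host=$(basename "$crt" .crt)
        printf '%s %s\n' "$(spki_fp_from_cert "$crt")" "$host"
    done
}

# Print every host whose deployed cert uses the leaked key $1 (inventory file $2),
# or "unknown" when no deployed cert uses that key pair.
identify_leaked_key() {
    fp=$(spki_fp_from_key "$1")
    awk -v fp="$fp" '$1 == fp {print $2; found=1} END {if (!found) print "unknown"}' "$2"
}

# Constructed demo PKI in directory $1 (hostnames are made up for the example).
make_demo_pki() {
    # Host-specific certs: each host has its own key pair.
    for host in wiki.internal git.internal; do
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$1/$host.key" -out "$1/$host.crt" -subj "/CN=$host" -days 1 >/dev/null 2>&1
    done
    # Wildcard-style deployment: two hosts serve certs issued for one shared key pair.
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/wildcard.key"
    for host in mail.internal chat.internal; do
        openssl req -x509 -key "$1/wildcard.key" -out "$1/$host.crt" \
            -subj "/CN=*.internal" -days 1 >/dev/null 2>&1
    done
}
```

Running `make_demo_pki "$dir"; build_inventory "$dir" > inv.txt; identify_leaked_key "$dir/wiki.internal.key" inv.txt` names one host, while the shared wildcard key lists both hosts that serve it.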
2. ◴[] No.29815587[source]