←back to thread

Should you use Let's Encrypt for internal hostnames?

(shkspr.mobi)
238 points edent | 1 comments | 05 Jan 22 12:42 UTC | HN request time: 0.216s | source
Show context
meepmorp ◴[05 Jan 22 14:11 UTC] No.29809113[source]
I've used https://smallstep.com/docs/step-ca/ as a CA internally, works well.
replies(4): >>29809289 #>>29809335 #>>29810148 #>>29811399 #
mrweasel ◴[05 Jan 22 14:25 UTC] No.29809289[source]
What I'd want is an internal CA, like step-ca, but have the certificates signed by a "real" CA, so I don't have to distribute my own root CA certificate.
replies(7): >>29809419 #>>29809851 #>>29809903 #>>29810475 #>>29810488 #>>29811401 #>>29812390 #
1. nym375 ◴[05 Jan 22 17:52 UTC] No.29812390[source]
You really don't actually want this. This intermediate CA would still be subject to the same extensive CAB Forum / vendor root program requirements (audited yearly via WebTrust) as a root CA. There are a ton of requirements, including mandatory response times, that inevitably makes this require a fully staffed team to operate.