Comment by filleokus
3 years ago
Sadly, the answer is probably no (for the information leakage mentioned in the article).
But having an internal (even ACME API-supporting) CA is no walk in the park either. If you can swallow the trade off and design with publicly-known hostnames, I would highly recommend it.
There’s always some annoying device/software/framework requiring their own little config dance to insert the root cert. Like outbound-proxy configuration, but almost worse.
I don’t even want to imagine what would happen if/when the root key needs to be rotated due to some catastrophic HSM problem.
> Sadly, the answer is probably no (for the information leakage mentioned in the article).
Eh, even in large organisations of expert IT users, the internal CA ends up training users to ignore certificate warnings.
Sure, maybe the certificate is set up right on officially issued laptops - but the moment someone starts a container, or launches a virtual machine, or uses some weird tool with its own certificate store, or has a project that needs a raspberry pi, or the boss gets himself an ipad? They'll start seeing certificate errors.
IMHO the risks created by users learning to ignore warnings are much greater than the risks from some outsider knowing that nexus.example.com exists.
If you have a large organization your containers are based off the orgs containers which has the CA in it. Same with VMs, Java, .Net, etc.
Maintaining golden container/vm images with root cert customizations is a pretty complex task that needs constant maintenance and customizations for new runtimes. Also this does nothing for unofficial devices (byo laptops, byod smartphones, ceo's ipad, guest laptops).
3 replies →