Comment by zrail

3 years ago

Wildcard certs are (only?) issued from DNS-01 challenges. As long as the requester can satisfy the DNS challenge ACME doesn't care about key uniqueness.

With Digicert, you do a different API call “duplicate certificate” to avoid buying another cert unnecessarily.

I would consider it to be a best practice to keep unique keys as an SOP as it discourages bad behaviors, like keeping private keys accessible on file servers or even mail.

Right. If you control the DNS, you can point names at any IP address and get appropriate certs for them. Therefore, you must protect your DNS infrastructure.

  • Isn't the need to protect your DNS infrastructure pretty obvious anyways even when ignoring certificate validation?

    • Besides, if I can change your DNS, I can change your HTTP responses as well. So control over DNS already lets me get a Let's Encrypt cert for you anyway. Though it is slightly easier to notice if someone changes your DNS to point to a different server than if someone adds a TXT record. I say slightly because if I change your DNS to point at my server I can just proxy requests to your old server so everything still looks like it works.

      Heck, even with most other certificate issuers I can get a cert in similar ways when controlling DNS.

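The thread's point (the DNS-01 challenge proves DNS write access and nothing else, so neither the CSR key nor key uniqueness enters into validation) can be made concrete by working the challenge derivation from RFC 8555 section 8.4 and the RFC 7638 key thumbprint. The following is an added example written for this page, not code from the thread, Let's Encrypt, or any ACME client; the account keys, tokens and zone contents are constructed placeholders, and the in-memory `zone` dict stands in for the CA's DNS lookup.

```python
"""ACME DNS-01 derivation and a simulated DNS takeover (added example)."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically sorted, no whitespace. Extra members (kid, alg) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record_name(identifier: str) -> str:
    """Record queried by the CA; a wildcard identifier validates under its base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.4: base64url(SHA-256(token '.' thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def ca_validates(zone: dict, identifier: str, token: str, account_jwk: dict) -> bool:
    """Everything the CA checks: the expected TXT value is present in DNS.
    No certificate key, CSR, or existing certificate is involved."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in zone.get(dns01_record_name(identifier), [])


# Constructed placeholder keys: the x/y values are not real curve points, which
# does not matter here because the challenge only hashes the JSON members.
OPERATOR_KEY = {"kty": "EC", "crv": "P-256",
                "x": "placeholder-x-operator", "y": "placeholder-y-operator"}
ATTACKER_KEY = {"kty": "EC", "crv": "P-256",
                "x": "placeholder-x-attacker", "y": "placeholder-y-attacker"}


def simulate_dns_takeover(identifier: str = "*.example.com"):
    """Returns (attacker validated before DNS write, attacker validated after)."""
    # Constructed tokens; a real CA hands each order a fresh random token.
    operator_token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    attacker_token = "Yf3m0dxqC5uQ4n0Zv0jS2wP8bK1rT9HhE6lA7cXoZ2s"
    name = dns01_record_name(identifier)

    # The legitimate operator's own challenge record is already published.
    zone = {name: [dns01_txt_value(operator_token, OPERATOR_KEY)]}
    before = ca_validates(zone, identifier, attacker_token, ATTACKER_KEY)

    # Attacker with DNS write access adds one more TXT record for their own
    # ACME account and order; the operator's keys are never touched.
    zone[name].append(dns01_txt_value(attacker_token, ATTACKER_KEY))
    after = ca_validates(zone, identifier, attacker_token, ATTACKER_KEY)
    return before, after


if __name__ == "__main__":
    print("wildcard record name:", dns01_record_name("*.example.com"))
    print("attacker passes DNS-01 (before, after DNS write):", simulate_dns_takeover())
```

Two things worth noting in the output: the wildcard `*.example.com` validates at `_acme-challenge.example.com`, so an attacker who can add a single TXT record at the apex gets a certificate covering every subdomain, and the record value depends only on the CA's token and the attacker's own ACME account key, which is why a published CAA record and monitoring for unexpected `_acme-challenge` TXT records (and CT logs) are the controls that actually matter here.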