Comment by tomc1985
3 years ago
Why not just be your own signing authority for internal domains? You can propagate your toplevel public cert with most enterprise network provisioning tools.
Not only is running your own CA a pain, there is also minimal support for restricting CA scope validity, so anyone that needs to communicate with you effectively ends up trusting your CA for anything and everything. For most anyone except your own trusting partners or coworkers that's a complete non-starter.
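The "restricting CA scope validity" mechanism this comment refers to is the X.509 Name Constraints extension. As an added example, not code from the thread, the shell script below builds a private root CA constrained to the placeholder subtree `.internal.example` and shows OpenSSL rejecting a certificate issued outside it; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread): a private root CA carrying an X.509
# Name Constraints extension, so relying parties that enforce it accept only
# leaf certificates under the permitted DNS subtree.
# Assumes the openssl CLI; ".internal.example" is a placeholder domain.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA profile: the permitted subtree is limited to names under .internal.example
cat > root.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.internal.example
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout root.key -out root.crt -config root.cnf 2>/dev/null

# issue_leaf HOST: issue a server certificate for HOST from the constrained root
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA root.crt -CAkey root.key -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# verify_leaf HOST: exit status 0 only if the chain, including name
# constraints, verifies against the root
verify_leaf() {
  openssl verify -CAfile root.crt "$1.crt"
}

issue_leaf wiki.internal.example
verify_leaf wiki.internal.example        # inside the permitted subtree: OK
issue_leaf www.example.com
verify_leaf www.example.com || echo "rejected: outside the permitted subtree"
```

Whether the constraint is enforced at all depends on the relying party's TLS stack, which is the support gap the comment describes.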
Running your own PKI is fairly straightforward, particularly with tools like cfssl at your disposal.
But running your own PKI properly is quite hard.
Let's Encrypt gives you top tier PKI management for $0.
How do you define "properly"? What are some of the things someone can do wrong that Let's Encrypt does correctly?
Root certificate stored on offline HSM and intermediates on secure infrastructure. FIPS compliance. (Relatively) reliable revocation services. [See note 0]
The result is security of issuance, that is near complete confidence that certificates will only be used for controlled domains (not necessary if you want to MITM of course).
Also, ACME is generally easier and more reliable than other certificate rollover processes I've seen. I'm not sure if there are in-house PKI tools supporting it?
Depends on your organisation size though. Maybe your in-house PKI is fine, but it's not for everyone!
[Note 0] Revocation is of course a mess. Let's Encrypt isn't without fault either, particularly when used internally, since OCSP responders will need to be accessible from client devices.
A business case for Let's Encrypt is to support internal hosts which are not visible on the internet (Let's Encrypt can check that) and omit the hostnames from the Certificate Transparency Logs.
Let a business pay $100/year for 10 internal hostnames.
I'm fairly certain LE is required to emit signed certificates to CT by the CA/B forum baseline requirements, with no "internal only" exception.
In other words, if they do this they will be untrusted in browsers. They could offer this service on a secondary untrusted root if they wanted.
> Let's Encrypt gives you top tier PKI management for $0.
Ok, but it fails at one of the requirements.