Comment by cortesoft
12 hours ago
Just a few months ago my company was going through some transitions and wanted to get some certs to cover us while we migrated to a different stack with let's encrypt and automated cert renewals.
We had some legacy systems on our network that needed certs and had various subdomains that prevented us from just having a wildcard cert. It ended up that we needed a few dozen subdomains with wildcard certs for each, and it was all for internal traffic between them.
The company we were using wanted to charge us $30,000 for a one year cert with that many wildcards.
We said fuck that, created our own CA, generated a big wildcard cert, and then installed the CA on the few thousand servers as a trusted root. A few months later and we are just using let's encrypt for everything, for free.
I can't believe there is a market for $30,000 certs anymore. We were just shocked that that was deemed a reasonable price to charge us.
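The "created our own CA, generated a big wildcard cert" route from the comment above, written out as an added example (not cortesoft's script, and not anything from the thread). It assumes `openssl` is on the PATH and uses placeholder zone names. The one thing it adds to the described procedure is an X.509 `nameConstraints` extension on the root, so that a leaked or abused private root can only vouch for the internal zone, and it deliberately issues one cert outside that zone to show that `openssl verify` rejects it:

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a private root CA plus a wildcard leaf, with a
# critical nameConstraints extension limiting the root to one internal zone.
# "corp.example", "internal.test" and "other.example" are placeholders.
set -euo pipefail

# Sign a server cert called $2 for DNS name $3 with the CA under $1.
# The same small config file serves as CSR config and as signing extensions.
issue_leaf() {
  local dir="$1" name="$2" dns="$3"
  cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ${dns}
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${dns}
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/$name.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/$name.cnf" -extensions leaf \
    -out "$dir/$name.crt" >/dev/null 2>&1
}

# Create under $1 a root constrained to zone $2, then two leaves:
#   wildcard.crt  *.<zone>          what the internal systems would actually use
#   outside.crt   *.other.example   mis-issued on purpose, to show the constraint bites
make_private_ca() {
  local dir="$1" zone="$2"
  mkdir -p "$dir"
  # CA:TRUE with pathlen 0 (no sub-CAs); permitted subtree = the zone and its subdomains.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Internal Root CA (placeholder)
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:${zone}
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

  issue_leaf "$dir" "wildcard" "*.${zone}"
  issue_leaf "$dir" "outside"  "*.other.example"
}

# Chain-verify a leaf against the root, as a client that trusts ca.crt would.
# Exit status 0 = accepted, non-zero = rejected (e.g. permitted subtree violation).
verify_leaf() {
  local ca="$1" cert="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Stand-alone demo in a scratch directory.
WORK="$(mktemp -d)"
make_private_ca "$WORK" "corp.example"
verify_leaf "$WORK/ca.crt" "$WORK/wildcard.crt" && echo "wildcard.crt: accepted (inside permitted subtree)"
verify_leaf "$WORK/ca.crt" "$WORK/outside.crt" || echo "outside.crt: rejected (outside permitted subtree)"
# Trusting the root on a Debian/Ubuntu host would be: copy ca.crt into
# /usr/local/share/ca-certificates/ and run update-ca-certificates (not done here).
```

The constraint is the part worth keeping even if the rest is throwaway: without it, every host that trusts the private root will accept a certificate for any name the CA key is ever used to sign, which is the risk a checklist auditor is asking about when a private root appears on a few thousand servers.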
I think the best analogy for this is scams. Once a scammer finds a mark they'll pay, there's a desire to soak them for as much as they'll bear.
EVs are not a scam per se, but they also don't add any value. 80% of the world already figured that out, so by definition if you are asking you are in the bottom 20%.
Now I get you were in the process of migration, but that's an edge case. In a normal case if you go around asking to buy a wildcard EV, you basically have a sign saying "fleece me".
So yeah, there's still a market for people wanting to throw money at CAs, even in these comments you'll see some. And management types are especially prone to "sounds expensive, must be good" logic when spending other people's money.
I think you've left out the ecosystem of semi-scam; without that, the decisions look less logical. If you go and add a private rootCA to all your servers there are risks. You can convince yourself the risks are covered, you can convince a highly qualified security analyst. Can you convince a business intern with a checklist hired by a certification firm that underbid the one with specialists? 30K to engage with no one on the topic starts to look ideal.
I'm not sure the alternative is a self-created RootCA. (But perhaps I don't understand the underlying case.)
To me, the alternative is just a LE cert. Can do wildcards via DNS challenge.