Hacker News

0xCMP, last Sunday at 2:21 AM (2 replies)

I don't see why people don't just run their own CAs more for private stuff.

If exposed for others I think the wildcard cert is also what I did, but most tutorials have you issuing certs via ACME for internal or local-only things which doesn't even need to happen.

I personally run my own CA and even set up an ACME server and internal DNS. Nobody knows what I am doing there.


Replies

nyrikki, last Sunday at 3:20 AM

It was common to set up your own CA at one point, especially when DNS management was more manual. However, it presented a huge attack surface and was challenging to manage.

A compromised private CA can lead to widespread breaches, affecting various systems and applications that rely on its certificates.

The CAB forum working groups being explicitly prohibited from working on private networks (at least historically) and market incentives also produced a situation where you can't really reduce the blast radius.

ESC1 attacks on AD CS are probably the best publicly documented case for further research.

The happy path is often manageable, but still complex, and any mistake will result in huge risks.

maccard, last Sunday at 10:10 AM

For me, the value proposition isn't there. I can get a wildcard domain signed from Let's Encrypt and it works out of the box on every device, and you don't have to deal with the fact that some/many apps will ignore your OS certificate rules.