Skip to main content

I am amazed that Let's Encrypt has been around for 10 years.

I have used it for many years, but certainly not 10.

I still want to find time to deploy my own CA, but for most external-facing things, I just use Let's Encrypt, and I'm very pleased to be able to do so.

in reply to Neil Brown

Rob Carlson
Rob Carlson
With DNS-based auth you can use it for internal hosts as well.
in reply to Neil Brown

Hugo Mills
Hugo Mills

I, too, use Let's Encrypt.

And some day, I'd like to get back all the time that I used to spend generating my own CA, before LE came on the scene.

in reply to Neil Brown

James Wells
James Wells
Don't know if they still have it, but years ago, cacert.org had some really good documentation on their website to create a mostly automagic CA certificate signing authority similar to theirs.
cacert.org

Welcome to CAcert.org

cacert.org
in reply to Neil Brown

Amber
Amber
what CA are you wanting to deploy? I've been interested in dogtagpki.org/

Overview — Dogtag PKI documentation

www.dogtagpki.org
in reply to Amber

Neil Brown
Neil Brown
@puppygirlhornypost2 Ooh, interesting! I didn't have anything specific in mind as I haven't really got into the project yet!
@Amber
in reply to Neil Brown

JamesB
JamesB
I'm amazed it's only been ten years. It feels a lot longer.
in reply to Neil Brown

Dustin Rue
Dustin Rue
wait, it has ONLY been 10 years? I feel like it has been around longer but I suppose that is correct. I love it and use it extensively.
in reply to Neil Brown

Shiri Bailem
Shiri Bailem
@Neil Brown I just wish there was was a way to do your own CA and limit it to a single domain... I'd love to just have https on the internal domain but not be opening a security risk of that CA being used against other sites.
@Neil Brown
in reply to Shiri Bailem

Neil Brown
Neil Brown
@shiri Interesting! Yes, that would be a further mitigation against loss of control of the private key, I guess?
@Shiri Bailem
in reply to Neil Brown

Shiri Bailem
Shiri Bailem
@Neil Brown precisely, it's one of many things I'd love to see implemented in current standards... a restricted ca that explicitly limits how it can be applied. (it's right up there with me thinking there should be a static encryption standard as a companion to https)
@Neil Brown
in reply to Shiri Bailem

Jonathan McDowell
Jonathan McDowell
The phrase you're looking for is "Name Constraints", aka RFC5280. Lets you limit the CA to a single domain and subdomains under it.
in reply to Neil Brown

silverwizard
silverwizard
@Neil Brown I constantly feel like LE was vandalism against the security of the internet. Just keeping the incredibly dangerous and bad CA system around on life support and removing all the energy that had been built by the Verisign hack to replace it.
@Neil Brown
in reply to silverwizard

Neil Brown
Neil Brown

@silverwizard within the framework of the current approach, LE turned money for old rope into an easy to deploy, automatable, free convenience, IMHO.

Would it be ideal to change the system? Yes!

@silverwizard
in reply to Neil Brown

silverwizard
silverwizard
@Neil Brown Yeah, saved the dying system, but I just can't considered it good, and am constantly surprised others do. (I'm not trying to tell you to hate it, but ya know, strong opinions, internet)
@Neil Brown
in reply to silverwizard

Shiri Bailem
Shiri Bailem

@silverwizard @Neil Brown has anyone actually established a better system really?

Not going to argue that LE doesn't have it's problems, or even just the underlying SSL system in general.

LE thanks to ease and being free without much "competition" it has the crucial problem of hosting far too high a proportion of the the certs for the whole internet.

SSL in general has the problem of CAs getting hacked and issuing fraudulent certs.

Only improvement I can think of in that security at all is maybe double-certified certificates? (require you to go through two wholly separate providers with the same key to have a valid key and requiring both to sign for any updates to go through and maybe a certificate chain for whenever it changes hands)

Beyond that it's always a cludge, people aren't going to check them themselves, they're not going to manage certificates themselves... so you just have a preauthed group of keys installed in your system, trust them to be above board, and then trust the providers of those keys to be above board. Honestly shocked we haven't had more issues, but that's kinda how security goes.

@Neil Brown @silverwizard
in reply to silverwizard

Shiri Bailem
Shiri Bailem
@silverwizard @Neil Brown nah, just "DANE" is kinda also a word and most people are still using google to search so lord knows where they end up
@Neil Brown @silverwizard
in reply to Neil Brown

Jima
Jima
Having run an internal enterprise CA before (and having replaced an existing one!), I have no particular desire to run a CA again. 😉
in reply to Jima

Neil Brown
Neil Brown

@jima

Neil-scale and enterprise-scale are very different beasts :)

@Jima
in reply to Neil Brown

Jima
Jima
Yes, but some of the aspects of enterprise-scale CAs do make things easier. 😂
in reply to Neil Brown

Roger Lipscombe
Roger Lipscombe

there's nothing particularly technically complicated about deploying your own CA.

Here's mine: github.com/rlipscombe/elixir-c… (because OpenSSL has terrible UX).

The complicated bits are keeping the private keys safe, auto-renewal, deploying the root certs to your various devices, etc.

But if you want _other_ people to access your servers, you're pretty much restricted to Let's Encrypt (or spending money), because they're not gonna install random root certs.


GitHub - rlipscombe/elixir-certs: Certificate Authority, in Elixir, using 'x509' library

Certificate Authority, in Elixir, using 'x509' library - rlipscombe/elixir-certs
GitHub
in reply to Roger Lipscombe

Neil Brown
Neil Brown

@rogerlipscombe

there's nothing particularly technically complicated about deploying your own CA


No, indeed. I've done it before, and just need to find the time to set it up again, secure it, and perhaps automate distribution.

(Yes, only for me accessing my own stuff!)

@Roger Lipscombe