9 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jul 6 at 0:07 | comment added | 9072997 | | @i486 Publicly trusted certificates are limited to 397 days (Google has been pushing to get it lowered to 90 days). Some companies will sell "2 year certificates" or "5 year certificates", but what you are really doing is paying upfront for multiple certificates which will have to be validated and issued separately. |
| Jul 5 at 22:47 | comment added | marcelm | | @i486 "...then what is usage of free Let's encrypt certificate for real business?" - Normal? |
| Jul 5 at 8:51 | comment added | Ja1024 | | @i486: If you think setting up a production-ready PKI is easy, then you clearly haven’t done it yet. Of course it’s easy to generate key pairs with the OpenSSL CLI and use the ca command to create certificates. For testing, this is all perfectly fine. But this question is about actually securing the network traffic, not testing. Maybe you aren’t aware of this, but “private” CAs in the trust store are just as powerful as any other CA – there is no only-for-personal-use flag. So as soon as you use your CA in production, you have the same responsibilities and tasks as a commercial CA. |
| Jul 5 at 8:12 | comment added | JensV | | @i486 the problem isn't really that running a CA is inherently difficult. It's that if you configure your clients to trust your own CA and that CA gets compromised, the attacker can not only MITM your own servers but all TLS traffic you make on the internet (certificate pinning excluded). Then there's also the issue of managing certificate distribution and revocation mechanisms and so on. |
| Jul 5 at 7:17 | review | | | Low quality posts; Jul 5 at 7:58 |
| Jul 5 at 7:16 | comment added | i486 | | @Ja1024 All paid certificates are for 1 or 2 years. There are none for 3 months. And if your own CA is a "toy", then what is the use of a free Let's Encrypt certificate for a real business? You can easily dedicate a Raspberry Pi (for example) which only keeps the CA / private key, is not used for anything else and is not connected to the internet. Its purpose is to generate new certificates and sign them with the CA, then export them with a USB drive. "Enormous amount of knowledge"? I don't recommend running a public CA and selling certificates. Maybe you have to read what mutual TLS is and whether it is such a complex thing. |
| Jul 5 at 7:07 | comment added | Ja1024 | | There are also good reasons for keeping certificates short-lived: It avoids the problem of revocation (which is often broken), and it more or less forces people to automate their infrastructure instead of getting a certificate once and then letting it rot for years. |
| Jul 5 at 7:07 | comment added | Ja1024 | | I strongly recommend against this. Running your own public-key infrastructure properly(!) requires an enormous amount of knowledge and work. The CA should also be run on separate hardware, ideally a hardware security module. Yes, anybody can set up a toy CA with the OpenSSL CLI. But if the CA operations are unprotected, this can allow an attacker to compromise the traffic of all services. So, no, a private PKI definitely isn’t a convenient alternative to Let’s Encrypt. |
| Jul 5 at 6:35 | history | i486 | CC BY-SA 4.0 | answered |