Why would anyone ever use self-signed certs? Buy a cheap-ass domain, and use LetsEncrypt to get a free cert.
If it is for internal only, self-signed is a lot easier.
So is using "pass" as the password to all of your sensitive systems. Still not best, or even good practice.
Hard disagree. As long as you have any machine with internet access it’s trivial, even more so if you can use DNS challenge.
Also probably no sysadmin uses it, but the Gemini protocol requires the use of a self-signed cert.
I use self-signed certs for thin-client authentication. Generate self-signed cert, load into AWS workspaces, sign device certs with root, and only machines that have the cert installed and pass the username/password prompt will get through the AWS service broker. I can't see how using a CA-signed cert helps me in any meaningful way. If I lose trust in the cert, I revoke it myself from the service.
Use of a CA (private CA would be my thought in this case) gives you greater ability to manage certs without needing to manually revoke and the ability to verify authenticity. You're already doing most of the work to run a private CA, TBH. Just, instead of signing from the machine, you add your private CA's intermediate cert to the trusted CAs on your hosts, and generate CSRs on your new hosts for your CA to sign.
Signing from the machine that uses a cert gives it greater authority and increases the "blast radius" if it gets compromised.
mTLS across a large number of machines. I run my own CA and intermediates on HashiCorp Vault.
For end-user services, yes, LE.
At the point of running your own CA with infrastructure in place to support it, I wouldn’t really call that “self signing.”
I get that it technically is, since you're not going through an external CA, but really it's like calling a company's datacenter "self hosted" because it's on their own hardware. Technically the truth, but not what is generally meant. 😜
What's LE?
Self-signed certs are more secure. You don't have to trust the whole CA chain.
Not pictured: Using a CA to properly administer certs because self-signed certs are not secure.
They're more secure than CA certs.
Could you explain your statement further?
How are they not secure? You are still doing TLS to the service; maybe they have weak keys, but it is still a form of secure connection.
Certs do more than encryption in transit. They are also used for protection against MitM and authentication. Self-signing removes the ability to verify a cert's authenticity.
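The private-CA setup described earlier in the thread (a root, an issuing intermediate, device certs signed by it, the intermediate trusted on hosts) and the argument just above about what a CA-signed cert lets a peer verify, as an added example in Go using only the standard library. This is not code from any commenter or from AWS, Vault or cert-manager; the CA names, the device name `thin-client-0042`, the hostname `broker.corp.example` and the one-day validity are constructed for the example, everything is generated in memory, and nothing touches the network. Each scenario runs the same `x509.Verify` that crypto/tls performs on a presented certificate, so a nil error means that peer would be accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const brokerName = "broker.corp.example" // hypothetical internal hostname; nothing here touches the network

// identity is a certificate together with its private key.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustIssue signs tmpl with parent's key, or with the new key itself (self-signed) when parent is nil.
func mustIssue(tmpl *x509.Certificate, parent *identity) identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der) // re-parse so derived fields (SKID, path length) are populated
	check(err)
	return identity{cert, key}
}

// template builds a one-day cert: CAs get CA:TRUE + keyCertSign, leaves digitalSignature + one EKU.
func template(cn string, serial int64, isCA bool, eku x509.ExtKeyUsage, dns ...string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	if isCA {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// buildPKI is the hierarchy discussed in the thread: root, issuing intermediate, broker leaf, device leaf.
func buildPKI() (root, inter, server, client identity) {
	root = mustIssue(template("Corp Private Root CA", 1, true, 0), nil)
	inter = mustIssue(template("Corp Issuing CA", 2, true, 0), &root)
	server = mustIssue(template(brokerName, 3, false, x509.ExtKeyUsageServerAuth, brokerName), &inter)
	client = mustIssue(template("thin-client-0042", 4, false, x509.ExtKeyUsageClientAuth), &inter)
	return
}

// pool is a trust store holding exactly the given certificates.
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verifyPeer is the check crypto/tls runs on a presented cert (ClientCAs on the server, RootCAs on
// the client): chain the leaf plus the intermediates the peer sent to a trusted anchor, require eku,
// and match host when it is non-empty.
func verifyPeer(leaf *x509.Certificate, presented []*x509.Certificate, trusted *x509.CertPool,
	eku x509.ExtKeyUsage, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, Intermediates: pool(presented...),
		KeyUsages: []x509.ExtKeyUsage{eku}, DNSName: host})
	return err
}

// scenarios runs the checks side by side; a nil error means the peer would be accepted.
func scenarios() map[string]error {
	root, inter, server, client := buildPKI()
	rogue := mustIssue(template("thin-client-rogue", 99, false, x509.ExtKeyUsageClientAuth), nil)
	anchor, chain := pool(root.cert), []*x509.Certificate{inter.cert}
	cAuth, sAuth := x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth
	return map[string]error{
		"CA-signed device, intermediate presented":  verifyPeer(client.cert, chain, anchor, cAuth, ""),
		"CA-signed device, intermediate missing":    verifyPeer(client.cert, nil, anchor, cAuth, ""),
		"CA-signed device, intermediate as anchor":  verifyPeer(client.cert, nil, pool(inter.cert), cAuth, ""),
		"self-signed device checked against the CA": verifyPeer(rogue.cert, nil, anchor, cAuth, ""),
		"self-signed device pinned by exact cert":   verifyPeer(rogue.cert, nil, pool(rogue.cert), cAuth, ""),
		"broker cert, expected hostname":            verifyPeer(server.cert, chain, anchor, sAuth, brokerName),
		"broker cert, wrong hostname":               verifyPeer(server.cert, chain, anchor, sAuth, "other.corp.example"),
	}
}

func main() {
	for name, err := range scenarios() {
		fmt.Printf("%-42s %v\n", name, err)
	}
}
```

`go run` prints each scenario with `<nil>` or the verifier's reason. The two self-signed rows are the crux of the thread: a self-signed device cert is rejected by anyone holding only the corporate root, but accepted where the exact certificate is pinned as the trust anchor, so "self-signed" buys authenticity only if every verifier has a copy of every leaf; the hostname rows show the check that blocks an impersonating server. To enforce this on a real listener, put the same pool in `tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: ...}` on the server and in `RootCAs` plus `ServerName` on the client. Note that `x509.Verify` does not consult CRLs or OCSP, so the revocation the thread discusses has to be handled separately.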
cert-manager is the first thing I install on every Kubernetes cluster I make.