On 18/11/2025 1:54 am, Peter Sylvester wrote:
I know about a large company that has a large multinational "intranet" with MANY servers, with special server-to-server and internal-only admin usages. They could/should have used their own CAs etc., but just having each "site" buy from one of the commercial players was "easier", well ...

I've never seen how using your own CA was practical or secure.

You have to add the CA to every certificate store on every device. (Does every docker container have its own certificate store? Probably!) Otherwise you have failures with random devices, and/or train people to ignore the certificate validation messages.

Then whoever controls your CA can in theory MITM any connection from these devices, internal or external (except for pinned certificates etc.)

Let's Encrypt avoids the problems. You can create certificates for whichever devices/services you need, and the validation is already there (except for z/OS!!) - which is the point of the whole certificate authority infrastructure.

I'm sure Let's Encrypt is far more secure than creating your own CA.

--
Andrew Rowley
Black Hill Software
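One defensive control for the "whoever controls your CA can MITM anything" point above is an X.509 name constraint on the private root, so a certificate minted by that CA for an external name fails validation. The script below is an added example, not from the thread; the zone `.corp.example` and the host names are constructed placeholders, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Build a private CA that is only allowed to issue for *.corp.example,
# then show that a leaf for an outside name does not verify against it.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA config: the critical nameConstraints extension limits its reach.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Corp Internal Root (constructed example)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.corp.example
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 30 -config ca.cnf >/dev/null 2>&1

# issue_leaf NAME: sign a server certificate for NAME with the private CA,
# exactly as an operator (or someone holding a stolen CA key) would.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days 30 -extfile "$1.ext" >/dev/null 2>&1
}

# verify_leaf NAME: exit 0 if NAME.crt chains to ca.crt within its
# constraints, non-zero otherwise (what a client's trust store would decide).
verify_leaf() {
  openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1
}

issue_leaf admin.corp.example   # in-scope internal host: accepted
issue_leaf www.bank.example     # out-of-scope name: rejected by the constraint
verify_leaf admin.corp.example && echo "admin.corp.example: chain OK"
verify_leaf www.bank.example || echo "www.bank.example: permitted-subtree violation"
```

The constraint does not remove the need to distribute the root to every trust store, but it bounds the blast radius of a CA key compromise to the internal zone.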

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
