On Sat, May 17, 2025, 18:23 Colin Constable via NANOG <[email protected]> wrote:
> Is anyone else worried about this? We use public certs for client auth in a
> number of cases.
>
> https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/
<https://lists.nanog.org/archives/list/[email protected]/message/VRKIO6IUCJRLENL7FOHWWQV6UXAS3XGK/>

We just maintain our own internal PKI/trust anchor at $org for mTLS. There are numerous solutions[0] that have evolved that are a fair bit more robust than `openssl(1)` glued together with bash scripts these days.

Running your own PKI with a (or multiple) org-internal CA(s) not only lets you control the KU/EKU etc. of the certs themselves but lets you scope access to anything signed by a given issuer: no futzing with static CN/Subj lists or pattern matching, IP SANs totally fine, not subject to externally-influenced poli(cy|tics), etc.

For public-facing it's of course a little higher barrier to entry, but for intra/infra/internal? Cannot be beat, highly recommend.

[0] Personal recommendation, https://developer.hashicorp.com/vault/docs/secrets/pki or https://openbao.org/docs/secrets/pki/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/534JOGJHLGF4AOLRK5AWTFH7CI2NCTCE/
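As an added illustration of the issuer-scoped trust the reply above describes (this is not code from the post, from NANOG, or from the Vault/OpenBao PKI engines it recommends), the following script uses plain openssl(1) to stand up an org-internal CA, issue a clientAuth leaf that carries an IP SAN, and then run the check an mTLS server performs: trust is "anything that chains to our issuer and is allowed to do client auth", so a serverAuth-only cert from the same CA and a clientAuth cert from a different CA are both rejected without any CN list. Every name in it (Example Org, internal-ca, other-ca, node7, 10.0.0.7, api.internal.example) is made up for the example; in a real deployment the issuing step would be Vault/OpenBao's PKI secrets engine rather than these commands.

```shell
#!/bin/sh
# Added example: org-internal mTLS CA with issuer-scoped client trust.
# Not the NANOG poster's code and not Vault/OpenBao; a plain openssl(1)
# walk-through of the trust model described in the reply. All names,
# addresses and organisation strings below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extension profiles: what the CA may do, and what each leaf may be used for.
# This is the KU/EKU control the reply refers to: the issuer decides, per
# profile, whether a cert can act as a TLS client, a TLS server, or a CA.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[client]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = IP:10.0.0.7,DNS:node7.internal.example
authorityKeyIdentifier = keyid

[server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:api.internal.example
authorityKeyIdentifier = keyid
EOF

# make_ca NAME: self-signed internal root (EC P-256), constrained to issuing.
make_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null
    openssl req -new -config req.cnf -key "$1.key" \
        -subj "/O=Example Org/CN=$1" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
        -extfile ext.cnf -extensions ca -out "$1.pem" 2>/dev/null
}

# issue CA PROFILE NAME: leaf signed by CA with the given extension profile.
issue() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$3.key" 2>/dev/null
    openssl req -new -config req.cnf -key "$3.key" \
        -subj "/O=Example Org/CN=$3" -out "$3.csr" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 1 -extfile ext.cnf -extensions "$2" -out "$3.pem" 2>/dev/null
}

# accept_client CAFILE CERT: the decision an mTLS server makes. The trust
# anchor is the issuer, not a subject list: a cert passes only if it chains
# to CAFILE and its EKU permits clientAuth (-purpose sslclient).
accept_client() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca internal-ca
make_ca other-ca                      # stands in for a public CA / another tenant
issue internal-ca client node7        # intended client cert, has an IP SAN
issue internal-ca server api          # serverAuth-only leaf from the same CA
issue other-ca client stranger        # clientAuth cert, but the wrong issuer

accept_client internal-ca.pem node7.pem    && echo "node7:    accepted"
accept_client internal-ca.pem api.pem      || echo "api:      rejected (no clientAuth EKU)"
accept_client internal-ca.pem stranger.pem || echo "stranger: rejected (not our issuer)"
```

The same two conditions (chains to the internal root, EKU allows client auth) are what a real server enforces when it is pointed at only the internal CA file, for example nginx with `ssl_client_certificate`/`ssl_verify_client on`, or Go's `tls.Config` with `ClientCAs` set and `ClientAuth: tls.RequireAndVerifyClientCert`; neither needs the public WebPKI roots, which is why Let's Encrypt dropping clientAuth from its EKU does not affect this design.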
