On Fri, May 23, 2025, 21:14 Grant Taylor via NANOG <[email protected]> wrote:
> (SNIP)
>
> If you have multiple servers on the Internet that MUST use a public CA
> for various unassociated clients to trust the certificate and you want
> to leverage a certificate for communications between the two servers,
> then Occam's Razor / Parsimony would state that you use the simpler /
> one solution.
>
> Solution 1 is to have and re-use the existing certificates that you must
> have from a single public CA.
>

Mixing public and private communication under a single resource is poor practice. Using a public CA as a trust authority for private resources using mTLS auth offers no segregation nor least-access and relies wholly on individual identity checking. Better hope you didn't typo that regex!

> Solution 2 is to have and use two separate certificate & key pairs, each
> from a different CA, one public and the other private.
>

Technically they *can* have the same private key... the CA just signs a CSR generated by a key. BUT that aside, this is the objectively correct approach. Under no circumstance should one use a public CA for verifying client certificates.

Occam's Razor is for explaining phenomena. Taking the simplest approach for *security design* with no regard for ramifications has a different term applied: "lazy"[0].

[0] Or "low-hanging fruit", depending on if you're blue or red I suppose.

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/PZYPTYT3NJCYP6OPOL7UGY75WCCZZBGT/
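The segregation point made in the reply, as an added Go example that is not code from the thread: a constructed "public" CA that, like any commercial CA, also issues to customers unrelated to us, a constructed private CA, and the chain check Go's crypto/tls server performs against its ClientCAs pool. All CA and subject names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert: constructed demo cert; self-signed CA when parent is nil, else a client-auth leaf issued by parent.
func mkCert(name string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored for brevity
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root: the template signs itself
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepted performs the chain check a Go TLS server does on a presented client
// certificate when ClientCAs is pool and ClientAuth is RequireAndVerifyClientCert.
func accepted(client *x509.Certificate, pool *x509.CertPool) bool {
	_, err := client.Verify(x509.VerifyOptions{Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Compare: does each trust store (public CA vs private CA) admit a stranger's cert and our own cert?
func Compare() (strangerViaPublic, strangerViaPrivate, ownViaPrivate bool) {
	pubCA, pubKey := mkCert("Public CA (constructed stand-in)", nil, nil)
	privCA, privKey := mkCert("Private CA (constructed)", nil, nil)
	stranger, _ := mkCert("unrelated-customer.example", pubCA, pubKey) // anyone that CA serves
	own, _ := mkCert("worker.internal", privCA, privKey)               // only we issue these
	pubPool, privPool := x509.NewCertPool(), x509.NewCertPool()
	pubPool.AddCert(pubCA); privPool.AddCert(privCA)
	return accepted(stranger, pubPool), accepted(stranger, privPool), accepted(own, privPool)
}
```

With the public-CA pool the stranger's certificate passes the TLS layer (true) and only the application's own identity check, the regex the reply warns about, stands between it and access; the private-CA pool rejects it (false) and admits our own certificate (true).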
