On 28/06/2023 12:14 pm, Quanah Gibson-Mount wrote:
> We use a public CA for the TLS sessions, and a private CA for
> SASL/EXTERNAL. We run our own PKI on the AD side of things too. Using
> a public CA for client certs seems very odd to me.

We also use a mix of Public-Purchased, Public-Free and Private certs.
The LDAP clients are a handful of machines with normal machine certs
that are public-free certs for various reasons. These are short-dated
certs that get updated frequently and automatically. With all that
machinery in place, it seems crazy to introduce yet another CA into the
mix. Running the proxy is not that big a deal.
I think, as the use of Public-free CAs catches on, and people realize
that these certs can be used on private networks, this use case will
only grow.