2 comments

[ 2.7 ms ] story [ 21.0 ms ] thread
> Rather than issuing individual certificates for every internal host, a wildcard for something like *.int.example.com covers everything under that subdomain.

Congrats now one host is compromised and the certificate for the entirety of your private infrastructure is leaked.

This post is really amateur-level it security.

OP Here.

What you fail to grasp is that there are multiple sizes of IT organizations on this planet. The vast majority of them have less than 10 total admins. For them, they could not build and maintain an internal PKI thats as secure or as reliable as Public PKI.

Expecting them to do so is giving up. They will just use self-signed certs and blindly click through warnings.

Having a real certificate that warns when something is wrong is always better than perfect security. When you've worked at more than 1 kind of organization, you get a broader perspective.