You probably don't need private PKI for internal infrastructure
> Rather than issuing individual certificates for every internal host, a wildcard for something like *.int.example.com covers everything under that subdomain. (certkit.io)

Congrats, now one host is compromised and the certificate for the entirety of your private infrastructure is leaked.

This post is really amateur-level IT security.
OP here.

What you fail to grasp is that there are multiple sizes of IT organizations on this planet. The vast majority of them have fewer than 10 total admins. They could not build and maintain an internal PKI that's as secure or as reliable as public PKI.
Expecting them to do so is giving up. They will just use self-signed certs and blindly click through warnings.
Having a real certificate that warns when something is wrong is always better than perfect security. When you've worked at more than 1 kind of organization, you get a broader perspective.
> What you fail to grasp is that there are multiple sizes of IT organizations on this planet. The vast majority of them have less than 10 total admins.
Nah, I grasp that very well because I was part of a three-person team that did manage, among other things, a private CA.

After evaluating a few options we decided to use Vault from HashiCorp to manage our own CA. We scripted the shit out of it and it worked beautifully for years with little to no maintenance. It was a unicorn company (1+ billion euros valuation) and there were multiple Kubernetes clusters, around 120 people in the tech team and a multitude of microservices.

Frankly I think it's you who fails to grasp the reality of operating a private CA in a company that does other things rather than managing private CAs.

If you grasped that, you'd know that, for example, you cannot use a Let's Encrypt certificate for client authentication anymore, or for mutual TLS, and you couldn't do that at all with a wildcard certificate.
With a private CA you can do whatever you need and whatever you want.
If you had worked in a real company doing that, you would understand.
> When you've worked at more than 1 kind of organization, you get a broader perspective.
That's just a sneaky and mean way to attack me on a personal level, rather than attacking my point.

Frankly your post shows a lot of insecurity and your complete ignorance of the reality of operating a private CA; if I were you I'd stop posting out of pure shame.
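Both technical claims in this exchange can be checked directly: that one wildcard certificate (and therefore one private key) serves every host under *.int.example.com, and that a private CA can mint certificates for TLS client authentication where a wildcard server certificate cannot. The block below is an added example, not code from any commenter and not Vault's PKI engine; it builds a throwaway in-memory root CA with Go's standard library. The CA name "Example Internal Root CA", the int.example.com hostnames and the "deploy-bot" client identity are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// PKI is a throwaway in-memory private CA, constructed for this example only.
type PKI struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	roots  *x509.CertPool // trust store holding just this root
}

// sign stamps a short validity window on tmpl, signs it with priv and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPKI generates a self-signed root and a trust pool that contains only it.
func NewPKI() (*PKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"}, // hypothetical name
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &PKI{caCert: cert, caKey: key, roots: roots}, nil
}

// Issue signs a leaf with the CA key for the given SANs and extended key usage; the
// leaf's own private key is generated and dropped, since only the certificate is checked.
func (p *PKI) Issue(serial int64, cn string, sans []string, eku x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	return sign(tmpl, p.caCert, &key.PublicKey, p.caKey)
}

// Verify chains leaf to the root, checking the hostname (when non-empty) and usage.
func (p *PKI) Verify(leaf *x509.Certificate, host string, usage x509.ExtKeyUsage) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: p.roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// Report summarizes what the private CA could and could not do.
type Report struct {
	WildcardServes   []string // hosts accepted under one wildcard server cert, i.e. one private key
	ClientCertOK     bool     // dedicated client cert verifies for TLS client authentication
	WildcardClientOK bool     // wildcard server cert verifies for TLS client authentication
}

// Run issues a *.int.example.com server certificate and a client certificate from the
// in-memory CA and checks each for the uses argued over in the thread.
func Run(p *PKI, hosts []string) (Report, error) {
	var r Report
	wild, err := p.Issue(2, "*.int.example.com", []string{"*.int.example.com"}, x509.ExtKeyUsageServerAuth)
	if err != nil {
		return r, err
	}
	client, err := p.Issue(3, "deploy-bot", nil, x509.ExtKeyUsageClientAuth) // hypothetical identity
	if err != nil {
		return r, err
	}
	for _, h := range hosts {
		if p.Verify(wild, h, x509.ExtKeyUsageServerAuth) == nil {
			r.WildcardServes = append(r.WildcardServes, h)
		}
	}
	r.ClientCertOK = p.Verify(client, "", x509.ExtKeyUsageClientAuth) == nil
	r.WildcardClientOK = p.Verify(wild, "", x509.ExtKeyUsageClientAuth) == nil
	return r, nil
}
```

Calling `Run(p, []string{"db.int.example.com", "web.int.example.com", "int.example.com"})` lists the first two hosts under `WildcardServes` (the bare `int.example.com` is not matched by the wildcard): every host listed is terminated by the same key, which is the blast radius the first reply objects to. The wildcard certificate fails the client-auth check because its extended key usage is serverAuth only, while the client certificate issued by the same private root passes; that is the capability the Vault-based setup above relies on and a public wildcard cannot provide.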