undefined | Better HN

0 pointstoomuchtodo10y ago0 comments

True! But wildcards make cert management so much easier. If I have a handful of subdomains, that's fine. If I have thousands, I want a wildcard cert.

0 comments

vetrom10y ago

Arguably though wildcard certs are a bad hack on security, as it binds multiple distinct endpoints to a given keypair.

Given the occasional implementation weakness, and key recoveries, I would much rather bind only one key to a name.

chipperyman57310y ago

It would be relatively easy to write a simple bash script to automate it. Granted, it might take a bit of time to generate a few thousand certs, but it wouldn't take more than a day if you only have a thousand or so.

dingaling10y ago

It's not just creating the certs that is the challenge but also managing them; back-up, revocation, re-testing after expiry and across different development environments etc

And from the client perspective is makes pinning much easier.

I'm not a fan of one-wildcard-to-rule-them either but keeping active certs to a handful through the judicious use of wildcards is a real boon.

Natanael_L10y ago

If you use the Cloudflare style delegation of SSL authentication signing to a trusted auth server, it can be simplified. The individual servers only holds the public cert and a private internal secret, one server holds your certificate private keys.

That server would be used to keep track of your domains and certificate status and which servers are authorized to work with which domains, etc... Also easier to backup.

j / k navigate · click thread line to collapse