undefined | Better HN

0 pointsdingaling10y ago0 comments

It's not just creating the certs that is the challenge but also managing them; back-up, revocation, re-testing after expiry and across different development environments etc

And from the client perspective is makes pinning much easier.

I'm not a fan of one-wildcard-to-rule-them either but keeping active certs to a handful through the judicious use of wildcards is a real boon.

0 comments

Natanael_L10y ago

If you use the Cloudflare style delegation of SSL authentication signing to a trusted auth server, it can be simplified. The individual servers only holds the public cert and a private internal secret, one server holds your certificate private keys.

That server would be used to keep track of your domains and certificate status and which servers are authorized to work with which domains, etc... Also easier to backup.

j / k navigate · click thread line to collapse

0 pointsdingaling10y ago0 comments

It's not just creating the certs that is the challenge but also managing them; back-up, revocation, re-testing after expiry and across different development environments etc

And from the client perspective is makes pinning much easier.

I'm not a fan of one-wildcard-to-rule-them either but keeping active certs to a handful through the judicious use of wildcards is a real boon.

0 comments

Natanael_L10y ago

That server would be used to keep track of your domains and certificate status and which servers are authorized to work with which domains, etc... Also easier to backup.

j / k navigate · click thread line to collapse