undefined | Better HN

0 pointsthayne1y ago0 comments

My frustration is because using a private CA is more difficult than it should be.

You can't just add the CA to system trust stores on each device, because some applications, notably browsers and java, use their own trust stores, you have to add it to.

You also can't scope the CA to just .internal, which means in a BYOD environment, you have to require your employees to trust you not to sign certs for other domains.

And then there is running the CA itself. Which is more difficult than using let's encrypt.

0 comments

fleminra1y ago

The Name Constraints extension can limit the applicability of a CA cert to certain subdomains or IP addresses.

thayneOP1y ago

How well supported is that?

8organicbits1y ago

It's hard to say, but I'm super interested if anyone has statistics. Netflix built https://bettertls.com/ to answer these sorts of questions, but somehow forgot to validate constraints set at the root: https://github.com/Netflix/bettertls/issues/19

Anecdotally, I've seen name constraints kick in for both Firefox and Chrome on a Linux distro, but I can't comment more broadly.

layer81y ago

It's required by RFC 5280 (and predecessor), so it’s fairly well supported.

2 more replies

j / k navigate · click thread line to collapse