nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: brent saner via NANOG <nanog () lists nanog org>
Date: Sat, 17 May 2025 19:02:19 -0500

On Sat, May 17, 2025, 18:23 Colin Constable via NANOG <nanog () lists nanog org>
wrote:

Is anyone else worried about this? We use public certs for client auth in a
number of cases.

 https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/

<https://lists.nanog.org/archives/list/nanog () lists nanog org/message/VRKIO6IUCJRLENL7FOHWWQV6UXAS3XGK/>


We just maintain our own internal PKI/trust anchor at $org for mTLS.

There are numerous solutions[0] that have evolved that are a fair bit more
robust than `openssl(1)` glued together with bash scripts these days.

Running your own PKI with a (or multiple) org-internal CA(s) not only lets
you control the KU/EKU etc. of the certs themselves but lets you scope
access to anything signed by a given issuer- no futzing with static CN/Subj
lists or pattern matching, IP SANs totally fine, not subject to
externally-influenced poli(cy|tics), etc.

For public-facing it's of course a little higher barrier of entry, but for
intra/infra/internal? Cannot be beat, highly recommend.


[0] Personal recommendation,
https://developer.hashicorp.com/vault/docs/secrets/pki or
https://openbao.org/docs/secrets/pki/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/534JOGJHLGF4AOLRK5AWTFH7CI2NCTCE/

