this post was submitted on 02 Oct 2023
309 points (93.8% liked)

[–] KairuByte 56 points 2 years ago* (last edited 2 years ago) (4 children)

Why would anyone ever use self signed certs? Buy a cheap ass domain, and use LetsEncrypt to get a free cert.

[–] [email protected] 29 points 2 years ago (3 children)

If it is for internal only, self signed is a lot easier.

[–] [email protected] 1 points 2 years ago

Also probably no sysadmin uses it, but the Gemini protocol requires the use of a self signed cert

[–] KairuByte -3 points 2 years ago (1 children)

Hard disagree. As long as you have any machine with internet access it’s trivial, even more so if you can use DNS challenge.

[–] [email protected] 3 points 2 years ago* (last edited 2 years ago)

You're absolutely correct. For self hosting at home I use Cloudflare for DNS challenges.

Caddy is also amazing at making things even simpler.

[–] [email protected] -5 points 2 years ago (1 children)

So is using "pass" as the password to all of your sensitive systems. Still not best, or even good practice.

[–] [email protected] 18 points 2 years ago (1 children)

Are you conflating self-signed and untrusted?

Self-signed is fine if you have a trusted root deployed across your environment.

[–] [email protected] 4 points 2 years ago

Correct. If using actual pki with a trusted root and private CA, you're just fine.

I took the statement to mean ad-hoc self-signed certs, signed by the server that they are deployed on. That works for EiT but defeats any MitM protection, etc.
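The distinction drawn in this comment, as an added example that is not part of the thread: a private root CA (itself self-signed) signs a server cert, and verifying with that root as the trust anchor succeeds, while an ad-hoc self-signed server cert fails against the same trust store. Assumes `openssl` on PATH; all names are constructed.

```shell
#!/bin/sh
# Constructed demo: private CA as a deployed trust anchor vs. an ad-hoc
# self-signed server cert. Everything is written to a temp directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Private root CA. Self-signed by definition, but this is the root that
#    would be deployed to every client's trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Internal Root CA" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. Server key + CSR, signed by the private CA (with a SAN, as clients require).
openssl req -newkey rsa:2048 -nodes -subj "/CN=app.internal.example" \
  -keyout app.key -out app.csr >/dev/null 2>&1
printf 'subjectAltName=DNS:app.internal.example\n' > san.ext
openssl x509 -req -in app.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 825 -extfile san.ext -out app.crt >/dev/null 2>&1

# 3. Ad-hoc self-signed server cert, signed by the server's own key only.
openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
  -subj "/CN=adhoc.internal.example" \
  -keyout adhoc.key -out adhoc.crt >/dev/null 2>&1

# verify_against_root CERT: exit 0 if CERT chains to the private root,
# non-zero otherwise (this is what a client with the root deployed decides).
verify_against_root() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" >/dev/null 2>&1
}

verify_against_root app.crt && echo "app.crt: trusted via deployed private root"
verify_against_root adhoc.crt || echo "adhoc.crt: untrusted, no path to any deployed root"
```

Clients that only see `adhoc.crt` have nothing to check it against, so any attacker-supplied cert looks the same to them; that is the MitM gap the comment refers to.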

[–] [email protected] 6 points 2 years ago (2 children)

mTLS across a large number of machines. I run my own CA and intermediates on HashiCorp Vault.

For end user services, yes LE.

[–] KairuByte 5 points 2 years ago

At the point of running your own CA with infrastructure in place to support it, I wouldn’t really call that “self signing.”

I get that it technically is, since you’re not going through an external CA, but really it’s like calling a company's datacenter “self hosted” because it’s on their own hardware. Technically the truth, but not what is generally meant. 😜
