The nature of PKI is that it requires a third party between the trusted party (e.g., server) and the trusting party (e.g., client).

>   I've never seen how using your own CA was practical or secure.

Please don't take this as argumentative. I recognize your points and agree. Those who DO run their own CA consider those things as part of the cost and they accept that as a cost of doing business.

Military, government, and even many large institutions or enterprises commonly run their own CA if only to get away from the third party aspect of PKI. YES, they then have the deployment burden. YES, all players then must trust the internal CA. (And there are many who DIStrust external CAs. Again, not meaning to argue, just observing.)

It's all about trust.


-- R; <><



On 11/17/25 5:18 PM, Andrew Rowley wrote:
On 18/11/2025 1:54 am, Peter Sylvester wrote:
I know about a large company that has a large multinational "intranet" with MANY servers, with special server-to-server and internal-only admin usages. They could/should have used their own CAs etc., but just having each "site" buy from one of the commercial players was "easier", well ...

I've never seen how using your own CA was practical or secure.

You have to add the CA to every certificate store on every device. (Does every docker container have its own certificate store? Probably!) Otherwise you have failures with random devices, and/or train people to ignore the certificate validation messages.

Then whoever controls your CA can in theory MITM any connection from these devices, internal or external (except for pinned certificates etc.)

Let's Encrypt avoids the problems. You can create certificates for whichever devices/services you need, and the validation is already there (except for z/OS!!) - which is the point of the whole certificate authority infrastructure.

I'm sure Let's Encrypt is far more secure than creating your own CA.

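An added example, not part of this thread or of either poster's text, illustrating the trust-store point raised above. It assumes the openssl command-line tool is installed. It builds a constructed private CA and a server certificate in a temporary directory, then shows that validation of the server certificate succeeds only when the verifier is handed the private CA, and fails against the system store alone, which is exactly what a device that never received the CA would experience.

```shell
# Added example (not from the mailing-list thread). Requires the openssl CLI.
# Everything is created in a throwaway directory and removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed private CA. The name is constructed for the example.
make_private_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a leaf certificate for a constructed internal hostname, signed by the
# private CA above.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=intranet.example.internal" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 when the server certificate chains to a CA in the given bundle,
# i.e. the device has had the private CA installed.
verify_with_bundle() {
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 only if the server certificate validates against the default
# (system) trust store. The private CA is not there, so this fails, which is
# the "random device" failure described in the thread.
verify_with_system_store() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# Stand-alone demonstration.
make_private_ca
issue_server_cert
if verify_with_bundle "$WORK/ca.crt"; then
    echo "private CA installed: server certificate trusted"
else
    echo "private CA installed: server certificate NOT trusted"
fi
if verify_with_system_store; then
    echo "system store only:    server certificate trusted"
else
    echo "system store only:    server certificate NOT trusted"
fi
```

The same two checks are what an internal deployment has to get right on every endpoint: either the private CA reaches every trust store (the first case) or validation fails on whatever was missed (the second case).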

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
