Comment on Certbot is great. Let's Encrypt is great.
CubitOom@infosec.pub 1 year agoWait till you guys use cert-manager on a kubernetes cluster
Comment on Certbot is great. Let's Encrypt is great.
CubitOom@infosec.pub 1 year agoWait till you guys use cert-manager on a kubernetes cluster
SheeEttin@lemmy.world 1 year ago
Wait until you stand up your own CA and issue certs with multi-year validity so they don’t have to be renewed more often than you rebuild everything anyway
At least until you try to access stuff on a Pixel phone which doesn’t let you install CA certs any more 😞
dauerstaender@feddit.de 1 year ago
Having certificates that are valid for over a year is contra-productive, as when they get in to the wrong hands they might still be valid for a year until they naturally run out of time. The reason LetsEncrypt issues only 90d valid certificates is not to annoy you, but save your ass once someone obtains your certificates.
FrederikNJS@lemm.ee 1 year ago
While shorter lived certs certainly improve the general security, certificate revocation lists are what you need if a cert gets compromised.
dauerstaender@feddit.de 1 year ago
They don’t work in practice, no modern browser actively queries any revocation DBs. It’s just much more efficient to let something expire sooner than keep track of all lost somethings.
dan@upvote.au 1 year ago
Exactly this. The CA/B forum (who make rules about TLS certificates that all the providers follow) are actively trying to reduce certificate validity periods. 2-3 years ago, they reduced the maximum duration for TLS certificates to 13 months. It’s likely they’ll go even lower in the future.
My understanding is that they want the entire industry to move towards a Let’s Encrypt style system where renewal is fully automated and thus there’s minimal overhead to renewing more frequently. We’re not quite there yet.
FrederikNJS@lemm.ee 1 year ago
Wait until you set up cert-manager to issue both Let’s Encrypt certificates, as well as generating your own CA and issuing certs from your own CA where you can set the validity however want.
StefanT@lemmy.world 1 year ago
I had no problem to install my CA on my Pixel (Android 13).
LufyCZ@lemmy.world 1 year ago
I’ve heard something about it changing with A14
SpaceCadet@sopuli.xyz 1 year ago
Is that something new? I can still install CA certs on my Pixel 6. It does give a scary warning, but you can just click through it.
dan@upvote.au 1 year ago
That’s a lot of work just to avoid a renewal process that’s fully automated. Seems counter productive.