cryptonym 4 days ago

You now have to build and self-host a complete CA/PKI.

Or request a certificate over the public internet, for an internal service. Your hostname must be exposed to the web and will be publicly visible in transparency reports.

mox1 4 days ago

Companies have software to manage this for you. We utilize https://www.cyberark.com/products/machine-identity-security/

stackskipton 4 days ago

You could always ask for a wildcard for an internal subdomain and use that instead, so you will leak your internal FQDN but not individual hosts.

pixl97 4 days ago

I'm pretty sure every bank will auto fail wildcard certs these days, at least the ones I've worked with.

Key loss on one of those is like a takeover of an entire chunk of hostnames. Really opens you up.
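The trade-off in the two comments above (a wildcard hides individual hostnames from CT logs, but one key then covers every host under that label) can be made concrete. The following is an added example, not code from any commenter; the internal hostnames are constructed and hypothetical, and the matching rule follows the RFC 6125 convention that `*` stands for exactly one leftmost label.

```python
"""Added example: what a CT observer learns from a certificate's SAN list
versus how many internal hosts a single private key can impersonate."""
from __future__ import annotations

# Constructed sample inventory of internal hosts (hypothetical names).
INTERNAL_HOSTS = [
    "vault.corp.example.com",
    "jenkins.corp.example.com",
    "payroll-db.corp.example.com",
    "app.dev.corp.example.com",  # two labels below corp: not covered by *.corp
]

def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style matching: '*' only as the whole leftmost label, and it
    matches exactly one label, so '*.corp.example.com' matches neither
    'corp.example.com' nor 'a.b.corp.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if "*" in p_labels[1:] or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def is_wildcard(name: str) -> bool:
    return name.startswith("*.")

def ct_exposure(sans: list[str]) -> set[str]:
    """Names that become public once the cert is logged: the SANs themselves."""
    return {s.lower() for s in sans}

def key_blast_radius(sans: list[str], hosts: list[str]) -> set[str]:
    """Hosts an attacker could impersonate with this certificate's private key."""
    return {h for h in hosts for s in sans if wildcard_matches(s, h)}

def policy_reject_wildcards(sans: list[str]) -> list[str]:
    """Bank-style control: return offending entries (empty list = accepted)."""
    return [s for s in sans if is_wildcard(s)]

if __name__ == "__main__":
    per_host = ["vault.corp.example.com", "jenkins.corp.example.com"]
    wildcard = ["*.corp.example.com"]
    for label, sans in (("per-host certs", per_host), ("wildcard cert", wildcard)):
        print(label, "| CT sees:", sorted(ct_exposure(sans)),
              "| key covers:", sorted(key_blast_radius(sans, INTERNAL_HOSTS)),
              "| policy rejects:", policy_reject_wildcards(sans))
```

Run it and compare the two rows: the per-host certificates publish every hostname to CT but each key covers one host, while the wildcard publishes only the subdomain label and its key covers all three direct children.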

JoshTriplett 3 days ago

> Or request a certificate over the public internet, for an internal service. Your hostname must be exposed to the web and will be publicly visible in transparency reports.

That doesn't seem like the end of the world. It means you shouldn't have `secret-plans-for-world-takeover.example.com`, but it's already the case that secret projects should use opaque codenames. Most internal domain names would not actually leak any information of value.