Possibly linux@lemmy.zip to Sysadmin@lemmy.world, English, 1 year ago (image post, 33 comments, 329 upvotes): You have an organizational identity, right?
Sal@lemmy.world, 1 year ago (29 points): If it is for internal only, self-signed is a lot easier.
nickwitha_k (he/him)@lemmy.sdf.org, 1 year ago (10 points): So is using “pass” as the password to all of your sensitive systems. Still not best, or even good practice.
JWBananas@startrek.website, 1 year ago (19 points): Are you conflating self-signed and untrusted? Self-signed is fine if you have a trusted root deployed across your environment.
nickwitha_k (he/him)@lemmy.sdf.org, 1 year ago (6 points): Correct. If using actual PKI with a trusted root and private CA, you’re just fine. I took the statement to mean ad-hoc self-signed certs, signed by the server that they are deployed on. That works for EiT but defeats any MitM protection, etc.
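The distinction drawn in the two comments above, as an added example that is not part of the thread: a private CA whose self-signed root is what clients trust, versus an ad-hoc cert a server signs for itself. The hostname and CA name are constructed values; the script only needs openssl.

```shell
#!/bin/sh
# Added example (not from the thread): private CA with a deployed root vs
# an ad-hoc self-signed server cert, checked the way a client would.
set -eu
WORK=$(mktemp -d)

# 1. Private CA: one self-signed root, later installed in every client's trust store.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server cert issued by that CA (hostname is a constructed example value).
make_ca_signed_server() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=intranet.example.internal" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:intranet.example.internal\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/ext.cnf" \
    -out "$WORK/srv.crt" 2>/dev/null
}

# 3. Ad-hoc self-signed server cert: the server vouches for itself, no shared root.
make_adhoc_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -subj "/CN=intranet.example.internal" \
    -addext "subjectAltName=DNS:intranet.example.internal" \
    -keyout "$WORK/adhoc.key" -out "$WORK/adhoc.crt" 2>/dev/null
}

# Verify a cert as a client that has only the private root installed would.
# Prints "ok" when the chain terminates at the trusted root, "fail" otherwise.
verify_against_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca; make_ca_signed_server; make_adhoc_server
echo "CA-issued cert: $(verify_against_ca "$WORK/srv.crt")"    # ok
echo "Ad-hoc cert:    $(verify_against_ca "$WORK/adhoc.crt")"  # fail
```

The ad-hoc cert still encrypts the session, but nothing ties it to a root the client already trusts, so a client cannot tell it apart from a cert presented by an interposed host.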
KairuByte@lemmy.dbzer0.com, 1 year ago (3 points): Hard disagree. As long as you have any machine with internet access it’s trivial, even more so if you can use DNS challenge.
KSP Atlas@sopuli.xyz, 1 year ago (1 point): Also probably no sysadmin uses it, but the Gemini protocol requires the use of a self-signed cert.