Hacker Neue

Preferences
pixl97 parent
Heh, working with a number of large companies I've seen most of them moving to internally signed certs on everything because of ever shortening expiration times. They'll have public certs on edge devices/load balancers but internal services with have internal CA signed certs with long expire times because of the number of crappy apps that make using certs a pain in the ass.
plorkyeran
This is a desired outcome. The WebPKI ecosystem would really like it if everyone stopped depending on them for internal things because it's actually a pretty different set of requirements. Long-lived certs with an internal CA makes a lot of sense and is often more secure than using a public CA.
tetha
Our internally provided certs of various CAs have a TTL of 72 hours and should be renewed every 48 hours.

It's been a huge pain as we have encountered a ton of bugs and missing features in libraries and applications to reload certs like this. And we have some really ugly workarounds in place, because some applications place a "reload a consul client" on the same level of "reload all config, including opening new sockets, adjusting socket parameters, doing TCP connection handover" - all to rebuild a stateless client throwing a few parameters at a standard http client. But oh well.

But I refuse to back down. Reload your certs and your secrets. If we encounter a situation in which we have to mass-revoke and mass-reissue internal certs, it'll be easy for those who do. I don't have time for everyone else.

donnachangstein
> Our internally provided certs of various CAs have a TTL of 72 hours and should be renewed every 48 hours.

Do you promise to come back and tell us the story about when someone went on vacation and the certs issued on a Thursday didn't renew over the weekend and come Monday everything broke and no one could authenticate or get into the building?

kam
At least that sounds like it would be a more interesting story than the one where the person who quit a year ago didn't document all the places they manually installed the 2-year certificate.
tetha
I will. We've been betting Postgres connectivity for a few hundred applications on this over the past three years. If this fucks up, it'll be known without me.
donnachangstein
I'm curious what requirement drove you to such arbitrarily small TTL, other than "because we can" dick-measuring geekery.

I applaud you for sticking to your guns though.

tetha
At the end of the day, we were worried about exactly these issues - if an application has to reload certs once every 2 years, it will always end up a mess.

And the conventional wisdom for application management and deployments is - if it's painful, do it more. Like this, applications in the container infrastructure are forced to get certificate deployment and reloading right on day 1.

And yes, some older application that were migrated to the infrastructure went ahead and loaded their credentials and certificates for other dependencies into their database or something like that and then ended up confused when this didn't work at all. Now it's fixed.

wbl
Why would the cert renewal be manual?
alexchamberlain
That's how it used to be done. Buy a certificate with a 2 year expiry and manually install it on your server (you only had 1; it was fine).
progmetaldev
I can tell you that there are still quite a few of us out here that are doing the once a year manual renewal. I have suggested a plan to use Let's Encrypt with automated renewal, but for some companies, they are using old technology and/or old processes that "seniors" are comfortable with since they understand them and suggesting a better process isn't always looked favorably upon (especially if your job relies on the manual renewal process as one of those cryptic things only IT can do).
tptacek
Some of this rhymes with Colm MacCárthaigh's case against mTLS.

https://www.hackerneue.com/item?id=25380301

OptionOfT
This has been our issue too. We've had mandates for rotating OAuth secrets (client ID & client secret).

Except there are no APIs to rotate those. The infrastructure doesn't exist yet.

And refreshing those automatically does not validate ownership, unlike certificates where you can do a DNS check or an HTTP check.

Microsoft has some technology that next to these tokens they also have a per-machine certificate that is used to sign requests, and those certificates can't leave the machine.

parliament32
We've also felt the pain for OAuth secrets. Current mandates for us are 6 months.

Because we run on Azure / AKS, switching to federated credentials ("workload identities") with the app registrations made most of the pain go away because MS manages all the rotations (3 months) etc. If you're on managed AKS the OIDC issuer side is also automagic. And it's free. I think GCP offers something similar.

https://learn.microsoft.com/en-us/entra/workload-id/workload...

rlpb
Browsers don't design for internal use though. They insist on HTTPS for various things that are intranet only, such as some browser APIs, PWAs, etc
akerl_
As is already described by the comment thread we're replying in, "internal use" and "HTTPS" are very compatible. Corporations can run an internal CA, sign whatever internal certs they want, and trust that CA on their devices.
franga2000
You use the term "internal use" and "corporations" like they're interchangable, but that's definitely not the case. Lots of small businesses, other organizations or even individuals want to have some internal services and having to "set up" a CA and add the certs to all client devices just to access some app on the local network is absurd!
akerl_
The average small business in 2025 is not running custom on-premise infrastructure to solve their problems. Small businesses are paying vendors to provide services, sometimes in the form of on-premise appliances but more often in the form of SaaS offerings. And I'm happy to have the CAB push those vendors to improve their TLS support via efforts like this.

Individuals are in the same boat: if you're running your own custom services at your house, you've self-identified as being in the amazingly small fraction of the population with both the technical literacy and desire to do so. Either set up LetsEncrypt or run your own ACME service; the CAB is making clear here and in prior changes that they're not letting the 1% hold back the security bar for everybody else.

JimBlackwood
I don't think it's absurd and personally it feels easier to setup an internal CA than some of the alternatives.

In the hackiest of setups, it's a few commands to generate a CA and issue a wildcard certificate for everything. Then a single line in the bootstrap script or documentation for new devices to trust the CA and you're done.

Going a few steps further, setting up something like Hashicorp Vault is not hard and regardless of org size; you need to do secret distribution somehow.

14 More Comments →
acedTrex
Sounds like there is a market for a browser that is intranet only and doesnt do various checks
2 More Comments →
jillyboel
Getting my parents to add a CA to their android, iphone, windows laptop and macbook just so they can use my self hosted nextcloud sounds like an absolute nightmare.

The nightmare only intensifies for small businesses that allow their users to bring their own devices (yes, yes, sacrilege but that is how small businesses operate).

Not everything is a massive enterprise with an army of IT support personnel.

crote
Rolling out LetsEncrypt for a self-hosted Nextcloud instance is absolutely trivial. There are many reasons corporations might want to roll their own internal CA, but simple homelab scenarios like these couldn't be further from them.
5 More Comments →
mysteria
I actually do this for my homelab setup. Everyone basically gets the local CA installed for internal services as well as a client cert for RADIUS EAP-TLS and VPN authentication. Different devices are automatically routed to the correct VLAN and the initial onboarding doesn't take that long if you're used to the setup. Guests are issued a MSCHAP username and password for simplicity's sake.

For internal web services I could use just Let's Encrypt but I need to deploy the client certs anyways for network access and I might as well just use my internal cert for everything.

2 More Comments →
richardwhiuk
Why are your parents on a corporations internal network?
3 More Comments →
stefan_
Do I add the root CA of my router manufacturer so I can visit its web interface on my internal network without having half the page functionality broken because of overbearing browser manufacturers who operate the "web PKI" as a cartel? This nowadays includes things such as basic file downloads.
ClumsyPilot
> Corporations can run an internal CA

Having just implemented an internal CA, I can assure you, most corporations can’t just run an internal CA. Some struggle to update containers and tie their shoe laces.

lxgr
Yeah, but essentially every home user can only do so after jumping through extremely onerous hoops (many of which also decrease their security when browsing the public web).

I’ve done it in the past, and it was so painful, I just bit the bullet and started accessing everything under public hostnames so that I can get auto-issued Letsencrypt certificates.

rlpb
Indeed they are compatible. However HTTPS is often unnecessary, particularly in a smaller organisation, but browsers mandate significant unnecessary complexity there. In that sense, brwosers are not suited to this use in those scenarios.
freeopinion
If only browsers could understand something besides HTTPS. Somebody should invent something called HTTP that is like HTTPS without certificates.
3 More Comments →
tedivm
I really don't see many scenarios where HTTPS isn't needed for at least some internal services.
8 More Comments →
therealpygon
And it is even more trivial in a small organization to install a Trusted Root for internally signed certificates on their handful of machines. Laziness isn’t a browser issue.
2 More Comments →
Spooky23
Desired by who?

There’s nothing stopping Apple and Google from issuing themselves certificates every 10 minutes. I get no value for doing this. Building out or expanding my own PKI for my company or setting up the infrastructure to integrate with Digicert or whomever gets me zero security and business value, just cost and toil.

Revocation is most often an issue when CAs fuck up. So now we collectively need to pay to cover their rears.

crote
CAs fucking up every once in a while is inevitable. It is impossible to write guaranteed bug-free software or train guaranteed flawless humans.

The big question is what happens when (not "if") that happens. Companies have repeatedly shown that they are unable to rotate certs in time, to the point of even suing CAs to avoid revocation. They've been asked nicely to get their shit together, and it hasn't happened. Shortening cert lifetime to force automation is the inevitable next step.

Spooky23
Silly me, I’m just a customer, incapable of making my own risk assessments or prioritizing my business processes.

You’re portraying people suing CAs to get injunctions to avoid outages as clueless or irresponsible. The fact is Digicert’s actions, dictated by this CA/Browser forum were draconian and over the top responses to a minor risk. This industry trade group is out of control.

End of the day, we’re just pushing risk around. Running a quality internal PKI is difficult.

christina97
What do you mean “WebPKI … would like”. The browser vendors want one thing (secure, ubiquitous, etc), the CAs want a very different thing (expensive, confusing, etc)…
ozim
Problem is browsers will most likely follow the enforcement of short certificates so internal sites will be affected as well.

Non browser things usually don’t care even if cert is expired or trusted.

So I expect people still to use WebPKI for internal sites.

akerl_
The browser policies are set by the same entities doing the CAB voting, and basically every prior change around WebPKI has only been enforced by browsers for CAs in the browser root trust stores. Which is exactly what's defined in this CAB vote as well.

Why would browsers "most likely" enforce this change for internal CAs as well?

ryao
Why would they? The old certificates will expire and the new ones will have short lifespans. Web browsers do not need to do anything.

That said, it would be really nice if they supported DANE so that websites do not need CAs.

nickf
'Most likely' - with the exception of Apple enforcing 825-day maximum for private/internal CAs, this change isn't going to affect those internal certificates.
jiggawatts
I just got a flashback to trying to automate the certificate issuance process for some ESRI ArcGIS product that used an RPC configuration API over HTTPS to change the certificate.

So yes, you had to first ignore the invalid self-signed certificate while using HTTPS with a client tool that really, really didn't want to ignore the validity issue, then upload a valid certificate, restart the service... which would terminate the HTTPS connection with an error breaking your script in a different not-fun way, and then reconnect... at some unspecified time later to continue the configuration.

Fun times...

rsstack
> I've seen most of them moving to internally signed certs

Isn't this a good default? No network access, no need for a public certificate, no need for a certificate that might be mistakenly trusted by a public (non-malicious) device, no need for a public log for the issued certificate.

pavon
Yes, but it is a lot more work to run an internal CA and distribute that CA cert to all the corporate clients. In the past getting a public wildcard cert was the path of least resistance for internal sites - no network access needed, and you aren't leaking much info into the public log. That is changing now, and like you said it is probably a change for the better.
pkaye
What about something like step-ca? I got the free version working easily on my home network.

https://smallstep.com/docs/step-ca/

simiones
Not everything that's easy to do on a home network is easy to do on a corporate network. The biggest problem with corporate CAs is how to emit new certificates for a new device in a secure way, a problem which simply doesn't exist on a home network where you have one or at most a handful of people needing new certs to be emitted.
bravetraveler
> A lot more work

'ipa-client-install' for those so motivated. Certificates are literally one among many things part of your domain services.

If you're at the scale past what IPA/your domain can manage, well, c'est la vie.

Spivak
I think you're being generous if you think the average "cloud native" company is joining their servers to a domain at all. They've certainly fallen out of fashion in favor of the servers being dumb and user access being mediated by an outside system.
bravetraveler
Why not? The actual clouds do.

I think folks are being facetious wanting more for 'free'. The solutions have been available for literal decades, I was deliberate in my choice.

Not the average, certainly the majority where I've worked. There are at least two well-known Clouds that enroll their hypervisors to a domain. I'll let you guess which.

My point is, the difficulty is chosen... and 'No choice is a choice'. I don't care which, that's not my concern. The domain is one of those external things you can choose. Not just some VC toy. I won't stop you.

The devices are already managed; you've deployed them to your fleet.

No need to be so generous to their feigned incompetence. Want an internal CA? Managing that's the price. Good news: they buy!

Don't complain to me about 'your' choices. Self-selected problem if I've heard one.

Aside from all of this, if your org is being hung up on enrollment... I'm not sure you're ready for key management. Or the other work being a CA actually requires.

Yes, it's more work. Such is life and adding requirements. Trends - again, for decades - show organizations are generally able to manage with something.

Literal Clouds do this, why can't 'you'?

2 More Comments →
maccard
I’ve unfortunately seen the opposite - internal apps are now back to being deployed over VPN and HTTP
tomjen3
I would love to do that for my homelab, but not all docker containers trust root certs from the system so getting it right would have been a bigger challenge than dns hacking to get a valid certificate for something that can’t be accessed from outside the network.

I am not willing to give credentials to alter my dns to a program. A security issue there would be too much risk.

xienze
> but internal services with have internal CA signed certs with long expire times because of the number of crappy apps that make using certs a pain in the ass.

Introduce them to the idea of having something like Caddy sit in front of apps solely for the purpose of doing TLS termination... Caddy et al can update the certs automatically.

pixl97 OP
Unless they are web/tech companies they aren't doing that. Banks, finance, large manufacturing are all terminating at F5's and AVI's. I'm pretty sure those update certs just fine, but it's not really what I do these days so I don't have a direct answer.
xienze
Sure. The point is, don't bother letting the apps themselves do TLS termination. Too much work that's better handled by something else.
hedora
Also, moving termination off the endpoint server makes it much easier for three letter agencies to intercept + log.
qmarchi
Most responsible orgs do TLS termination on the public side of a connection, but will still make a backend connection protected by TLS, just with a internal CA.
tikkabhuna
F5s don't support ACME, which has been a pain for us.
cpach
It might be possible to run an ACME client on another host in your environment. (IMHO, the DNS-01 challenge is very useful for this.) Then you can (probably) transfer the cert+key to BIG IP, and activate it, via the REST API.

I haven’t used BIG IP in a long while, so take this with a grain of salt, but it seems to me that it might not be impossible to get something going – despite the fact that BIG IP itself doesn’t have native support for ACME.

Two pointers that might be of interest:

https://community.f5.com/discussions/technicalforum/upload-l...

https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_sys_cry...

dijit
Sounds suspiciously similar to a rube goldberg machine.

Those tend to be quite brittle in reality. What’s the old adage about engineering vs architecture again?

Something like this I think: https://www.reddit.com/r/PeterExplainsTheJoke/comments/16141...

cpach
Obviously it would be much better if BIG IP had native support for ACME. And F5 might implement it some day, but I wouldn’t hold my breath.

For some companies, it might be worth it to throw away a $100000 device and buy something better. For others it might not be worth it.

xorcist
F5 sells expensive boxes intended for larger installations where you can afford not to do ACME in the external facing systems.

Giving the TLS endpoint itself the authority to manage certificates kind of weakens the usefulness of rotating certificates in the first place. You probably don't let your external facing authoritative DNS servers near zone key material, so there's no reason to let the external load balancers rotate certificates.

Where I have used F5 there was never any problem letting the backend configuration system do the rotation and upload of certificates together with every other piece of configuration that is needed for day to day operations.

EvanAnderson
Exactly. According to posters here you should just throw them away and buy hardware from a vendor who does. >sigh<

Don't expect firmware / software updates to enable ACME-type functionality for tons of gear. At best it'll be treated as an excuse by vendors to make Customers forklift and replace otherwise working gear.

Corporate hardware lifecycles are longer than the proposed timeline for these changes. This feels like an ill thought-out initiative by bureaucrats working in companies who build their own infrastructure (in their white towers). Meanwhile, we plebs who work in less-than-Fortune 500 companies stuck with off-the-shelf solutions will be forced to suffer.

JackSlateur
F5 is the pain.
cryptonym
You now have to build and self-shot a complete CA/PKI.

Or request a certificate over the public internet, for an internal service. Your hostname must be exposed to the web and will be publicly visible in transparency reports.

mox1
Companies have software to manage this for you. We utilize https://www.cyberark.com/products/machine-identity-security/
stackskipton
You could always ask for wildcard for internal subdomain and use that instead so you will leak your internal FQDN but not individual hosts.
pixl97 OP
I'm pretty sure every bank will auto fail wildcard certs these days, at least the ones I've worked with.

Key loss on one of those is like a takeover of an entire chunk of hostnames. Really opens you up.

JoshTriplett
> Or request a certificate over the public internet, for an internal service. Your hostname must be exposed to the web and will be publicly visible in transparency reports.

That doesn't seem like the end of the world. It means you shouldn't have `secret-plans-for-world-takeover.example.com`, but it's already the case that secret projects should use opaque codenames. Most internal domain names would not actually leak any information of value.

lokar
I’ve always felt a major benefit of an internal CA is making it easy to have very sort TTLs
SoftTalker
Or very long ones. I often generate 10 year certs because then I don't have to worry about renewing them for the lifetime of the hardware.
lokar
In a production environment with customer data?
SoftTalker
No for internal stuff.
formerly_proven
I'm surprised there is no authorization-certificate-based challenge type for ACME yet. That would make ACME practical to use in microsegmented networks.

The closest thing is maybe described (but not shown) in these posts: https://blog.daknob.net/workload-mtls-with-acme/ https://blog.daknob.net/acme-end-user-client-certificates/

benburkert
It's 100% possible today to get certs in segmented networks without a new ACME challenge type: https://anchor.dev/docs/public-certs/acme-relay

(disclamer: i'm a founder at anchor.dev)

webprofusion
Does your hosted service know the private keys or are they all on the client?
benburkert
No, they stay on the client, our service only has access to the CSR. From our docs:

> The CSR relayed through Anchor does not contain secret information. Anchor never sees the private key material for your certificates.

bigp3t3
I'd set that up the second it becomes available if it were a standard protocol. Just went through setting up internal certs on my switches -- it was a chore to say the least! With a Cert Template on our internal CA (windows), at least we can automate things well enough!
formerly_proven
Yeah it's almost weird it doesn't seem to exist, at least publicly. My megacorp created their own protocol for this purpose (though it might actually predate ACME, I'm not sure), and a bunch of in-house people and suppliers created the necessary middlewares to integrate it into stuff like cert-manager and such (basically everything that needs a TLS certificate and is deployed more than thrice). I imagine many larger companies have very similar things, with the only material difference being different organizational OIDs for the proprietary extension fields (I found it quite cute when I learned that the corp created a very neat subtree beneath its organization OID).
Pxtl
At this point I wish we could just get all our clients to say "self-signed is fine if you're connecting to a .LOCAL domain name". https is intrinsically useful over raw http, but the overhead of setting up centralized certs for non-public domains is just dumb.

Give us a big global *.local cert we can all cheat with, so I don't have to blast my credentials in the clear when I log into my router's admin page.

shlant
this is exactly what I do because mongo and TLS is enough of a headache. I am not dealing with rotating certificates regularly on top of that for endpoints not exposed to the internet.
SoftTalker
Yep letsencrypt is great for public-facing web servers but for stuff that isn't a web server or doesn't allow outside queries none of that "easy" automation works.
procaryote
Acme dns challenge works for things that aren't webservers.

For the other case perhaps renew the cert at a host allowed to do outside queries for the dns challenge and find some acceptable automated way to propagate an updated cert to the host that isn't allowed outside queries.

Yeroc
Last time I checked there's no standardized API/protocol to deal with populating the required TXT records on the DNS side. This is all fine if you've out-sourced your DNS services to one of the big players with a supported API but if you're running your own DNS services then doing automation against that is likely not going to be so easy!
icedchai
I run my own DNS servers (BIND 9.x) and use an rfc2136 plugin to handle TXT records. It works fine. See https://cert-manager.io/docs/configuration/acme/dns01/rfc213...
procaryote
One pretty easy way to do it while running your own DNS is to put the zone files, or some input that you can build to zone files, in version control.

There are lots of systems that allow you to set rules for what is required to merge a PR, so if you want "the tests pass, it's a TXT record, the author is whitelisted to change that record" or something, it's very achievable

SoftTalker
I don't have an API or any permission to add TXT records to my DNS. That's a support ticket and has about a 24-hour turnaround best case.
Yeroc
I was just digging into this a bit and discovered ACME supports a something called DNS alias mode (https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...) which allows you to add a static DNS TXT record on your core domain that delegates to a second domain. This would allow you to setup a second domain with DNS API (if permitted by company policy!)
immibis
Is this just because your DNS is with some provider, or is it something that leads from your organizational structure?

If it's just because your DNS is at a provider, you should be aware that it's possible to self-host DNS.

2 More Comments →
JackSlateur
You have people paid to create DNS records ? Haha
4 More Comments →
procaryote
That's not great, sorry to hear
bsder
And may the devil help you if you do something wrong and accidentally trip LetsEncrypt's rate limiting.

You can do nothing except twiddle your thumbs while it times out and that may take a couple of days.

JackSlateur
Haa, yes ! We have that, too ! Accepted warning in browsers ! curl -k ! verify=False ! Glorious future to the hacking industry !

This item has no comments currently.