• sugar_in_your_tea
    link
    fedilink
    English
    arrow-up
    3
    ·
    2 months ago

    Why not just autorenew on a schedule?

    I use Lets Encrypt, and my certs get renewed automatically without me thinking about it.

    • thirteene@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      Mostly customer provided certs, high end clients make all kinds of stupid requests like the aforementioned man-in-the-middle chain sniffers, clients that refuse DNS validation, clients that require alternate domains to be updated regularly. Management is fine for mywebsite.com, but how are you solving an EV on the spoofed root prod domain, with an sso cert chain for lower environments on internal traffic that is originally provided by a client? And do you want the cs reps emailing each other your root cert and (mistakingly) the key? I’ve been given since SCARY keys by clueless support engineers. I don’t want to do this every 3 months.

      • sugar_in_your_tea
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        Sounds like a change in company policy, because AFAIK, there’s no good reason for pretty much any of that.

        • thirteene@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          2 months ago

          Sounds like you don’t do contact negotiations, if someone will pay 2 million to appear on their root domain, you’ll sit down and figure it out for a couple hours.

          • sugar_in_your_tea
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            Yes, I don’t, and I would honestly like to understand what use-case these customers are trying to solve. Because there’s a very good chance that they can get their preferred outcomes with a lot less manual work.