undefined | Better HN

0 pointsMikeHardman5y ago0 comments

You can do wildcard certs with LE, I run hundreds of k8s services all secured with LE and wildcard certs.

0 comments

We're talking about customer hardware. If someone looks at the insides of the device and finds, of course, the private key for your one shared wildcard certificate, the issuer is required to invalidate it immediately.

lvh5y ago

You can, but that wouldn't quite work for the prosumer router manufacturer case the OP mentioned: LE would revoke the cert once you distributed it.

AdamJacobMuller5y ago

You can, but, you can't (by policy) distribute keys across multiple customers.

tgsovlerkhgsel5y ago

I have a nasty habit of requesting revocation of such compromised keys whenever I find them. CAs are required to revoke within 24 hours, I think, though unfortunately revocation is surprisingly ineffective.

AdamJacobMuller5y ago

Do you actually find those often? I've actually never seen one. I will admit I've also never specifically looked very hard.

tgsovlerkhgsel5y ago

I'd say one every couple of years.

https://letsencrypt.org/docs/certificates-for-localhost/ has great documentation on that topic, including more examples.

j / k navigate · click thread line to collapse

0 comments

stefan_5y ago

lvh5y ago

You can, but that wouldn't quite work for the prosumer router manufacturer case the OP mentioned: LE would revoke the cert once you distributed it.

AdamJacobMuller5y ago

You can, but, you can't (by policy) distribute keys across multiple customers.

tgsovlerkhgsel5y ago

AdamJacobMuller5y ago

Do you actually find those often? I've actually never seen one. I will admit I've also never specifically looked very hard.

tgsovlerkhgsel5y ago

I'd say one every couple of years.

https://letsencrypt.org/docs/certificates-for-localhost/ has great documentation on that topic, including more examples.

j / k navigate · click thread line to collapse