[talk] SSL certificates

Mike Burns mike+nycbug at mike-burns.com
Tue Sep 12 13:47:06 EDT 2017


On 2017-09-12 17.10.35 +0000, Mark Saad wrote:
> On 09/12/2017 07:38, Michael W. Lucas wrote:
> > Out of curiosity: any real-world reason not to do Let's Encrypt?
> >
> This is a commercial setup, from what I remember LE is for
> non-commercial setups.

Let's Encrypt is for all domain names.

https://community.letsencrypt.org/t/are-they-limitations-on-who-can-use-lets-encrypt/687

> Also I need to get two wild cards - one for *.mydomain.xxx and
> *.yyy.mydomain.xxx and I dont think LE can do the latter. 

This is true: it does not support wildcard certs. Instead it offers a
way to programmatically generate a cert instantly. So instead of using a
wildcard, you could generate the certs for every subdomain, on demand,
from a script.

I'm curious -- is there a case where wildcard TLS certs are needed in
the face of instant, programmatic certs?

LE does not offer EV certs. If you need that, LE cannot help.

---

It's worth noting that OpenBSD ships with acme-client(1). It has
additional limitations due to programmer time.

-Mike




More information about the talk mailing list