[talk] SSL certificates

Mike Burns mike+nycbug at mike-burns.com
Tue Sep 12 13:47:06 EDT 2017

On 2017-09-12 17.10.35 +0000, Mark Saad wrote:
> On 09/12/2017 07:38, Michael W. Lucas wrote:
> > Out of curiosity: any real-world reason not to do Let's Encrypt?
> >
> This is a commercial setup, from what I remember LE is for
> non-commercial setups.

Let's Encrypt is for all domain names.


> Also I need to get two wild cards - one for *.mydomain.xxx and
> *.yyy.mydomain.xxx and I don't think LE can do the latter.

This is true: it does not support wildcard certs. Instead it offers a
way to programmatically generate a cert instantly. So instead of using a
wildcard, you could generate the certs for every subdomain, on demand,
from a script.

I'm curious -- is there a case where wildcard TLS certs are needed in
the face of instant, programmatic certs?

LE does not offer EV certs. If you need that, LE cannot help.


It's worth noting that OpenBSD ships with acme-client(1). It has
additional limitations due to programmer time.


