Comment by lxgr 2 days ago

It really is only for bad practical reasons that all coincidentally make it harder and harder to self-host stuff locally without paying a few dollars a month or year here and there to various rent seekers.

"Just use Letsencrypt" really is the correct answer for 99% of use cases, but good luck if you find yourself with one from the 1%. You'll get an army of people mindlessly parroting "best practices" who will assume you're incompetent/lazy if you can't find a way to make them work for you.

User11110 2 days ago

Internal CAs and self-signed certificates are different. You can still generate a CA, sign your certificates, import your own CA into your phone and have that verify your certificates. You don't need Letsencrypt. But you'll learn in time.

  • lxgr 2 days ago

    Thanks for the condescension, but I know how to do all of this. I've done it before. And because of that, I can attest first-hand that it's way too complicated.

    No non-sophisticated user is able to run their own local CA, and that's why their NAS, IoT setup etc. all run over HTTP only, which in turn has implications for available web APIs (thanks to "secure origin only" policies and no exemption for local IPs/zeroconf domains) and many other things.

    It also doesn't work for at least modern Android apps, since Android no longer makes user-provided CA certificates available to (non-browser) apps, I believe, unless they're compiled with a special debugging parameter. On iOS it's still possible, but I'm not sure how long it's going to stay that way.

  • digitalPhonix a day ago

    How? An internal CA is just a self-signed certificate that you’ve told your device to trust; and to trust other certificates signed by it.

    Somewhere you still need to trust a self-signed certificate.

    • cpach a day ago

      You can guard the root certificate better than the leaf certificate. For example, you can keep it offline in an air-gapped environment.