
On Sat, May 17, 2025, 18:23 Colin Constable via NANOG <nanog@lists.nanog.org> wrote:
Is anyone else worried about this? We use public certs for client auth in a number of cases.
https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/
<https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VRKIO6IUCJRLENL7FOHWWQV6UXAS3XGK/>

We just maintain our own internal PKI/trust anchor at $org for mTLS. There are numerous solutions[0] that have evolved that are a fair bit more robust than `openssl(1)` glued together with bash scripts these days.

Running your own PKI with a (or multiple) org-internal CA(s) not only lets you control the KU/EKU etc. of the certs themselves but lets you scope access to anything signed by a given issuer - no futzing with static CN/Subj lists or pattern matching, IP SANs totally fine, not subject to externally-influenced poli(cy|tics), etc.

For public-facing it's of course a little higher barrier of entry, but for intra/infra/internal? Cannot be beat, highly recommend.

[0] Personal recommendation, https://developer.hashicorp.com/vault/docs/secrets/pki or https://openbao.org/docs/secrets/pki/
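As an added illustration of the issuer-scoped mTLS policy the reply describes (example code written for this page, not from the thread, Vault or OpenBao), a self-contained Go program using only crypto/x509: it builds a throwaway internal root CA plus an unrelated second CA, issues node certs with an IP SAN and whatever EKU the issuer grants, and shows the server-side check accepting only chains that end at the internal issuer and carry clientAuth. The CA names, the "node" CN, the 10.0.0.7 SAN and the one-hour lifetimes are all constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl with parent/parentKey; with parent == nil the cert is self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// newCA builds a minimal org-internal root (the CN is a constructed example value).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}
// newLeaf issues a node cert with an IP SAN and exactly the EKU the issuer chooses to grant.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, eku x509.ExtKeyUsage) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "node"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku}, IPAddresses: []net.IP{net.ParseIP("10.0.0.7")}}, ca, caKey)
	return cert
}
// acceptClient is the server-side policy: the chain must end at our issuer and carry clientAuth.
func acceptClient(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
func main() {
	internalCA, internalKey := newCA("internal-ca")
	otherCA, otherKey := newCA("other-ca")
	roots := x509.NewCertPool() // trust anchor holds only our issuer, no public roots at all
	roots.AddCert(internalCA)
	fmt.Println(acceptClient(newLeaf(internalCA, internalKey, x509.ExtKeyUsageClientAuth), roots)) // true
	fmt.Println(acceptClient(newLeaf(otherCA, otherKey, x509.ExtKeyUsageClientAuth), roots))       // false: wrong issuer
	fmt.Println(acceptClient(newLeaf(internalCA, internalKey, x509.ExtKeyUsageServerAuth), roots)) // false: no clientAuth EKU
}
```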