
On 5/22/25 2:58 PM, John Levine via NANOG wrote:
> If the entities know who each other are, why do you and they need a public CA?

Occam's Razor / Parsimony.

> It is my impression that the normal way to manage client certs is for the organization that runs the servers to sign and distribute certs to the clients. This isn't new.

If you have multiple servers on the Internet that MUST use a public CA for various unassociated clients to trust the certificate, and you want to leverage a certificate for communications between the two servers, then Occam's Razor / Parsimony would state that you use the simpler / one solution.

Solution 1 is to have and re-use the existing certificates that you must have from a single public CA.

Solution 2 is to have and use two separate certificate & key pairs, each from a different CA, one public and the other private.

-- 
Grant. . . .