
On 5/23/25 9:48 PM, Chris Adams via NANOG wrote:
> If you have such a complicated multi-server setup that includes a need to encrypt your internal traffic, you should definitely be using some configuration management system to make sure you have all the encryption set correctly

The tooling used (or not) is orthogonal to the discussion at hand.

> at which point another cert is a trivial amount of effort.

The tooling doesn't alter the need for a second certificate & key. Nor does the tooling speak to the added complexity / risks of a private CA.

Sometimes multi-server can be as few as two or three servers. And there's no guarantee that they are the same OS or otherwise use the same configuration. So ... configuration management becomes even more overhead.

-- 
Grant. . . .