
On Fri, May 23, 2025, 21:14 Grant Taylor via NANOG <nanog@lists.nanog.org> wrote:
(SNIP)
> If you have multiple servers on the Internet that MUST use a public CA for various unassociated clients to trust the certificate and you want to leverage a certificate for communications between the two servers, then Occam's Razor / Parsimony would state that you use the simpler / one solution.
>
> Solution 1 is to have and re-use the existing certificates that you must have from a single public CA.

Mixing public and private communication under a single resource is poor practice. Using a public CA as a trust authority for private resources using mTLS auth offers no segregation nor least-access and relies wholly on individual identity checking. Better hope you didn't typo that regex!

> Solution 2 is to have and use two separate certificate & key pairs, each from a different CA, one public and the other private.

Technically they *can* have the same private key... the CA just signs a CSR generated by a key. BUT that aside, this is the objectively correct approach. Under no circumstance should one use a public CA for verifying client certificates.

Occam's Razor is for explaining phenomena. Taking the simplest approach for *security design* with no regard for ramifications has a different term applied: "lazy"[0].

[0] Or "low-hanging fruit", depending on if you're blue or red I suppose.
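An added illustration, not part of the original message: this Python sketch models the two designs discussed in the thread, showing how a mistyped identity regex is the only barrier when a public CA is the client trust anchor, while a private trust anchor still rejects the same peer. Chain validation is reduced to an issuer-name lookup, and every CA name, hostname and pattern is constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class PeerCert:
    issuer: str       # CA that signed the cert (real chain validation is only modelled here)
    dns_names: tuple  # subjectAltName dNSName entries

# Constructed sample data; all names are hypothetical.
PUBLIC_CA = "Example Public CA"
PRIVATE_CA = "Corp Internal mTLS CA"

# The "typo": dots left unescaped and no anchoring, applied with search().
SLOPPY = re.compile(r"backend[0-9]+.corp.example")
# Escaped dots, applied with fullmatch().
STRICT = re.compile(r"backend[0-9]+\.corp\.example")

def chain_ok(cert, trust_anchors):
    """Stand-in for path validation: is the issuer one of our trust anchors?"""
    return cert.issuer in trust_anchors

def identity_ok(cert, pattern, anchored):
    """Per-peer identity check against the SAN entries."""
    match = pattern.fullmatch if anchored else pattern.search
    return any(match(name) is not None for name in cert.dns_names)

def accept(cert, trust_anchors, pattern, anchored):
    """A peer is accepted only if both the chain and the identity check pass."""
    return chain_ok(cert, trust_anchors) and identity_ok(cert, pattern, anchored)

# Our own backend, holding one cert from each CA (the two-certificate design).
OURS_PUBLIC = PeerCert(PUBLIC_CA, ("backend1.corp.example",))
OURS_PRIVATE = PeerCert(PRIVATE_CA, ("backend1.corp.example",))
# An unrelated party with a valid public cert for a name it legitimately controls.
UNRELATED = PeerCert(PUBLIC_CA, ("backend1.corp.example.unrelated.test",))

def evaluate():
    """Outcome of each design against the unrelated peer and our own peer."""
    return {
        "public_ca_sloppy_regex": accept(UNRELATED, {PUBLIC_CA}, SLOPPY, False),
        "public_ca_strict_regex": accept(UNRELATED, {PUBLIC_CA}, STRICT, True),
        "private_ca_sloppy_regex": accept(UNRELATED, {PRIVATE_CA}, SLOPPY, False),
        "own_peer_public_design": accept(OURS_PUBLIC, {PUBLIC_CA}, STRICT, True),
        "own_peer_private_design": accept(OURS_PRIVATE, {PRIVATE_CA}, SLOPPY, False),
    }

if __name__ == "__main__":
    for case, accepted in evaluate().items():
        print(f"{case}: {'ACCEPT' if accepted else 'REJECT'}")
```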