
24 May 2025, 2:48 a.m.
Once upon a time, Grant Taylor via NANOG <nanog@lists.nanog.org> said:
> Solution 2 (or worse if private CA) involves additional configuration, additional complexity, additional certificates & keys to secure, and additional things to break.
If you have such a complicated multi-server setup that includes a need to encrypt your internal traffic, you should definitely be using some configuration management system to make sure you have all the encryption set correctly... at which point another cert is a trivial amount of effort.

--
Chris Adams <cma@cmadams.net>