but it’s their CA so why would they do that?
I don’t mean them specifically, but that to me managing access to such a CA cert’s keys is security nightmare, because if I somehow get an infection, and it finds the cert file and the private key, it’ll be much easier for it to make itself more persistent than I want it.
But if you don’t trust your own CA what’s the point of having a CA?
That’s the point. I don’t recommend having one. I recommend self signed certs that are
- limited to a lan (sub)domain or a wildcard of it
- you verified by the fingerprint (firefox can show this)
- you only allowed for those of your internal services for the cert was intended
Or if you don’t want to deal with self signed certs, buy a domain and do lets encrypt with the DNS challenge.
That’s also more secure, but can be more of a hassle, though I guess it depends on preference.
But then I would use this latter one too if I had opened any services to the internet, but I didn’t because I don’t need to.
forgot this part
I assume that too, however the person I responded to recommended using a full fledged CA cert.