
> It blows my mind they didn’t have sane PKI with that many resources. It seems like even the “small” initial team of a couple devs, a manager, and a director would’ve at least spun up a vault instance to use as a CA.

Not mine. In-house CA management is a true PITA; even multiple-thousand-people companies regularly fuck this up. I have experienced hours of outage because someone failed to renew the certificate for one of the thousands of pieces making up a Cisco network environment, and don't get me started on the drama that is root CA certificate rollover. I experienced this in three companies and nowhere was it painless...




I have seen this more than a couple times, at big places with resources to manage it. Is it just me or does the TLS and PKI tooling just seem weak? I keep thinking there should be some badass tool that helps manage this sort of thing, is there something I don’t know about?


It's not just the tooling that's weak, it's also terminology and education. If you're not dabbling in crypto occasionally, half the OpenSSL manual and 100% of its codebase will be like hieroglyphs... leading to the fact that most organizations put the operation of their PKI to the one person who can successfully manage to get a working HTTPS cert after copy-pasting shit from Stack Overflow and wrangling with the validation tool of their certificate vendor.

What also really bothers me is that there is no way that (assuming I own the domain example.com) I can get a certificate that allows me to sign resources below example.com and that are verifiable by clients without messing around with the system root trust store - and then, many pieces of software carry their OWN trust store totally independent from the OS one (especially Java, it's a true pain in the ass every two years to update that keystore so that LDAPS works again)...



