On 28/06/2023 12:14 pm, Quanah Gibson-Mount wrote:
> We use a public CA for the TLS sessions, and a private CA for SASL/EXTERNAL. We run our own PKI on the AD side of things too. Using a public CA for client certs seems very odd to me.
We also use a mix of Public-Purchased, Public-Free and Private certs. The LDAP clients are a handful of machines with normal machine certs that are public-free certs for various reasons. These are short-dated certs that get updated frequently and automatically. With all that machinery in place, it seems crazy to introduce yet another CA into the mix. Running the proxy is not that big a deal.
I think, as the use of Public-free CAs catches on, and people realize that these certs can be used on private networks, this use case will only grow.