• lemmyvore@feddit.nl
    4 months ago

    As opposed to what, the domain certificate? Which can’t be air-gapped because it needs to be used by services and reverse proxies.

    • BestBouclettes@jlai.lu
      4 months ago

      The domain certificate is public and its key is private? That’s basically it: if anyone gets access to your key, they can sign with your name and generate certificates without your knowledge. That’s my opinion and the main reason why I wouldn’t have a self-hosted CA. Maybe I’m wrong or misled, but it’s a lot of work to ensure everything is safe, only for a self-hosted setup.