Use of a CA (private CA would be my thought in this case) gives you greater ability to manage certs without needing to manually revoke and the ability to verify authenticity. You’re already doing most of the work to run a private CA, TBH. Just, instead of signing from the machine, you add your private CA’s intermediate cert to the trusted CAs on your hosts, and generate CSRs on your new hosts for your CA to sign.
Signing from the machine that uses a cert gives it greater authority and increases the “blast radius” if it gets compromised.
I do have a private ca service running on an internal ec2 instance, but all the AWS workspaces broker checks is if the device cert being passed by the thinclient was signed by one of the two signing certs you’ve loaded into the service, so the private ca itself still doesn’t manage revocation in this case.
I do appreciate the suggestion. My main goal in sharing this use case was to show folks that there are many places certificate are used that let’s encrypt isn’t geared up to solve. Other examples are things like signing Microsoft API requests, etc.
Use of a CA (private CA would be my thought in this case) gives you greater ability to manage certs without needing to manually revoke and the ability to verify authenticity. You’re already doing most of the work to run a private CA, TBH. Just, instead of signing from the machine, you add your private CA’s intermediate cert to the trusted CAs on your hosts, and generate CSRs on your new hosts for your CA to sign.
Signing from the machine that uses a cert gives it greater authority and increases the “blast radius” if it gets compromised.
I do have a private ca service running on an internal ec2 instance, but all the AWS workspaces broker checks is if the device cert being passed by the thinclient was signed by one of the two signing certs you’ve loaded into the service, so the private ca itself still doesn’t manage revocation in this case.
I do appreciate the suggestion. My main goal in sharing this use case was to show folks that there are many places certificate are used that let’s encrypt isn’t geared up to solve. Other examples are things like signing Microsoft API requests, etc.
Anyway, have a great day!
Oh fun. Thanks for sharing! Have a great day, yourself!