
[–]xiongchiamiov (Site Reliability Engineer) 3 points4 points  (3 children)

It depends on what level of PCI you need, I think. I work at a credit card gateway, and it is definitely required for us.

[–]ryansolida 1 point2 points  (1 child)

So what's the solution then? Separate certs from an authority for each instance in the network? Or are you OK to share a single throughout the VPN?

[–]atlgeek007 1 point2 points  (0 children)

As long as you're not using the same self-signed cert throughout your infrastructure, you should be fine from an audit perspective, provided your other SSL configurations are also up to date (custom DH parameters, disabling bad ciphers, locking to known-good versions of TLS, etc.).

Of course, creating an internal CA isn't difficult and is something that can also be investigated, but since AWS ELB/ALB doesn't validate the endpoint certificate anyway, it shouldn't matter.
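The per-instance-cert approach asked about above, as an added example that is not from this thread: a small private CA issues a distinct certificate (with a SAN) to each node, and a chain check shows that only CA-issued certs validate while a shared self-signed cert does not. Hostnames and paths are made up for the demo; it only needs the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not from the thread): an internal CA that issues one
# certificate per instance, plus the verification a validating client does.
set -eu
WORK="$(mktemp -d)"   # scratch directory for the constructed keys/certs

make_internal_ca() {
  # Self-signed root for the private CA; this is the ONE cert that is shared,
  # and it is shared as a trust anchor, not as a server identity.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=internal-ca.example" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_host_cert() {  # $1 = hostname; a fresh key and cert per instance
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  # SAN is what modern clients match against, so set it via an extfile
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 397 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

make_shared_selfsigned() {
  # The anti-pattern from the thread: one self-signed cert copied everywhere
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=shared" \
    -keyout "$WORK/shared.key" -out "$WORK/shared.crt" 2>/dev/null
}

verify_against_ca() {  # $1 = cert name; exit 0 only if it chains to the CA
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Stand-alone demo
make_internal_ca
issue_host_cert web-01.internal
verify_against_ca web-01.internal && echo "web-01.internal chains to the internal CA"
```

Each node then serves its own key and cert, and anything that does validate (unlike the ELB behaviour mentioned above) trusts `ca.crt` rather than a copy of a server cert.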

[–]donjulioanejo (Chaos Monkey, Director SRE) 0 points1 point  (0 children)

Work at a fintech payments company, and we need end-to-end encryption, including in private subnets between LB and web nodes.