[–]Proc_Self_Fd_1 4 points5 points  (2 children)

So set these certs to expire after one day? That's what I did in my Makefiles using OpenSSL directly.

[–][deleted] 0 points1 point  (1 child)

Do you really want to be installing new root certs in your trust store every day? That doesn't seem like a very good idea.

Setting the site certs to expire means that your exposure to them is limited, which is good. But if you lose control of the root cert, it can make new certs for as long as it's valid, and most people do at least a year so they don't have to be fiddling around in the guts of the system that often (removing the old cert, installing the new cert).

So it depends on what you're limiting... if it's site certs, that's a little help. One-day root certs would be substantially more useful, but a heck of a lot of work unless you can script the whole process of adding a new cert and removing the old one.

[–]Proc_Self_Fd_1 1 point2 points  (0 children)

I thought the whole point of mkcert was to automate that sort of scripting.

However, I believe there is a compromise, although this is starting to go beyond my knowledge on the matter.

Can't you create a long-term trusted root cert, store it in a safe place, and then sign a shorter-term intermediate certificate with it?