The article argues against using self-signed certificates for internal services by advocating for 'split-horizon DNS' combined with public Certificate Authorities like Let's Encrypt. It suggests that while this approach requires configuring a Web Application Firewall (WAF) to restrict access to VPN users, it is more secure and manageable than distributing self-signed certificates to all clients.
Background
Internal services often struggle with certificate management, leading many to use self-signed certs or insecure workarounds. This post presents a best-practice architecture for securing internal traffic without compromising on certificate trust.
- Source
- hackernews
- Published
- Jul 9, 2026 at 10:57 PM
- Score
- 5.0 / 10