by closeparen 2050 days ago
Does anyone in enterprise actually need publicly trusted certificates for documents and email? Seems like it's an inside-the-firewall Exchange server for internal traffic, and a white-label "secure messaging center" portal for external traffic.
2 comments

IdenTrust's business also extends to managing private CAs for companies, which includes managing the HSM and private keys. Also, the companies who hire IdenTrust and similar companies are not that involved in technology. Also, security experts who can manage this safely are a tad harder to find and request higher wages than your standard IT staff.

TLDR: yes, but some companies want another company to manage their certs.

In those cases IdenTrust bought an insane amount of goodwill from some of the most technical people online by supporting Let’s Encrypt.
They also helped basically make it a requirement by allowing Google to flag HTTP pages as insecure and convince the public that it's necessary.
Using a public CA is far better for security than a custom private one. It's a pain having to install the certificate on every client, server, piece of software, etc., and in my experience this inevitably leads to people disabling certificate checking as part of troubleshooting and this being left on. Also, sometimes people need to access documents and emails from home computers, and the company may use some devices on which it isn't possible to install the CA.
So exposing your internal infrastructure to the whole world and risking a 3rd party (CA) turning the keys (literally) to your kingdom to someone else is better than someone making a mistake that’s very easy to discover and correct?

> Also, sometimes people need to access documents and emails from home computers and the company may use some devices on which it isn't possible to install the CA

That’s a plus as far as most security professionals are concerned.

> So exposing your internal infrastructure to the whole world and risking a 3rd party (CA) turning the keys (literally) to your kingdom to someone else is better than someone making a mistake that’s very easy to discover and correct?

That's not how certificates work. The CA doesn't have your private key. They could theoretically sign a fake certificate with your hostname, but that risk is still present if you use a private CA and is mitigated by certificate transparency.

Yes, I should’ve been clearer on that: they sign a cert without your knowledge and hand it to someone performing MITM. How is that risk present when you roll your own PKI and validate against your private CA (or intermediate) only?

Regarding CT I’m not aware of any clients other than browsers actually enforcing that.

Typically an internal CA adds to the certificate trust store rather than replacing it.
Yes, you are correct here (although I’ve seen both methods). At least a 3rd party won’t easily know which hostnames to fake, though.
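The "validate against your private CA only" model argued over above, as an added example (not code from anyone in the thread): two self-signed roots are constructed, a company CA and an unrelated CA, both issue a server certificate for the same hostname, and a client whose root pool holds only the company CA accepts one and rejects the other. All names and hostnames are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs a certificate: a nil parent yields a self-signed CA, otherwise a TLS server leaf under parent.
func mint(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: example code
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root: mark as CA and sign with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server certificate for hostname name, signed by parent
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewCA returns a self-signed private CA (constructed for the example, not a real CA).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) { return mint(name, nil, nil) }

// IssueLeaf has ca sign a server certificate for host.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leaf, _ := mint(host, ca, caKey)
	return leaf
}

// TrustedBy verifies leaf for host against a root pool containing only ca:
// a client pinned to its private CA rejects a same-hostname cert from any other issuer.
func TrustedBy(leaf *x509.Certificate, host string, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

Adding the private root to the pool returned by x509.SystemCertPool() instead of an empty pool gives the "adds to the trust store rather than replacing it" setup from the thread, where a certificate from any publicly trusted CA would also verify.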