by phpisthebest 1218 days ago
> to set up processes which automate renewal.

That is all fine and good for things that have the ability to automate that process; plenty of hardware and devices do not. Some are not even legacy, they are still actively being sold and developed.

It is also not good for internal networks where you cannot validate out to something like Let's Encrypt to automate that validation process. Sure, you could do your own internal PKI and run your own CA for that, but......

In my current org 60 days would be a NIGHTMARE to manage.

2 comments

> It is also not good for internal networks where you cannot validate out to something like Let's Encrypt to automate that validation process. Sure, you could do your own internal PKI and run your own CA for that, but......

Or you can set up certbot or similar on a public-facing server (or something that can add DNS records for your domain), and use a secure channel to send the private keys to the things that need them.

I would like to see more of a push to make setting up an internal CA a lot easier though, because that is probably the most correct way to handle that.

> It is also not good for internal networks where you cannot validate out to something like Let's Encrypt to automate that validation process

Why not? Just use DNS validation.

Yep, I do this for internal names, works great. I've used acme.sh to update the names in a public zone that is isolated from the rest of the zone and has its own unique AWS credentials to update via Route53.
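What the DNS-validation setup in the last few replies actually does under the hood, as an added example that is not code from the thread or from acme.sh/certbot: the RFC 8555 DNS-01 challenge only needs a TXT record under `_acme-challenge.<name>` whose value is derived from the challenge token and the ACME account key, so an internal name can be validated by pointing that label (one CNAME, set once) at a separate public validation zone, and the ACME client's credentials can be scoped to that zone alone. The zone names, the `acme.example.net` validation zone, the hosted zone ID and the exact Route53 actions the client needs are assumptions for illustration; check them against your own client and AWS account.

```python
"""DNS-01 pieces for validating internal names through an isolated public zone.

Added example, not from the thread. Computes the TXT value a CA checks for
DNS-01 (RFC 8555 section 8.4), the CNAME/TXT pair for a delegated validation
zone, and a least-privilege IAM policy for the credentials that write it.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key.

    Only the required public members count, serialized as JSON with keys in
    lexicographic order and no whitespace, then SHA-256 and base64url.
    Extra members such as "kid" or "alg" must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value of the _acme-challenge TXT record.

    keyAuthorization = token '.' thumbprint(accountKey); the DNS-01 record
    carries base64url(SHA-256(keyAuthorization)), not the key authorization
    itself, so the published value reveals nothing about the account key."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_records(name: str, validation_zone: str,
                      token: str, account_jwk: dict) -> dict:
    """Records needed to validate `name` while only ever writing to
    `validation_zone` (assumed layout, matching acme.sh's alias mode).

    The internal/production zone gets a one-time CNAME; the isolated public
    validation zone gets the per-issuance TXT. The CA follows the CNAME."""
    name = name.rstrip(".")
    validation_zone = validation_zone.rstrip(".")
    alias = f"{name}.{validation_zone}"
    return {
        "cname": (f"_acme-challenge.{name}.", f"_acme-challenge.{alias}."),
        "txt": (f"_acme-challenge.{alias}.", dns01_txt_value(token, account_jwk)),
    }


def route53_least_privilege_policy(hosted_zone_id: str) -> dict:
    """IAM policy for the ACME client's own credentials (assumed action list).

    Writes are confined to the validation zone and, via Route53 condition
    keys, to TXT records whose name starts with _acme-challenge. Compromise
    of the renewal host therefore cannot touch production records."""
    zone_arn = f"arn:aws:route53:::hostedzone/{hosted_zone_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:GetChange"],
                "Resource": "*",
            },
            {
                "Effect": "Allow",
                "Action": "route53:ChangeResourceRecordSets",
                "Resource": zone_arn,
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
                    },
                    "ForAllValues:StringLike": {
                        "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                            "_acme-challenge.*"
                        ]
                    },
                },
            },
        ],
    }


if __name__ == "__main__":
    # Constructed sample account key (EC P-256 public JWK) and token.
    sample_jwk = {"kty": "EC", "crv": "P-256",
                  "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                  "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
    recs = challenge_records("app.corp.example.com", "acme.example.net",
                             "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", sample_jwk)
    print("CNAME:", *recs["cname"])
    print("TXT:  ", *recs["txt"])
    print(json.dumps(route53_least_privilege_policy("Z0123456789EXAMPLE"), indent=2))
```

The private keys still have to reach the internal hosts somehow, which is the "secure channel" point made above; the delegation only moves the DNS write access, not the key material.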