[CentOS] Certificates

Sat Sep 1 10:51:48 UTC 2018
Pete Biggs <pete at biggs.org.uk>

> 
> And for other services like IMAP, SMTP, LDAP (maybe not LDAP) constant 
> changing certs even with a long lived root may get old for your customers.

Why? I have corporate systems on 2 year commercial CA signed
certificates and personal servers on 90 day LetsEncrypt ones - my users
of IMAP and SMTP have never ever noticed when I changed the
certificates on any device. They certificates all have trusted CAs so
the clients trust them without any interaction.  Even I don't notice
when certbot renews my certificates.

> 
> Unfortunately, there has never been an effective business model for 
> small customers.

The problem is one of trust - in the past even significant CAs have had
their signing keys leaked, so it's difficult for the root CAs to trust
a company who deals with SMEs with cut price signing (the
infrastructure has a significant cost, so they must be cutting corners
somewhere!).

That was until LetsEncrypt comes along - it has the backing of some big
names and *IS* an effective business model for small and private
customers.

P.