On Wed, Jun 19, 2019 at 12:51 PM Bagas Sanjaya wrote:

> Unlike LE, we (debian.org) have to create Certificate Signing Requests (CSR) which will be sent to those CA.

As a member of the Debian sysadmin team I can tell you that this is never going to happen. Manually doing TLS is way too much work when you have hundreds of subdomains and a terrible idea and we will never go back to doing it.

> EV certificates can be useful for large organizations like Debian.

EV certificates are becoming less useful over time, they are probably a waste of money now: https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

> would commercial SSL/TLS make sense for debian.org website?

No.

> Manually doing TLS is way too much work when you have hundreds of subdomains and a terrible idea and we will never go back to doing it.

It can be prevented by using wildcard certificates, which are valid for all subdomains of a site (e.g. subdomain.mydomain.me but not subdomain.subdomain.mydomain.me). In wildcard certificates, *.mydomain.me is used as the Subject Alternative Name (SAN).

> > would commercial SSL/TLS make sense for debian.org website?
>
> No.

Why did you say that? In fact, the Ubuntu and RedHat websites use certificates from DigiCert.
If debian.org (www.d.o) also uses a DigiCert (DC) certificate, it
would make sense to use a wildcard certificate without EV as you
stated in the reply. BTW, because the DC site is probably down for
now, I can't post here about certificate pricing.
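
The wildcard scope mentioned in the message above (one label deep, so subdomain.mydomain.me but not subdomain.subdomain.mydomain.me), as an added example that is not part of the original thread. It follows the common RFC 6125-style rules; the function names are hypothetical, the hostnames are constructed, and the three-label minimum is a simplification standing in for a real public-suffix check.

```python
# Added example: which hostnames a dNSName SAN entry such as *.mydomain.me covers.
# Simplified RFC 6125-style matching; not code from the thread or from Debian.

def _labels(name):
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """Return True if one SAN dNSName entry covers the given hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Only a whole leftmost label may be a wildcard, and it must sit
        # under at least two fixed labels (assumption: crude stand-in for
        # a public-suffix check, so "*.me" is rejected).
        if len(p) < 3 or any("*" in label for label in p[1:]):
            return False
        return p[1:] == h[1:]
    # Partial ("w*.x") or non-leftmost wildcards are not honoured here.
    if any("*" in label for label in p):
        return False
    return p == h

def covered(sans, hostname):
    """Return True if any SAN entry on the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in sans)

if __name__ == "__main__":
    sans = ["*.mydomain.me"]  # constructed SAN list
    for host in ("subdomain.mydomain.me",
                 "subdomain.subdomain.mydomain.me",
                 "mydomain.me"):
        print(host, covered(sans, host))
```

The bare domain is not covered by the wildcard entry, which is why a wildcard certificate usually lists both mydomain.me and *.mydomain.me as SANs.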