How do you manage the distribution of internal TLS network certificates? I’m using cert-manager to generate them, but the root self-signed certificate expires monthly which makes distribution to devices outside of K8s a challenge. It’s a PITA to keep doing this for the tablet, laptop and phones. I can bump the root cert to a year, but I’m concerned that the date will sneak up on me. Are there any automated solutions?
Some of my internal stuff goes out to Let’s Encrypt, so I don’t worry about it at all. My internal AD stuff is set for like three years. If anyone has compromised the CA, they’re already past where issuing malicious certs would be useful.
I would up your root cert expiration. You can keep the root CA offline if you’re concerned about compromise.
There are also ways to run LE-style automatic renewals internally, but I’ve never bothered because what I’ve described above means I don’t need it.