Looks like Let's Encrypt is going to start offering free wildcard certs in Jan 2018: "Wildcard Certificates Coming January 2018" (Let's Encrypt - Free SSL/TLS Certificates)
certutil -A -n "my cert nickname" -t "CT,C,C" -i /path/to/CAcert.crt -d /path/to/users/profile/
I work in A Large Company (>25,000 users), the vast majority of which is catered for by using group policy to distribute the CA certs (we have about 8 or 9 CAs plus 10 or 12 sub-CAs) since 98% of our estate uses Windows GPO, 5% uses some custom scripting into the OS cert store (mostly our Linux kit) and 12% goes into app-specific cert stores by way of either custom scripting or manual imports (depending on the politics involved)... but even all that proprietary stuff can be dodged fairly easily. I use a samba4 AD DC at home for my three Windows clients (all domain-joined), but seriously the hard part is setting up a CA, and it's really not that hard at all. Once you've actually got the CA and the certs, it's basically just a matter of figuring out the one-time commands you'll need to communicate as such.
@EffrafaxOfWug Hm yeah. It's likely way less clients than devices ...
Still makes me wonder how that's supposed to work in large companies... proprietary tools for the masses & risk acceptance for the few, I suppose, if I look at the one where I am at atm
It's waaaay less hard than you think. Distros like pfSense already provide this functionality out of the box, or it's a doddle to do yourself.
I often thought that there is a way to piecemeal it all together, but as this post shows there isn't....
openssl req -config mycustomCA.openssl.cnf -new -x509 -extensions v3_ca -keyout private/mycustomCA.key -out certs/mycustomCACA.crt -days 3650
openssl ca -config mycustomCA.openssl.cnf -policy policy_anything -days 730 -out certs/somehost.homedomain.local.crt -infiles requests/somehost.homedomain.local.csr
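The two openssl commands above depend on a mycustomCA.openssl.cnf that the thread never shows. As an added example (not the poster's configuration), this shell function writes a minimal config and runs the same sequence end to end, then verifies the chain and the host name; the directory layout, the "Example Home CA" subject, the v3_host section and the unencrypted keys are assumptions chosen so it runs unattended. Call it as `make_home_ca ./myca somehost.homedomain.local`.

```shell
# Added example; every name below (directories, CA subject, host) is constructed.
make_home_ca() {
    mkdir -p "$1" && dir=$(cd "$1" && pwd) && host=$2 || return 1
    mkdir -p "$dir/private" "$dir/certs" "$dir/requests" "$dir/newcerts" || return 1
    chmod 700 "$dir/private"        # keys readable by the owner only
    : > "$dir/index.txt"            # empty certificate database for "openssl ca"
    echo 1000 > "$dir/serial"       # first serial number (hex)
    cnf="$dir/ca.openssl.cnf"
    # Unquoted heredoc: the shell fills in $dir and $host before openssl reads it.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Home CA
[ca]
default_ca = CA_default
[CA_default]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key
default_md = sha256
[policy_anything]
commonName = supplied
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # CA key and self-signed CA cert. -nodes leaves the key unencrypted so this
    # runs unattended; drop it to be prompted for a passphrase.
    openssl req -config "$cnf" -new -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$dir/private/ca.key" -out "$dir/certs/ca.crt" -days 3650 || return 1
    # Host key and CSR.
    openssl req -config "$cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/private/$host.key" -out "$dir/requests/$host.csr" || return 1
    # Sign the CSR with the CA; the SAN comes from [v3_host], not from the CSR.
    openssl ca -config "$cnf" -batch -notext -policy policy_anything -extensions v3_host \
        -days 730 -out "$dir/certs/$host.crt" -infiles "$dir/requests/$host.csr" || return 1
    # Chain must verify against the CA and the SAN must match the host name.
    openssl verify -CAfile "$dir/certs/ca.crt" -verify_hostname "$host" "$dir/certs/$host.crt"
}
```

Only certs/ca.crt is distributed to clients (GPO, OS store or the certutil import shown earlier); private/ca.key stays on the CA host.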