
auto generate wildcard certificates to make PoC / Quickstart easier #3737

Closed
desimone opened this issue Nov 9, 2022 · 3 comments · Fixed by pomerium/documentation#161
Labels: accepted docs Docs update required

Comments

@desimone
Contributor

desimone commented Nov 9, 2022

Is your feature request related to a problem? Please describe.
Pomerium currently requires a fair bit to get started with, including DNS, certificates, and a domain name, even with the QuickStart.

In an effort to make that quickstarting easier, we created a public domain *.local.pomerium.io that will always point to localhost. That solves the DNS and domain part of the equation. However, we still ask that users generate their own certificates.

Currently, our quick start asks that users generate their own wild card certificates (using mkcert or otherwise) in order to demo / quickstart with pomerium.

https://docs.pomerium.com/docs/install/quickstart

Describe the solution you'd like

We should just ship an embedded self-signed wild-card certificate for * localhost.pomerium.io. This way the user can quickstart with Pomerium without having to worry about setting up certs.

We could even make that certificate an actual browser trusted certificate using something like LetsEncrypt -- but that feels even a bit more dangerous, albeit for a much better user experience (since... users will trust it, at least for ~3 months which should capture the latest release).

Describe alternatives you've considered

While generating wildcard certificates has the benefit of adding those certificates' CA to the trusted store, I think it's as big of a security imposition as asking users to have their browser temporarily "trust" the pre-baked pomerium certificate.

Explain any additional use-cases

N/A

Additional context

This environment will absolutely not be suitable for production, but neither is today's.

@desimone desimone added accepted docs Docs update required labels Nov 10, 2022
@calebdoxsey
Contributor

We can remove the certificate fields from the docs. They aren't required.

@calebdoxsey
Contributor

cookie secret: #3740

@calebdoxsey
Contributor

disable hsts headers: #3741
