You have an organizational identity, right?
Not pictured: Using a CA to properly administer certs because self-signed certs are not secure.
As soon as everyone signs their zones with DNSSEC, we can implement DANE to use self-signed certificates safely, and all our problems will go away, world peace will be achieved, and food will taste better.
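For readers wondering what "DANE to use self-signed certificates safely" actually means mechanically, here is an added example (not from any commenter) of how a TLSA record pins a certificate. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER; in practice they would come from `ssl.getpeercert(binary_form=True)` and an X.509 parser, and the TLSA lookup itself must be DNSSEC-validated or the record proves nothing.

```python
import hashlib

# Constructed stand-ins for DER bytes so the example runs offline.
CONSTRUCTED_CERT_DER = b"\x30\x82constructed-certificate-der"
CONSTRUCTED_SPKI_DER = b"\x30\x59constructed-spki-der"


def tlsa_rdata(cert_der, spki_der, usage=3, selector=1, mtype=1):
    """Presentation form of a TLSA record (RFC 6698):
    '<usage> <selector> <matching type> <certificate association data>'.
    usage 3 = DANE-EE: the DNSSEC-signed record itself is the trust anchor,
              so the end-entity cert may be self-signed.
    usage 1 = PKIX-EE: same pin, but normal CA chain validation is still required.
    selector 1 = pin the SubjectPublicKeyInfo, 0 = pin the whole certificate.
    mtype 1 = SHA-256 of the selected data, 2 = SHA-512, 0 = raw bytes."""
    if usage not in (1, 3):
        # Usages 0 and 2 pin a CA in the chain, not the leaf; out of scope here.
        raise ValueError("only end-entity usages (1, 3) are supported")
    if selector not in (0, 1):
        raise ValueError("unsupported selector")
    data = spki_der if selector == 1 else cert_der
    if mtype == 0:
        assoc = data.hex()
    elif mtype == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unsupported matching type")
    return f"{usage} {selector} {mtype} {assoc}"


def parse_tlsa(rdata):
    """Split a TLSA presentation string into (usage, selector, mtype, hex)."""
    usage, selector, mtype, assoc = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), assoc.replace(" ", "").lower()


def dane_match(rdata, cert_der, spki_der):
    """Check a presented certificate against one TLSA record.
    Returns (matched, pkix_required). With usage 1 a match alone is not
    enough; the CA chain must also validate. With usage 3 the match is the
    whole check, which is what lets a self-signed cert be trusted."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    expected = parse_tlsa(tlsa_rdata(cert_der, spki_der, usage, selector, mtype))[3]
    return expected == assoc, usage == 1


if __name__ == "__main__":
    record = tlsa_rdata(CONSTRUCTED_CERT_DER, CONSTRUCTED_SPKI_DER)
    print("publish as _443._tcp.example.test. IN TLSA", record)
    print("presented cert matches:", dane_match(record, CONSTRUCTED_CERT_DER, CONSTRUCTED_SPKI_DER))
```

The "3 1 1" form is the usual choice for self-signed deployments: pinning the public key rather than the whole certificate means the cert can be reissued (new dates, new name) without touching DNS, as long as the key stays the same.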
I still don't understand the resistance to DNSSEC. It's just the right solution to the problem (or something like it is). Most of the arguments I've seen against it are just "the governments and three letter agencies control the TLDs!!" which like... Sure. But even with the usual CA infrastructure all of the trust depends upon the TLDs anyway. Like... If you are a TLD and control the root DNS servers you can obviously redirect any domain to wherever you want and get a LetsEncrypt certificate for any domain under the TLD anyway? Maybe somebody would notice, but it's probably just as likely that somebody would notice them messing around with DNSSEC (and then there would even be cryptographic proof of foul play?)
Will my cock grow a bit, too?
Yes, and the RRSIG record will prove that it hasn’t been tampered with.
cert-manager is the first thing I install on every kubernetes cluster I make
Syncthing .cert dir until it inevitably gets deleted due to a conflict
Why would anyone ever use self-signed certs? Buy a cheap ass domain, and use LetsEncrypt to get a free cert.
If it is for internal only, self-signed is a lot easier.
Also probably no sysadmin uses it, but the Gemini protocol requires the use of a self-signed cert
Hard disagree. As long as you have any machine with internet access it’s trivial, even more so if you can use DNS challenge.
So is using "pass" as the password to all of your sensitive systems. Still not best, or even good practice.
Mtls across a large number of machines. I run my own CA and intermediates on hashicorp vault.
For end user services, yes LE.
At the point of running your own CA with infrastructure in place to support it, I wouldn’t really call that “self signing.”
I get that it technically is, since you’re not going through an external CA, but really it’s like calling a company's datacenter “self hosted” because it’s on their own hardware. Technically the truth, but not what is generally meant. 😜
What's LE?
Self-signed certs are more secure. You don't have to trust the whole CA chain