Here's a few points to add to that:

1. You should not keep more than one internal CA.

CA infrastructure tends to sprawl, multiply, and creep around the organization unless properly pruned. They will also quickly diverge in certificate issuing rules. Better to use the one you hopefully already have, and secure it well. Lots of eggs are in that basket anyway. The article is a commercial for their product, but there are plenty of mature ones out there. FreeIPA is one.

2. You should renew certificates in good time before they expire.

As long as the certificate is issued internally and fulfills the rules of allowed certificates, let Ansible/Puppet or a similar tool renew them. Just make sure applications get restarted when the certificate is rotated. Defining it as a configuration item helps everyone.

3. Any certificate that hits disk should generate monitoring.

Because renewals can fail, and you really want to know in advance if certificates haven't been rotated properly. There will always be special cases and externally created certificates too.
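An added example for the third point, written here and not taken from the comment above or from the article's product: a standard-library Go check that walks a PEM bundle and reports certificates expiring inside a warning window, treating an unparseable block as a failure rather than skipping it. The function names (`ExpiringWithin`, `SelfSignedPEM`) and the `*.internal` subjects are assumptions; the self-signed certificates are constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ExpiringWithin parses every CERTIFICATE block in a PEM bundle (one file may hold a whole chain)
// and returns those expiring within `days` of now, or already expired. A block that does not parse
// is reported as an error instead of silently skipped: a corrupt certificate on disk is itself an alert.
func ExpiringWithin(data []byte, now time.Time, days int) (found []*x509.Certificate, err error) {
	deadline := now.Add(time.Duration(days) * 24 * time.Hour)
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // skip private keys, CSRs, etc. kept in the same file
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return found, fmt.Errorf("parsing certificate block: %w", err)
		}
		if !c.NotAfter.After(deadline) {
			found = append(found, c)
		}
	}
	return found, nil
}

// SelfSignedPEM builds a throwaway self-signed certificate: constructed sample input only, so errors are ignored.
func SelfSignedPEM(cn string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now() // sample bundle: one cert expiring in 5 days, one in 90 days; warn at 30 days
	bundle := append(SelfSignedPEM("soon.internal", now.Add(5*24*time.Hour)), SelfSignedPEM("fine.internal", now.Add(90*24*time.Hour))...)
	expiring, err := ExpiringWithin(bundle, now, 30)
	if err != nil { fmt.Println("error:", err) }
	for _, c := range expiring {
		fmt.Printf("ALERT %s expires %s\n", c.Subject.CommonName, c.NotAfter.Format(time.RFC3339))
	}
}
```

Pointing the same check at every certificate file a config-management run drops on disk, and alerting on both findings and parse errors, is the monitoring the comment asks for.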
