News you need

Kurt Buff

Dec 17, 2025, 1:39:58 PM12/17/25
to ntsys...@googlegroups.com
First, certificates from Let's Encrypt will be going to a 64-day lifetime in May, and losing the client auth EKU:
Sectigo has also announced the change this week. I'm sure others are announcing it this week as well, or will shortly.

Second, MSFT is finalizing deprecation of RC4 and planning to remove it from AD in 2026 - long overdue:


Kurt

Philip Elder

Dec 17, 2025, 1:51:26 PM12/17/25
to ntsys...@googlegroups.com

We set up reverse proxy using ARR/URLReWrite v1 (IIS). This allows for as many HTTPS based connections to internal services as needed. So, Exchange Server services, Remote Desktop Services, SharePoint, and others.

Source User (Internet) HTTPS -> ARR (Private Key) -> Exchange Server

Source User Device (Internet) HTTPS -> ARR (Private Key) -> Exchange Server

Source User (Internet) HTTPS -> ARR (Private Key) -> RD Gateway -> RD Session Host/RemoteApps

The important thing to note is where the Private Key lies. So, we decrypt that HTTPS packet stream to analyze it, then encrypt it to send it on to the final destination.

So, for instance, we know that CloudFlare has access to every single HTTPS inbound by decryption due to the Private Key being resident in their system.

The question my little inquiring brain has is this: Does LetsEncrypt _keep_ the Private Key anywhere on their systems?

Snowden revealed what exactly? That defecation runs deep. Stinky, slimy, deep. Thus my paranoia about Black Boxes.

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Teams: Phili...@MPECSInc.Cloud

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.


Dafydd Jones (techneg.it)

Dec 22, 2025, 10:58:10 AM12/22/25
to ntsys...@googlegroups.com
"The question my little inquiring brain has is this: Does LetsEncrypt _keep_ the Private Key anywhere on their systems?"

I'm no cryptography expert, but they cannot keep your private key when they never had it to begin with.
You, or your computers, create both private and public keys and send a certificate signing request containing only public information to Let's Encrypt.
They return a signed certificate to you, which your server software uses in combination with the private key to enable TLS communication.

HTH,
Dafydd
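The key-pair and CSR flow Dafydd describes, as an added example that is not from the thread: the private key is generated locally, the CSR sent to the CA carries only the public key, the names and a self-signature, and the checks below confirm that on the files themselves. It assumes OpenSSL 1.1.1 or later is installed; the hostname example.invalid is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates that a CSR contains no
# private-key material, only the public key plus the requested names.
set -eu

WORK=$(mktemp -d)

# 1. The private key is generated on the server and never leaves it.
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/server.key" 2>/dev/null
}

# 2. The CSR is derived from the private key, but what goes on the wire to the
#    CA is the public key, the subject/SAN and a self-signature proving
#    possession of the key. example.invalid is a placeholder name.
gen_csr() {
    openssl req -new -key "$WORK/server.key" -subj "/CN=example.invalid" \
        -addext "subjectAltName=DNS:example.invalid" \
        -out "$WORK/server.csr" 2>/dev/null
}

# Returns 0 if the public key embedded in the CSR matches the local private key.
csr_matches_key() {
    a=$(openssl req -in "$WORK/server.csr" -noout -pubkey)
    b=$(openssl pkey -in "$WORK/server.key" -pubout)
    [ "$a" = "$b" ]
}

# Returns 0 if the CSR file carries no private-key PEM block at all.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORK/server.csr"
}

# Returns 0 if the CSR's self-signature verifies (proof of possession); both
# OpenSSL 1.1.1 and 3.x print a line containing "verify OK" on success.
csr_signature_ok() {
    openssl req -in "$WORK/server.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# Stand-alone run: what the CA receives vs. what stays on the server.
gen_key
gen_csr
csr_matches_key && csr_has_no_private_key && csr_signature_ok \
    && echo "CSR holds only public material; private key stays in $WORK/server.key"
```

Inspect the request itself with `openssl req -in "$WORK/server.csr" -noout -text` to see that only the public key, the names and the signature are present.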

 


Philip Elder

Dec 22, 2025, 2:12:18 PM12/22/25
to ntsys...@googlegroups.com

This is a question that I’ve asked a number of times over the last couple of years.

 

No one took the time to actually explain the certificate creation process like this. Simple and to the point and I get it.

 

Thank you. That closes a concern I had on using it!

 

I much appreciate it. :0)


Kurt Buff

Dec 22, 2025, 2:52:24 PM12/22/25
to ntsys...@googlegroups.com
Wikipedia has more detail:

I believe there are other protocols, but this seems to be the most common.

Kurt
