This is an old revision of the document!

TLS Certificates

An experimental ACME server is running at https://playground.acme.libre; it automatically issues TLS certificates for servers under all OpenNIC top-level domains (the CA is restricted to these domains by Name Constraints). The trust anchor for these certificates can be downloaded here.

Note that this is experimental in several respects:

  • The root CA is not yet 100% secured (the design is a work in progress).
  • The ACME server runs experimental software. If you have any problems obtaining a certificate, feel free to contact Erich Eckner.

The trust chain could look as follows:

  1. Root cert: the private key lives on a restricted machine or on the CA operator's hardware token (e.g. a YubiKey). Its public key/self-signed certificate is published on the OpenNIC site and is what we ask our users to trust when they deploy our DNS.
  2. Intermediate: valid for 6 months; needs to be semi-automatically renewed (re-signed) by 1. The CA operator does this with their hardware token/YubiKey on a secure, dedicated, offline machine.
  3. Client certs: valid for 1-3 months, requested and issued exclusively through the ACME protocol and signed by 2. The private key for 2 lives on the ACME server.

The following things might be desirable, too:

  1. Restrict the validity of the CA with Name Constraints
  2. Distribute the root CA key amongst multiple persons: either share copies, have multiple such keys, or put some Shamir-like secret sharing in place
  3. Deploy multiple intermediate CAs / ACME servers in parallel
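The three-tier chain above, together with the Name Constraints of item 1, as an added example that is not part of this page or of the playground's own tooling: a root, a 6-month intermediate and 90-day leaf certificates are built with the openssl CLI, and path validation shows that a leaf for a name outside the permitted TLDs is rejected even though it was signed by the same intermediate. The permitted TLD list (.libre, .geek), the subject names and the file names are assumptions made for the example; the real CA would carry the full OpenNIC TLD set.

```shell
#!/bin/sh
# Added example (not the playground's own tooling): build the root ->
# intermediate -> leaf chain described above with the openssl CLI and show
# what Name Constraints on the CA certificates enforce. Runs offline with
# throwaway keys; all file/subject names are constructed for this demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
# Constructed TLD list for the example (.libre is the only one named on the
# page); the real CA would list every OpenNIC top-level domain.
PERMITTED="permitted;DNS:.libre, permitted;DNS:.geek"

# Minimal req config so `openssl req -subj` works on OpenSSL 1.1.1 and 3.x.
write_configs() {
  cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
EOF
  # Both CA tiers carry the same critical nameConstraints, so a leaf outside
  # the OpenNIC namespace fails validation regardless of which tier issued it.
  cat > "$WORK/ext.cnf" <<EOF
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, $PERMITTED

[intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = critical, $PERMITTED
EOF
}

# Key pair and CSR; $1 = file stem, $2 = subject CN.
gen_key_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
    -subj "/CN=$2" -out "$WORK/$1.csr"
}

# Tier 1 (the offline root) and tier 2 (the 6-month intermediate).
build_chain() {
  write_configs
  gen_key_csr root "Example OpenNIC Root"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ext.cnf" -extensions root -out "$WORK/root.pem" 2>/dev/null
  gen_key_csr intermediate "Example OpenNIC Intermediate"
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 180 \
    -extfile "$WORK/ext.cnf" -extensions intermediate \
    -out "$WORK/intermediate.pem" 2>/dev/null
}

# Tier 3: a 90-day leaf for host $1, signed by the intermediate (the ACME
# server's job in the real setup). The host goes into subjectAltName.
issue_leaf() {
  gen_key_csr "$1" "$1"
  printf '%s\n' \
    'basicConstraints = critical, CA:FALSE' \
    'keyUsage = critical, digitalSignature' \
    'extendedKeyUsage = serverAuth' \
    'authorityKeyIdentifier = keyid' \
    "subjectAltName = DNS:$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/intermediate.pem" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 90 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Path validation against the root; the exit status is openssl verify's.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/intermediate.pem" "$WORK/$1.pem"
}

main() {
  build_chain
  issue_leaf www.ok.libre
  issue_leaf www.bad.com
  verify_leaf www.ok.libre
  if verify_leaf www.bad.com; then
    echo "name constraint was not enforced"; exit 1
  else
    echo "www.bad.com rejected (permitted subtree violation), as intended"
  fi
}
main
```

The rejection comes from the nameConstraints extension on the root and intermediate, not from anything the leaf contains: a compromised or misbehaving ACME server holding the intermediate key can still only mint certificates that validate for names under the permitted TLDs, which is the risk item 1 above is meant to contain. Marking the extension critical matters, since a validator that ignored it would accept the .com leaf.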
  • /wiki/data/attic/opennic/tls.1590950229.txt.gz
  • Last modified: 18 months ago
  • by deep42thought