TLS Certificates

There is an experimental acme server in place at https://playground.acme.libre to automatically obtain TLS certificates for servers under all OpenNIC top level domains (Restricted by Name Constraints). The trust anchor for these certificates can be downloaded here.

Note, that this is experimental in many regards:

  • The root CA is not yet 100% secured (the design is a work in progress).
  • The acme server runs experimental software. If you have any problems getting a certificate, feel free to contact Erich Eckner

The acme server runs on a domain which must be validated by the same root certificate which is used for other opennic domains. Thus, one must download the root certificate (and ignore the certificate error on the https connection) and install it as a trusted root certificate. If you like to avoid possible MITM attacks on the download, you can verify the sha512sum of the certificate, too (this file also contains checksums for older and for an unrelated ca). On arch linux, one would run:

cd /usr/share/ca-certificates/trust-source/anchors
curl --insecure -o opennic_root_ca.crt https://playground.acme.libre/opennic_root_ca.crt
curl | sed 's/  \S\+\(opennic_root_ca\.crt\)$/  \1/;t;d' | sha512sum -c
trust extract-compat

On debian, the commands are rather:

cd /usr/local/share/ca-certificates/trust-source/anchors
curl --insecure -o opennic_root_ca.crt https://playground.acme.libre/opennic_root_ca.crt
curl | sed 's/  \S\+\(opennic_root_ca\.crt\)$/  \1/;t;d' | sha512sum -c

Check, that the certificate was installed correctly:

curl https://playground.acme.libre/

Then, certbot can query new certificates from the acme server.

certbot --server https://playground.acme.libre

The trust chain could look as follows:

  1. root cert - private key on a restricted machine or the CA operator’s hardware token like a YubiKey. The public key/self-signed cert for this one is published on opennic site and is what we ask our users to trust when they deploy our DNS
  2. intermediate - valid for 6 months, needs to be semi-automatically renewed (resigned) by 1 - CA operator does this with their hardware token/Yubikey on a secure, dedicated, offline machine.
  3. client certs - valid for 1-3 months, requested and issued exclusively through ACME protocol, signed by 2. Private key for 2 lives on ACME server.

The following things might be desirable, too:

  1. Distribute the Root CA key amongst multiple persons: either share copies, have multiple such keys, or have some Shamir-like secret sharing in place
  2. Deploy multiple intermediate CAs / ACME-server “parallely”
  • /wiki/data/pages/opennic/tls.txt
  • Last modified: 3 years ago
  • by marek