Differences
opennic:tls [2020-05-29T11:07:04Z] – created deep42thought | opennic:tls [2020-06-03T08:42:45Z] – [Planned deployment] deep42thought | ||
---|---|---|---|
Line 3: | Line 3: | ||
===== Current deployment ===== | ===== Current deployment ===== | ||
- | There is an experimental acme server in place at [[https:// | + | There is an experimental acme server in place at [[https:// |
The trust anchor for these certificates can be downloaded [[https:// | The trust anchor for these certificates can be downloaded [[https:// | ||
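Review bot: the trust-anchor line says the root certificate "can be downloaded" but gives the reader no way to verify what was downloaded; both the ACME server and the trust anchor are referenced through `https://` links (cut off in this view), so whether that download is itself protected by a certificate the reader already trusts is unclear. Add the root certificate's fingerprint (e.g. SHA-256) next to the download link, ideally also published through a second channel, so users can check the anchor before installing it.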
Line 11: | Line 11: | ||
===== Planned deployment ===== | ===== Planned deployment ===== | ||
+ | |||
+ | The trust chain could look as follows: | ||
- root cert - private key on a restricted machine or the CA operator’s hardware token like a YubiKey. The public key/ | - root cert - private key on a restricted machine or the CA operator’s hardware token like a YubiKey. The public key/ | ||
- | - intermediate - valid for 6 months, needs to be semi-automatically renewed (resigned) by (a) - CA operator does this with their hardware token/ | + | - intermediate - valid for 6 months, needs to be semi-automatically renewed (resigned) by 1 - CA operator does this with their hardware token/ |
- | - client certs - valid for 1-3 months, requested and issued exclusively through ACME protocol, signed by (b). Private key for (b) lives on ACME server. | + | - client certs - valid for 1-3 months, requested and issued exclusively through ACME protocol, signed by 2. Private key for 2 lives on ACME server. |
+ | The following things might be desirable, too: | ||
+ | - Distribute the Root CA key amongst multiple persons: either share copies, have multiple such keys, or have [[https:// | ||
+ | - Deploy multiple intermediate CAs / ACME-server " |
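Review bot: the new "share copies" option in the "Distribute the Root CA key" item works against the first list item, which keeps the root key on a restricted machine or hardware token: every full copy is another place from which the root can be compromised, whereas the other two options (multiple root keys, or the split-key scheme behind the truncated link) preserve that protection. Suggest stating a preference for the split or multi-key options, or dropping "share copies". Also, with "Private key for 2 lives on ACME server", the intermediate is the only online signing key; the 6-month validity bounds the damage if the ACME server is lost, but the list should say how a compromised intermediate would be revoked (CRL/OCSP, or reissuing the chain) and how the "semi-automatic" re-signing by 1 is triggered, since that offline step is what the rest of the design depends on.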