Differences

This shows you the differences between two versions of the page.

--- opennic:tls [2020-05-29T11:07:04Z] – created deep42thought
+++ opennic:tls [2025-01-10T17:09:56Z] (current) – Update Debian instructions koala
@@ Line 3: / Line 3: @@
 ===== Current deployment =====
-There is an experimental acme server in place at [[https://playground.acme.libre]] to automatically obtain TLS certificates for servers under all OpenNIC (and currently also all ICANN and all peered) top level domains.
+There is an experimental acme server in place at [[https://playground.acme.libre]] to automatically obtain TLS certificates for servers under all OpenNIC top level domains (Restricted by [[https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only|Name Constraints]]).
 The trust anchor for these certificates can be downloaded [[https://playground.acme.libre/opennic_root_ca.crt|here]].
@@ Line 10: / Line 10: @@
   * The acme server runs experimental software. If you have any problems getting a certificate, feel free to contact [[opennic@eckner.net|Erich Eckner]]
+===== How to get started =====
+The acme server runs on a domain which must be validated by the same root certificate which is used for other opennic domains.
+Thus, one must download the root certificate (and ignore the certificate error on the https connection) and install it as a trusted root certificate.
+If you like to avoid possible MITM attacks on the download, you can verify the [[https://eckner.net/certs/sha512sums|sha512sum]] of the certificate, too (this file also contains checksums for older and for an unrelated ca). On arch linux, one would run:
+<code>
+cd /usr/share/ca-certificates/trust-source/anchors
+curl --insecure -o opennic_root_ca.crt https://playground.acme.libre/opennic_root_ca.crt
+curl https://eckner.net/certs/sha512sums | sed 's/  \S\+\(opennic_root_ca\.crt\)$/  \1/;t;d' | sha512sum -c
+trust extract-compat
+</code>
+On debian, the commands are rather:
+<code>
+cd /usr/share/ca-certificates/
+curl --insecure -o opennic_root_ca.crt https://playground.acme.libre/opennic_root_ca.crt
+curl https://eckner.net/certs/sha512sums | sed 's/  \S\+\(opennic_root_ca\.crt\)$/  \1/;t;d' | sha512sum -c
+dpkg-reconfigure ca-certificates
+</code>
+Check, that the certificate was installed correctly:
+<code>
+curl https://playground.acme.libre/
+</code>
+Then, certbot can query new certificates from the acme server.
+<code>
+certbot --server https://playground.acme.libre
+</code>
 ===== Planned deployment =====
+The trust chain could look as follows:
   - root cert - private key on a restricted machine or the CA operator’s hardware token like a YubiKey. The public key/self-signed cert for this one is published on opennic site and is what we ask our users to trust when they deploy our DNS
-  - intermediate - valid for 6 months, needs to be semi-automatically renewed (resigned) by (a) - CA operator does this with their hardware token/Yubikey on a secure, dedicated, offline machine.
+  - intermediate - valid for 6 months, needs to be semi-automatically renewed (resigned) by 1 - CA operator does this with their hardware token/Yubikey on a secure, dedicated, offline machine.
-  - client certs - valid for 1-3 months, requested and issued exclusively through ACME protocol, signed by (b). Private key for (b) lives on ACME server.
+  - client certs - valid for 1-3 months, requested and issued exclusively through ACME protocol, signed by 2. Private key for 2 lives on ACME server.
+The following things might be desirable, too:
+  - Distribute the Root CA key amongst multiple persons: either share copies, have multiple such keys, or have [[https://tools.ietf.org/html/draft-hallambaker-threshold-sigs-02|some Shamir-like secret sharing]] in place
+  - Deploy multiple intermediate CAs / ACME-server "parallely"