Differences

This shows you the differences between two versions of the page.

opennic:tls [2020-05-31T15:24:06Z] – [Current deployment] deep42thought
opennic:tls [2021-08-08T18:51:47Z] (current) – Correct Debian Path marek
Line 3: Line 3:
 ===== Current deployment ===== ===== Current deployment =====
  
-There is an experimental acme server in place at [[https://playground.acme.libre]] to automatically obtain TLS certificates for servers under all OpenNIC top level domains.+There is an experimental acme server in place at [[https://playground.acme.libre]] to automatically obtain TLS certificates for servers under all OpenNIC top level domains (Restricted by [[https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only|Name Constraints]]).
 The trust anchor for these certificates can be downloaded [[https://playground.acme.libre/opennic_root_ca.crt|here]]. The trust anchor for these certificates can be downloaded [[https://playground.acme.libre/opennic_root_ca.crt|here]].
  
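Review bot: The added parenthetical "(Restricted by Name Constraints)" links only to a general Stack Exchange question and does not say which certificate carries the constraint (the root or an intermediate) or which names are permitted, so a reader cannot judge what installing this trust anchor allows the CA to sign for. Suggest naming the permitted name space in this sentence and noting that the restriction can be confirmed in the "X509v3 Name Constraints" section printed by `openssl x509 -noout -text` for the certificate that carries it. Minor: "Restricted" should be lowercase inside the sentence.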
Line 10: Line 10:
   * The acme server runs experimental software. If you have any problems getting a certificate, feel free to contact [[opennic@eckner.net|Erich Eckner]]   * The acme server runs experimental software. If you have any problems getting a certificate, feel free to contact [[opennic@eckner.net|Erich Eckner]]
  
 +===== How to get started =====
 +
 +The acme server runs on a domain which must be validated by the same root certificate which is used for other opennic domains.
 +Thus, one must download the root certificate (and ignore the certificate error on the https connection) and install it as a trusted root certificate.
 +If you like to avoid possible MITM attacks on the download, you can verify the [[https://eckner.net/certs/sha512sums|sha512sum]] of the certificate, too (this file also contains checksums for older and for an unrelated ca). On arch linux, one would run:
 +<code>
 +cd /usr/share/ca-certificates/trust-source/anchors
 +curl --insecure -o opennic_root_ca.crt https://playground.acme.libre/opennic_root_ca.crt
 +curl https://eckner.net/certs/sha512sums | sed 's/  \S\+\(opennic_root_ca\.crt\)$/  \1/;t;d' | sha512sum -c
 +trust extract-compat
 +</code>
 +On debian, the commands are rather:
 +<code>
 +cd /usr/local/share/ca-certificates/trust-source/anchors
 +curl --insecure -o opennic_root_ca.crt https://playground.acme.libre/opennic_root_ca.crt
 +curl https://eckner.net/certs/sha512sums | sed 's/  \S\+\(opennic_root_ca\.crt\)$/  \1/;t;d' | sha512sum -c
 +update-ca-certificates
 +</code>
 +Check, that the certificate was installed correctly:
 +<code>
 +curl https://playground.acme.libre/
 +</code>
 +Then, certbot can query new certificates from the acme server.
 +<code>
 +certbot --server https://playground.acme.libre
 +</code>
 ===== Planned deployment ===== ===== Planned deployment =====
  
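Review bot: In both the Arch and the Debian block the `sha512sum -c` line does not gate the install. The certificate is written by `curl --insecure` directly into the anchors directory, and `trust extract-compat` / `update-ca-certificates` sits on its own line, so pasting the block installs the root even when the checksum fails or the `sed` filter matches no line. The text presents this checksum as the protection against MITM on the download, so suggest downloading into a temporary directory, chaining the verification and the install step with `&&`, and copying the file into the anchors directory only after `sha512sum -c` reports OK. In addition, the Debian block runs `cd /usr/local/share/ca-certificates/trust-source/anchors` without a `mkdir -p`; if that directory is missing, the `cd` fails and the remaining commands run in whatever directory the shell was already in.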
Line 19: Line 45:
  
 The following things might be desirable, too: The following things might be desirable, too:
-  - Restrict validity of CA with [[https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only|Name Constraints]] +  - Distribute the Root CA key amongst multiple persons: either share copies, have multiple such keys, or have [[https://tools.ietf.org/html/draft-hallambaker-threshold-sigs-02|some Shamir-like secret sharing]] in place
-  - Distribute the Root CA key amongst multiple persons: either share copies, have multiple such keys, or have some Shamir-like secret sharing in place+
   - Deploy multiple intermediate CAs / ACME-server "parallely"   - Deploy multiple intermediate CAs / ACME-server "parallely"
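Review bot: On the added "Distribute the Root CA key" line, the link text says "Shamir-like secret sharing" but the target is a threshold-signatures draft (`draft-hallambaker-threshold-sigs-02`), and the two are different designs: with secret sharing the key is reassembled in one place before signing, with threshold signatures it need not be. Suggest saying which of the two is intended, since that decides whether the complete root key ever exists on a single machine. The URL also pins revision `-02` of an Internet-Draft; a link that is not tied to one revision would age better. Minor, in the unchanged context line: "parallely" should read "in parallel".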
  • Last modified: 4 years ago
  • by deep42thought