Show pageOld revisionsBacklinksBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ====== TLS Certificates ====== ===== Current deployment ===== There is an experimental acme server in place at [[https://playground.acme.libre]] to automatically obtain TLS certificates for servers under all OpenNIC top level domains (Restricted by [[https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only|Name Constraints]]). The trust anchor for these certificates can be downloaded [[https://playground.acme.libre/opennic_root_ca.crt|here]]. Note, that this is experimental in many regards: * The root CA is not yet 100% secured (the design is a work in progress). * The acme server runs experimental software. If you have any problems getting a certificate, feel free to contact [[opennic@eckner.net|Erich Eckner]] ===== How to get started ===== The acme server runs on a domain which must be validated by the same root certificate which is used for other opennic domains. Thus, one must download the root certificate (and ignore the certificate error on the https connection) and install it as a trusted root certificate. If you like to avoid possible MITM attacks on the download, you can verify the [[https://eckner.net/certs/sha512sums|sha512sum]] of the certificate, too (this file also contains checksums for older and for an unrelated ca). On arch linux, one would run: <code> cd /usr/share/ca-certificates/trust-source/anchors curl --insecure -o opennic_root_ca.crt https://playground.acme.libre/opennic_root_ca.crt curl https://eckner.net/certs/sha512sums | sed 's/ \S\+\(opennic_root_ca\.crt\)$/ \1/;t;d' | sha512sum -c trust extract-compat </code> On debian, the commands are rather: <code> cd /usr/share/ca-certificates/ curl --insecure -o opennic_root_ca.crt https://playground.acme.libre/opennic_root_ca.crt curl https://eckner.net/certs/sha512sums | sed 's/ \S\+\(opennic_root_ca\.crt\)$/ \1/;t;d' | sha512sum -c dpkg-reconfigure ca-certificates </code> Check, that the certificate was installed correctly: <code> curl https://playground.acme.libre/ </code> Then, certbot can query new certificates from the acme server. <code> certbot --server https://playground.acme.libre </code> ===== Planned deployment ===== The trust chain could look as follows: - root cert - private key on a restricted machine or the CA operator’s hardware token like a YubiKey. The public key/self-signed cert for this one is published on opennic site and is what we ask our users to trust when they deploy our DNS - intermediate - valid for 6 months, needs to be semi-automatically renewed (resigned) by 1 - CA operator does this with their hardware token/Yubikey on a secure, dedicated, offline machine. - client certs - valid for 1-3 months, requested and issued exclusively through ACME protocol, signed by 2. Private key for 2 lives on ACME server. The following things might be desirable, too: - Distribute the Root CA key amongst multiple persons: either share copies, have multiple such keys, or have [[https://tools.ietf.org/html/draft-hallambaker-threshold-sigs-02|some Shamir-like secret sharing]] in place - Deploy multiple intermediate CAs / ACME-server "parallely" /wiki/data/pages/opennic/tls.txt Last modified: 4 months agoby koala