PKI » History » Version 1
Marc Dequènes, 2019-10-01 21:08
h1. PKI

h2. Self-Signed CAs

The DuckCorp CA was created when HTTPS usage was not very common and certificates were very expensive. Time proved we cannot trust the top CAs and their "broken security model":https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise, so we continued to use our own CA for quite some time.

Nowadays it is no longer viable to operate a self-signed CA, as browsers, client software and providers reject certificates from a CA that is not in their trust store, so we now use "Let's Encrypt certificates":https://letsencrypt.org/. To compensate for depending on a public CA again, we use another system (DANE), see below.

We plan to continue using this CA for non-user-facing services.

Aside from the main CA we also have two CAs, for the monitoring and backup services. They could have been sub-CAs of the main CA but our tool does not support it.

h2. Let's Encrypt

As said above, all user-facing services use Let's Encrypt certificates, or soon will (#676).

h2. DANE
Our zones are DNSSEC-signed and we publish DANE-EE TLSA DNS records for the leaf certificates. Where the software supports it, services are configured to validate the peer's certificate against the TLSA records when they are published (Postfix at least).
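The record a zone publishes for such a leaf certificate, and the match a validating client performs against the certificate presented in the handshake, as an added example (Python, not code from this wiki or from DuckCorp's tooling; the SPKI bytes, host name and record set are constructed for illustration):

```python
"""DANE-EE TLSA records for a leaf certificate: the RDATA a zone publishes and
the match a validating client performs against the certificate presented in
the TLS handshake.  Added example, not DuckCorp's code; the key bytes, host
name and record set below are constructed for illustration."""
import hashlib
from typing import Iterable, Optional, Tuple

# Constructed Ed25519 SubjectPublicKeyInfo in DER (RFC 8410 layout:
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING { 32 key bytes } }).
# The key bytes are a filler pattern, not a real public key.  For a real
# certificate the SPKI DER is obtained with standard OpenSSL:
#   openssl x509 -in leaf.pem -noout -pubkey | openssl pkey -pubin -outform DER
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100" + "a1" * 32)


def _association(selected_data: bytes, matching_type: int) -> bytes:
    """Certificate association data for a TLSA matching type (RFC 6698):
    0 = the selected data itself, 1 = SHA-256 of it, 2 = SHA-512 of it."""
    if matching_type == 0:
        return selected_data
    if matching_type == 1:
        return hashlib.sha256(selected_data).digest()
    if matching_type == 2:
        return hashlib.sha512(selected_data).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def tlsa_rdata(selected_data: bytes, usage: int = 3, selector: int = 1,
               matching_type: int = 1) -> str:
    """TLSA RDATA in presentation format (RFC 6698 section 2.2).

    selected_data is the full certificate DER for selector 0 or the
    SubjectPublicKeyInfo DER for selector 1.  The defaults produce the
    "3 1 1 <sha256>" DANE-EE form, which keeps matching across Let's Encrypt
    renewals as long as the same key pair is reused."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1):
        raise ValueError("unknown TLSA usage or selector")
    assoc = _association(selected_data, matching_type)
    return f"{usage} {selector} {matching_type} {assoc.hex()}"


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset, e.g. _25._tcp.mail.example.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa(rdata: str) -> Tuple[int, int, int, bytes]:
    """Split presentation-format RDATA into (usage, selector, mtype, data)."""
    usage, selector, matching_type, assoc = rdata.split(None, 3)
    return (int(usage), int(selector), int(matching_type),
            bytes.fromhex(assoc.replace(" ", "")))


def dane_ee_match(tlsa_rrset: Iterable[str], leaf_cert_der: Optional[bytes],
                  leaf_spki_der: bytes) -> bool:
    """True if any DANE-EE (usage 3) record matches the presented leaf.

    Only usage 3 is handled, which is what the zone above publishes; usages
    0-2 involve the PKIX chain or a published trust anchor and are left out.
    Per RFC 7671 section 5.1 a usage-3 match is sufficient on its own: the
    client does not additionally check the certificate's dates or names, so
    DNSSEC validation of the RRset is what carries the trust here."""
    for rdata in tlsa_rrset:
        usage, selector, matching_type, assoc = parse_tlsa(rdata)
        if usage != 3 or matching_type not in (0, 1, 2):
            continue  # not a DANE-EE record, or an unusable one: ignore it
        if selector == 0:
            if leaf_cert_der is None:
                continue
            data = leaf_cert_der
        elif selector == 1:
            data = leaf_spki_der
        else:
            continue
        if _association(data, matching_type) == assoc:
            return True
    return False


if __name__ == "__main__":
    record = tlsa_rdata(SAMPLE_SPKI_DER)
    print(f"{tlsa_owner_name('mail.example.org', 25)} IN TLSA {record}")
    print("client match:", dane_ee_match([record], None, SAMPLE_SPKI_DER))
```

The "3 1 1" form is the usual choice because the record only changes when the key changes; during a key rollover publish the record for the new key alongside the old one, wait for the old RRset's TTL to expire, then switch the service to the new key and drop the old record. The opportunistic behaviour described above corresponds, for Postfix, to @smtp_tls_security_level = dane@ together with @smtp_dns_support_level = dnssec@ behind a validating resolver: TLSA records are enforced when they exist and the client falls back to ordinary opportunistic TLS when they do not.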

Web vhosts do not have a TLSA record yet, but this is coming (#675).