PKI » History » Revision 2
Revision 1 (Marc Dequènes, 2019-10-01 21:08) → Revision 2/7 (Marc Dequènes, 2019-10-01 21:42)
h1. PKI

h2. Self-Signed CAs

The "DuckCorp CA":https://ca.duckcorp.org/ was created when HTTPS usage was not very common and certificates were very expensive. Time proved that we cannot trust the top CAs and their "broken security model":https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise, so we continued to use our own CA for quite some time.

Nowadays it is no longer viable to operate a self-signed CA, as all software and providers reject them, so we now use "Let's Encrypt certificates":https://letsencrypt.org/. To counteract this loss we use another system (DANE), see below.

We plan to continue using this CA for non-user-facing services.

Aside from the main CA we also have two CAs for monitoring and backup services. They could have been sub-CAs, but our tool does not support it.

h2. Let's Encrypt

As said above, all user-facing services are using Let's Encrypt or soon will be (#676).

h2. DANE

Our zones are DNSSEC-secured and we publish DANE-EE TLSA DNS records for the leaf certificates. When possible, services are configured to validate against these records if they are available (Postfix at least).

Web vhosts do not have a TLSA record yet, but this is coming (#675).
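The following is an added example, not DuckCorp's code nor anything from this wiki: it shows how a DANE-EE TLSA record (usage 3) is derived from a leaf certificate and how a validating client such as Postfix compares the presented leaf against the published RRset. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real X.509 structures, and the hostname is an assumption.

```python
"""DANE-EE (TLSA usage 3) record generation and matching, per RFC 6698 / RFC 7671.

Added example; the DER-like byte strings below are constructed placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass

# TLSA field values from RFC 6698
USAGE_DANE_EE = 3        # association is with the leaf (end-entity) certificate
SELECTOR_FULL_CERT = 0   # compare/hash the whole DER certificate
SELECTOR_SPKI = 1        # compare/hash only the SubjectPublicKeyInfo
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data (digest or full DER)

    def presentation(self) -> str:
        """Zone-file RDATA form, e.g. '3 1 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def tlsa_owner_name(port: int, proto: str, host: str) -> str:
    """Owner name of the TLSA RRset for a service, e.g. _25._tcp.mail.example.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


def _select(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    if selector == SELECTOR_FULL_CERT:
        return cert_der
    if selector == SELECTOR_SPKI:
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def _digest(matching_type: int, data: bytes) -> bytes:
    if matching_type == MATCH_EXACT:
        return data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_dane_ee_record(cert_der: bytes, spki_der: bytes,
                        selector: int = SELECTOR_SPKI,
                        matching_type: int = MATCH_SHA256) -> TLSA:
    """Build the TLSA record to publish for a leaf certificate ("3 1 1" by default).

    Pinning the SPKI (selector 1) keeps the record valid across renewals that
    reuse the same key pair; pinning the full certificate (selector 0) does not.
    """
    content = _select(selector, cert_der, spki_der)
    return TLSA(USAGE_DANE_EE, selector, matching_type, _digest(matching_type, content))


def dane_ee_matches(records, cert_der: bytes, spki_der: bytes) -> bool:
    """True if any usable DANE-EE record matches the presented leaf certificate.

    Records with other usages or unknown selector/matching-type values are
    skipped: they cannot produce a match, but RFC 7671 says an unusable record
    must not by itself be treated as a failure.
    """
    for rr in records:
        if rr.usage != USAGE_DANE_EE:
            continue
        try:
            expected = _digest(rr.matching_type, _select(rr.selector, cert_der, spki_der))
        except ValueError:
            continue
        if hmac.compare_digest(expected, rr.data):
            return True
    return False


# Constructed sample bytes standing in for DER structures (not real X.509).
SAMPLE_SPKI = b"\x30\x5a" + bytes(range(90))
SAMPLE_CERT = b"\x30\x82\x01\x00" + SAMPLE_SPKI + b"\x00" * 64
RENEWED_CERT = b"\x30\x82\x01\x00" + SAMPLE_SPKI + b"\x01" * 64  # same key, new cert
OTHER_SPKI = b"\x30\x5a" + bytes(reversed(range(90)))


def demo() -> None:
    name = tlsa_owner_name(25, "tcp", "mail.example.org")  # hostname is an assumption
    rr = make_dane_ee_record(SAMPLE_CERT, SAMPLE_SPKI)
    print(f"{name}. IN TLSA {rr.presentation()}")
    print("renewed cert, same key matches:", dane_ee_matches([rr], RENEWED_CERT, SAMPLE_SPKI))


if __name__ == "__main__":
    demo()
```

A client that validates in this way only trusts the DNSSEC chain, not the CA that issued the leaf, which is why DANE compensates for moving from the self-signed CA to Let's Encrypt. The "3 1 1" form is the one to prefer when publishing, since the key pair is typically retained across Let's Encrypt renewals while the certificate bytes change every time.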