Project

General

Profile

Actions

PKI » History » Revision 3

« Previous | Revision 3/7 (diff) | Next »
Marc Dequènes, 2020-04-06 14:42


PKI

Self-Signed CAs

Current Status

These self-signed Cas are in use in DC's infrastruture:
  • duckcorp : the main CA, we plan to continue using it for non-user-facing services
  • duckcorp-backup : used for our backup software to secure TLS communications
  • duckcorp-monitoring : used for our monitoring software to secure TLS communications

The duckcorp-backup and duckcorp-monitoring CAs could have been sub-CAs but our tool does not support it.

TODO: more technical details

Let's Encrypt

Current Status

All user facing services are using Let's Encrypt or soon are (#676).

TODO: more technical details

DANE

DANE is a security protocol used to reinforce TLS certificate validation by publishing certain information in the DNS. It requires your DNS zones to be secured using DNSSEC.

Current Status

Our zones are DNSSEC secured and we publish DANE-EE TLSA DNS records for the leaf certificates.

Services supporting DANE (or WIP):
  • Postfix
  • Web vhosts do not have a TLSA record yet, but this is coming (#675).

Checking DANE

The danetls tool is not packaged but there is a web service called danecheck by the same author.

DANE adoption

These are just notes to check on DANE adoption in various client software.

Updated by Marc Dequènes over 4 years ago · 3 revisions