A placeholder for future work on an “in-house” certificate authority.
- The certificate for the new cl0secall.net CA is available here: http://cl0secall.net/files/cl0secall-ca.crt
- I’m working on drafting requirements for CA security
- I’m also drafting requirements for CA software
- I’m using the OpenSSL “CA” facility for the time being, but I’m aware that OpenSSL enables me to create or use a more scalable framework for a CA facility. I did a brief scan of the ‘net for such a package, but was unable to find any that at first glance didn’t seem to be using the OpenSSL “CA” facility. At some point I stumbled across TinyCA. I want to perform an evaluation on this software before using it in “production” but it seems promising.
- Setting up a PKI is not trivial. Cue rant: Numerous software packages require a fully-implemented PKI prior to use. Additionally, a number of appliances (most commonly, home routers) use SSL security. These often come with pre-built, self-signed certificated that are comparatively dangerous to use. Yet, documentation for these instances either trivializes the importance of a proper PKI setup, or provides some mechanism to create what’s billed as a “test” or “demo” CA implementation that ends up being used in production anyways. I’m looking at you, OpenVPN. (Justification for “Numerous” above: OpenVPN, IPSec, and anything that uses SSL/TLS, e.g. Apache, Dovecot, etc.)
- The CRL will be posted soon. I’ve been forced to revoke one certificate so far, due to it being signed incorrectly.