Differences

opennic:tls [2020-05-29T11:07:04Z]
deep42thought created
opennic:tls [2021-03-01T09:07:50Z] (current)
deep42thought [How to get started] avoid MITM attack
Line 3: Line 3:
 ===== Current deployment ===== ===== Current deployment =====
  
-There is an experimental acme server in place at [[https://playground.acme.libre]] to automatically obtain TLS certificates for servers under all OpenNIC (and currently also all ICANN and all peered) top level domains.+There is an experimental acme server in place at [[https://playground.acme.libre]] to automatically obtain TLS certificates for servers under all OpenNIC top level domains (Restricted by [[https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only|Name Constraints]]).
 The trust anchor for these certificates can be downloaded [[https://playground.acme.libre/opennic_root_ca.crt|here]]. The trust anchor for these certificates can be downloaded [[https://playground.acme.libre/opennic_root_ca.crt|here]].
  
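Review bot: the new sentence's "Restricted by Name Constraints" links to a StackExchange thread rather than the definition of the extension in RFC 5280 §4.2.1.10, and it does not say which name subtrees the root (or the intermediate) is actually constrained to; since the removed text said the server also issued for ICANN and peered TLDs, a reader cannot tell from this line whether those are now excluded by the constraint or merely by policy. Suggest stating the permitted names explicitly and giving the check a user can run on the downloaded anchor, e.g. `openssl x509 -in opennic_root_ca.crt -noout -text`, so the constraint can be confirmed in the certificate itself rather than taken on the word of the page.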
Line 10: Line 10:
   * The acme server runs experimental software. If you have any problems getting a certificate, feel free to contact [[opennic@eckner.net|Erich Eckner]]   * The acme server runs experimental software. If you have any problems getting a certificate, feel free to contact [[opennic@eckner.net|Erich Eckner]]
  
 +===== How to get started =====
 +
 +The acme server runs on a domain which must be validated by the same root certificate which is used for other opennic domains.
 +Thus, one must download the root certificate (and ignore the certificate error on the https connection) and install it as a trusted root certificate.
 +If you like to avoid possible MITM attacks on the download, you can verify the [[https://eckner.net/certs/sha512sums|sha512sum]] of the certificate, too (this file also contains checksums for older and for an unrelated ca). On arch linux, one would run:
 +<code>
 +cd /usr/share/ca-certificates/trust-source/anchors
 +curl --insecure -o opennic_root_ca.crt https://playground.acme.libre/opennic_root_ca.crt
 +curl https://eckner.net/certs/sha512sums | sed 's/  \S\+\(opennic_root_ca\.crt\)$/  \1/;t;d' | sha512sum -c
 +trust extract-compat
 +</code>
 +Check, that the certificate was installed correctly:
 +<code>
 +curl https://playground.acme.libre/
 +</code>
 +Then, certbot can query new certificates from the acme server.
 +<code>
 +certbot --server https://playground.acme.libre
 +</code>
 ===== Planned deployment ===== ===== Planned deployment =====
 +
 +The trust chain could look as follows:
  
   - root cert - private key on a restricted machine or the CA operator’s hardware token like a YubiKey. The public key/self-signed cert for this one is published on opennic site and is what we ask our users to trust when they deploy our DNS   - root cert - private key on a restricted machine or the CA operator’s hardware token like a YubiKey. The public key/self-signed cert for this one is published on opennic site and is what we ask our users to trust when they deploy our DNS
-  - intermediate - valid for 6 months, needs to be semi-automatically renewed (resigned) by (a) - CA operator does this with their hardware token/Yubikey on a secure, dedicated, offline machine. +  - intermediate - valid for 6 months, needs to be semi-automatically renewed (resigned) by - CA operator does this with their hardware token/Yubikey on a secure, dedicated, offline machine. 
-  - client certs - valid for 1-3 months, requested and issued exclusively through ACME protocol, signed by (b). Private key for (b) lives on ACME server.+  - client certs - valid for 1-3 months, requested and issued exclusively through ACME protocol, signed by 2. Private key for lives on ACME server.
  
 +The following things might be desirable, too:
 +  - Distribute the Root CA key amongst multiple persons: either share copies, have multiple such keys, or have [[https://tools.ietf.org/html/draft-hallambaker-threshold-sigs-02|some Shamir-like secret sharing]] in place
 +  - Deploy multiple intermediate CAs / ACME-server "parallely"
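Review bot: in the "How to get started" code block the root certificate is written straight into /usr/share/ca-certificates/trust-source/anchors before its checksum is verified, so a failed `sha512sum -c` leaves an unverified anchor in place that the next `trust extract-compat` (run here, or later by a package hook) will still install; download to a temporary file, verify, and only then copy it into the anchors directory, chaining the steps with `&&` so a nonzero exit from `sha512sum -c` stops the procedure. Two smaller points in the same hunk: the sed pattern `\S\+\(opennic_root_ca\.crt\)$` also matches any other path ending in that filename (for instance an older CA stored under a subdirectory with the same name), which would make `sha512sum -c` check extra entries and report a failure, and it does not match a bare `opennic_root_ca.crt` entry at all because `\S\+` must consume at least one character, so matching the exact expected path would be more robust. In the "Planned deployment" list, dropping the (a)/(b) labels left dangling references: "renewed (resigned) by - CA operator" and "signed by 2. Private key for lives on ACME server" should read along the lines of "renewed (resigned) by the CA operator ..." and "signed by the intermediate (2). The intermediate's private key lives on the ACME server."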
  • Last modified: 9 months ago
  • by deep42thought