infra/kubernetes
1
0
Fork 0
Code Pull Requests 3 Activity

step-ca: Re-deploy (again) with DCH CA R2

Browse Source 
Although most libraries support ED25519 signatures for X.509
certificates, Firefox does not.  This means that any certificate signed
by DCH CA R3 cannot be verified by the browser and thus will always
present a certificate error.

I want to migrate internal services that do not need certificates
that are trusted by default (i.e. they are only accessed programatically
or only I use them in the browser) back to using an internal CA instead
of the public *pyrocufflink.net* wildcard certificate.  For applications
like Frigate and UniFi Network, these need to be signed by a CA that
the browser will trust, so the ED25519 certificate is inappropriate.
Thus, I've decided to migrate back to DCH CA R2, which uses an EdDSA
signature, and can therefore be trusted by Firefox, etc.
This commit is contained in:
Dustin
2024-04-05 13:03:34 -05:00
parent 5c34fdb1c6
commit 3ba83373f3
5 changed files with 39 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
step-ca/README.md
View File

@@ -10,18 +10,19 @@ OpenID Connect, mTLS, and more.
## Offline Root CA
The *DCH Root CA R3* private key is managed externally from Step CA. It is
The *DCH Root CA R2* private key is managed externally from Step CA. It is
stored offline (on a flash drive in a fireproof safe). Only the CA certificate
is used by the online CA service, where it is provided to clients to include in
as a trust anchor in their respective certificate stores.
*DCH Root CA R3* replaces *DCH Root CA R2*, which never ended up being used,
and *DCH Root CA R1*, which has not been used for some time.
*DCH Root CA R2* replaces *DCH Root CA R1*, which has not been used for some
time. *DCH Root CA R3* also exists, but it is based on an ED25519 signature,
which is not supported by Firefox.
## Online Intermediate CA
Step CA manages the *DCH CA R3* intermediate certificate authority. The
Step CA manages the *DCH CA R2* intermediate certificate authority. The
private key for this CA is stored in the `intermediate_ca.key` file, encrypted
with the password in `password`. This key pair is needed by the online CA to
sign end-entity certificates.
@@ -29,7 +30,7 @@ sign end-entity certificates.
### ACME Provisioner
Hosts can obtain certificates signed by *DCH CA R3* using the ACME protocol.
Hosts can obtain certificates signed by *DCH CA R2* using the ACME protocol.
The CA will only sign certificates for names that map to addresses controlled
by the requesting client. For most machines, that means they can only get a
certificate for their hostname. Other names can be added using DNS CNAME