Commit Graph

3 Commits (61bfd8ff1ab54315ffa8a16942a9ad94a78a56ca)

Author SHA1 Message Date
Dustin 3ba83373f3 step-ca: Re-deploy (again) with DCH CA R2
Although most libraries support ED25519 signatures for X.509
certificates, Firefox does not.  This means that any certificate signed
by DCH CA R3 cannot be verified by the browser and thus will always
present a certificate error.

I want to migrate internal services that do not need certificates
that are trusted by default (i.e. they are only accessed programmatically
or only I use them in the browser) back to using an internal CA instead
of the public *pyrocufflink.net* wildcard certificate.  For applications
like Frigate and UniFi Network, these need to be signed by a CA that
the browser will trust, so the ED25519 certificate is inappropriate.
Thus, I've decided to migrate back to DCH CA R2, which uses an EdDSA
signature, and can therefore be trusted by Firefox, etc.
2024-04-05 13:03:34 -05:00
Dustin 1777262c15 dch-root-ca: Update to DCH Root CA R3
Since I shut down _step-ca_, nothing uses _DCH Root CA R2_ anymore.
I've created a new CA using ED25519 key pairs, named _DCH Root CA R3_.
2024-02-21 09:16:26 -06:00
Dustin f7a8f391ea dch-webhooks: Configure SSH cert signer
The *dch-webhooks* tool now provides an operation for hosts to request a
signed SSH certificate from the SSH CA.  It's primarily useful for
unattended deployments like CoreOS Ignition, where hosts do not have
any credentials to authenticate with the CA directly.
2023-10-10 22:31:44 -05:00