[Cryptography] Apple's 13-month certificate policy

Raymond Burkholder ray at oneunified.net
Sun Feb 23 01:34:34 EST 2020


On 2020-02-22 9:15 p.m., John Levine wrote:
> In article <19f3eff7-5d48-4227-5e7d-02fa58f55bc8 at oneunified.net>,
> Raymond Burkholder <ray at oneunified.net> wrote:
>> And systems protected by certificates aren't just web servers sitting on
>> the same server as the dns server for the TXT based authorization.
>> There are email servers involved with certificates. No web front end.
> I have LE certs on my mail servers.  They're managed automatically
> with acme.sh and some python scripts that use a web API to insert
> the validation records into the DNS zones.
>
> If I didn't run my own DNS, this would be harder, but there are plenty
> of commercial DNS providers with APIs that allow zone updates.  Perhaps
> we've identified a business opportunity.
Yes, all this is not impossible.  I, too, manage my own DNS servers.  
Allocating the time to tie everything has been on my 'round-tuit' list 
for a very long time.

As it happens, my DNS servers are automated via SaltStack.  So that is 
the easy side of things.  It is now a matter of rebuilding my Dovecot 
server, automating it and its cert; rebuilding my old SendMail server 
into maybe Exim, and automating its cert; the web servers need to get 
their SaltStack client installed, and hooked into the provisioning 
process, ....

The real hard part is some older HP servers with their ILO.  Not quite 
certain how to automate their private key and cert request.  I hope the 
newer Dell with iDRAC have a better solution for getting their certs 
upgraded.  Can those be automated?

All of these services are scattered through various multi-hop ssh 
security zones, thus, designing the access patterns, and cert movements, 
will be an interesting challenge to choreograph.  A few command line 
scripts, some cut'n'paste, some service restarts, and things are ok for 
now every few months.

Some IaaS vendors I know might need to make a push on their own 
automation to manage their even larger set of certs -- on new as well as 
older gear.

Yep, business opportunity for sure.  I think many organizations could 
use a good dose of automation.  And probably a good dose of additional 
pki.  And maybe some revamping.  I've seen some long lived self-signed 
certs floating around on vpn tunnel setups. Issues?  Maybe. Probably.

For the less sophisticated little guy, 90 days is probably not much of 
an issue for manual processes.  If the process had to be invoked more 
frequently, I think the point of optimization for cost-per-unit-effort 
vs effectiveness may shift in a non-optimal direction.

But I have no idea as to how many little guys with independent systems 
there are 'out there' vs how many have fully automated solutions with 
their cloud providers, or even how effective those are.
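As an added illustration of what the "validation records" in the quoted exchange actually contain (example code, not from either poster or from acme.sh): the DNS-01 TXT value is derived from the CA's challenge token and the ACME account key's JWK thumbprint, per RFC 8555 section 8.4 and RFC 7638. The key members and token below are constructed sample values; the provider-specific DNS API call that publishes the record is out of scope here.

```python
import base64
import hashlib
import json

# RFC 8555 section 8.4: a DNS-01 challenge is satisfied by publishing
#   _acme-challenge.<identifier>  IN TXT  "<base64url(SHA-256(key_authorization))>"
# where key_authorization = token || "." || base64url(JWK thumbprint of the account key).

def b64url(data: bytes) -> str:
    """Unpadded base64url, as required by RFC 8555 / RFC 7515."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Required public members per key type (RFC 7638 section 3.2); any other
# members (kid, alg, use, ...) are excluded from the thumbprint input.
_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no whitespace)."""
    members = _REQUIRED[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """Return (owner name, TXT rdata) that the DNS update hook must publish."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    txt_value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{domain.rstrip('.')}", txt_value

if __name__ == "__main__":
    # Constructed sample values: not a real account key and not a CA-issued token.
    sample_jwk = {"kty": "EC", "crv": "P-256",
                  "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                  "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
                  "kid": "acct-1"}  # ignored by the thumbprint on purpose
    name, value = dns01_record("mail.example.net", "EXAMPLE-TOKEN-constructed", sample_jwk)
    print(f'{name}. IN TXT "{value}"')
```

Once the CA has validated, the record can be removed; leaving stale `_acme-challenge` records behind is harmless to the certificate but clutters the zone.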
