[Cryptography] Apple's 13-month certificate policy
Raymond Burkholder
ray at oneunified.net
Sun Feb 23 01:34:34 EST 2020
On 2020-02-22 9:15 p.m., John Levine wrote:
> In article <19f3eff7-5d48-4227-5e7d-02fa58f55bc8 at oneunified.net>,
> Raymond Burkholder <ray at oneunified.net> wrote:
>> And systems protected by certificates aren't just web servers sitting on
>> the same server as the dns server for the TXT based authorization.
>> There are email servers involved with certificates. No web front end.
> I have LE certs on my mail servers. They're managed automatically
> with acme.sh and some python scripts that use a web API to insert
> the validation records into the DNS zones.
>
> If I didn't run my own DNS, this would be harder, but there are plenty
> of commercial DNS providers with APIs that allow zone updates. Perhaps
> we've identified a business opportunity.
Yes, all this is not impossible. I, too, manage my own DNS servers.
Allocating the time to tie everything together has been on my 'round-tuit'
list for a very long time.
As it happens, my DNS servers are automated via SaltStack. So that is
the easy side of things. It is now a matter of rebuilding my Dovecot
server, automating it and its cert; rebuilding my old Sendmail server
into maybe Exim, and automating its cert; the web servers need to get
their SaltStack client installed, and hooked into the provisioning
process, ....
The real hard part is some older HP servers with their iLO. Not quite
certain how to automate their private key and cert request. I hope the
newer Dell with iDRAC have a better solution for getting their certs
upgraded. Can those be automated?
All of these services are scattered through various multi-hop ssh
security zones, thus, designing the access patterns, and cert movements,
will be an interesting challenge to choreograph. A few command line
scripts, some cut'n'paste, some service restarts, and things are ok for
now every few months.
Some IaaS vendors I know might need to make a push on their own
automation to manage their even larger set of certs -- on new as well as
older gear.
Yep, business opportunity for sure. I think many organizations could
use a good dose of automation. And probably a good dose of additional
pki. And maybe some revamping. I've seen some long lived self-signed
certs floating around on vpn tunnel setups. Issues? Maybe. Probably.
For the less sophisticated little guy, 90 days is probably not much of
an issue for manual processes. If the process had to be invoked more
frequently, I think the point of optimization for cost-per-unit-effort
vs effectiveness may shift in a non-optimal direction.
But I have no idea as to how many little guys with independent systems
there are 'out there' vs how many have fully automated solutions with
their cloud providers, or even how effective those are.
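As an added example (not part of this thread or of the message above), the following standard-library Python script does the bookkeeping that a manual "every few months" renewal process depends on: it pulls notBefore/notAfter out of a certificate with a minimal DER walker and reports the total lifetime, days remaining, whether the lifetime exceeds a 398-day ceiling (the number assumed here as the day count of the 13-month policy in the subject line) and whether renewal is due within a lead time. The DER walker, `build_sample_cert` (an unsigned stand-in that only mimics the leading TBSCertificate fields), and both thresholds are constructed for this example; `assess_pem` takes a real PEM as exported from a web server, Dovecot, an iLO or an iDRAC.

```python
"""Report lifetime and days-to-expiry of X.509 certificates so that certs on
services without automated renewal (mail servers, iLO/iDRAC consoles, VPN
endpoints) can be checked against a maximum-lifetime policy and a renewal
lead time.  Standard library only; a minimal DER walker extracts Validity."""
import base64
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398   # assumed: 13-month policy expressed in days
RENEW_WITHIN_DAYS = 30    # assumed: operator's renewal lead time


def utc(year, month, day):
    """Aware UTC midnight for the given date (helper for sample data)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware UTC datetime."""
    text = val.decode("ascii")
    if tag == 0x17:                       # YYMMDDHHMMSSZ; RFC 5280 century rule
        yy = int(text[:2])
        text = str((1900 if yy >= 50 else 2000) + yy) + text[2:]
    elif tag != 0x18:                     # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_window(der):
    """Return (notBefore, notAfter) from a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:              # skip optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    (t1, v1), (t2, v2) = _children(fields[3][1])
    return _parse_time(t1, v1), _parse_time(t2, v2)


def assess(der, now, max_lifetime_days=MAX_LIFETIME_DAYS,
           renew_within_days=RENEW_WITHIN_DAYS):
    """Lifetime, remaining days, policy breach and renewal-due flags."""
    not_before, not_after = validity_window(der)
    lifetime = (not_after - not_before).days
    remaining = (not_after - now).days
    return {"lifetime_days": lifetime, "remaining_days": remaining,
            "exceeds_max_lifetime": lifetime > max_lifetime_days,
            "renew_now": remaining <= renew_within_days}


def pem_to_der(pem_text):
    """Strip the BEGIN/END lines and base64-decode the body."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def assess_pem(pem_text, now=None):
    """Same check for a PEM file as saved from a server or an iLO/iDRAC export."""
    return assess(pem_to_der(pem_text), now or datetime.now(timezone.utc))


# --- constructed sample input (not a real certificate) ---------------------
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_cert(not_before, not_after):
    """Unsigned stand-in with the real TBSCertificate field order up to Validity."""
    t = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))                 # [0] version v3
                     + _tlv(0x02, b"\x01")                            # serialNumber
                     + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
                     + _tlv(0x30, b"")                                # issuer (empty Name)
                     + _tlv(0x30, t(not_before) + t(not_after)))      # validity
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))    # + sigalg, signature


if __name__ == "__main__":
    # A 425-day cert checked two weeks before expiry: breaches the ceiling and is due.
    der = build_sample_cert(utc(2020, 1, 1), utc(2021, 3, 1))
    print(assess(der, utc(2021, 2, 15)))
```

The DER walker reads only the leading fields of the TBSCertificate, so it works the same on a v1 iLO self-signed cert as on a v3 Let's Encrypt leaf; the sample builder is there so the script runs offline and is not a substitute for a real certificate.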