1.0.0 Release IaaS

docs/adr/003-pki.md

@@ -0,0 +1,57 @@
+# ADR 003 - PKI
+
+## Date
+
+- Feb/23/2026
+    - First documentation
+- Mar/06/2026
+    - Add expiry date observation way
+
+## Status
+
+- Accepted
+
+## Context
+
+- All communications except loop-back, should be encrypted
+- ssh, and TLS communications needs key and certificates
+- Public CA never issues for private domain, '.internal'
+- Automate issuing and renewing certificates
+- Revocation is not needed in this single and small environment.
+
+## Consideration
+
+### Automate protocol
+
+- JWK/JWT provisioner
+    - It is hard to manage pre-shared secret values than ACME \(Especially nsupdate\)
+- authorized_keys
+    - When the nodes are increased, it is hard to manage authorized_key.
+    - SSH ca.pub allow all the certificates signed by ca key, so it is not needed to manage authroized_keys from each hosts.
+
+### Revocation
+
+- CRL/OCSP/OCSP-stappling
+    - All long-term certificates are managed manually
+    - All short-term certificates are managed by ACME
+    - When the certificates are leaked, it is easier to change intermediate CA itself
+
+## Decisions
+
+- Operate private CA
+    - Root CA \(Store on coldstorage\) - 10 years
+    - Intermediate CA \(Online server as Step-CA\) - 5 years
+    - SSH CA - No period
+- Manage certificates with two track
+    - ACME with nsupdate \(using private DNS\) for web services via Caddy - 90 days
+    - Manual issuing and managing leaf certificate for infra services for independency - 2.5 years
+    - All manual issuing leaf certificate expiry date is observed by x509-exporter on infra vm
+- Manage SSH certificates
+    - *-cert.pub for host \(with -h options\)
+    - *-cert.pub for client \(without -h options\)
+
+## Consequences
+
+- Private PKI is operated
+- Private SSH CA is operated
+- All external/internal communication is encrypted as TLS re-encryption. \(E2EE\)