# ADR 003 - PKI

## Date

- Feb/23/2026 - First documentation
- Mar/06/2026 - Add how leaf certificate expiry is observed

## Status

- Accepted

## Context

- All communication except loop-back must be encrypted.
- SSH and TLS both need keys and certificates.
- A public CA will not issue certificates for a private domain such as `.internal`, so internal names need a private CA.
- Issuing and renewing certificates should be automated.
- Revocation is not needed in this single, small environment.

## Consideration

### Automation protocol

- JWK/JWT provisioner
  - Pre-shared secret values are harder to manage than ACME (especially compared with ACME driven by nsupdate).
- authorized_keys
  - As nodes are added, per-host authorized_keys files become hard to manage.
  - With an SSH CA, each host trusts every certificate signed by the CA key (`TrustedUserCAKeys` pointing at ca.pub), so authorized_keys no longer has to be maintained on each host.

### Revocation

- CRL/OCSP/OCSP stapling
  - All long-term certificates are issued and managed manually.
  - All short-term certificates are managed by ACME and expire within 90 days.
  - If a certificate leaks, replacing the intermediate CA is easier than operating revocation infrastructure. Caveat: a leaked leaf still verifies against the root as long as the old intermediate certificate is presented with it, so rotating the intermediate only cuts the leaf off where relying parties trust the intermediate directly or the root is rotated as well.

## Decisions

- Operate a private CA
  - Root CA (kept offline in cold storage) - 10 years
  - Intermediate CA (online, served by Step-CA) - 5 years
  - SSH CA - no validity period; the CA key itself does not expire, validity is set per signed certificate
- Manage certificates on two tracks
  - ACME with nsupdate (against the private DNS) for web services via Caddy - 90 days
  - Manually issued and managed leaf certificates for infrastructure services, so they do not depend on the ACME path - 2.5 years
    - The expiry dates of all manually issued leaf certificates are observed by x509-exporter on the infra VM
- Manage SSH certificates
  - `*-cert.pub` for hosts (signed with `-h`)
  - `*-cert.pub` for clients (signed without `-h`)

## Consequences

- A private PKI is operated.
- A private SSH CA is operated.
- All external and internal communication is encrypted: Caddy terminates TLS and re-encrypts to the backend, so every hop is protected. Since the proxy handles plaintext, this is hop-by-hop encryption rather than strict end-to-end encryption.
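Worked example for the private CA decisions above. This is an added example written for this page, not code from the ADR or its environment: it builds the root / intermediate / manual-track leaf hierarchy with the lifetimes the ADR fixes (10 years, 5 years, 2.5 years) and then runs the two checks behind the Revocation consideration and the expiry watch. The subject names, the hostname `infra.example.internal`, P-256 keys and the use of plain openssl in place of Step-CA are assumptions.

```shell
#!/bin/sh
# Added example (editor's code, not from the ADR): the two-tier hierarchy from
# the Decisions section built with openssl, plus the checks behind the
# Revocation consideration and the manual-track expiry watch.
# Assumptions: subject names, the hostname infra.example.internal, P-256 keys,
# and openssl standing in for Step-CA. Lifetimes are the ADR's: 10y / 5y / 2.5y.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "skip: openssl not installed" >&2; exit 0; }
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > "$PKI_DIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# P-256 key plus a CSR with the given CN, written as name.key / name.csr.
new_csr() { # name cn
    openssl ecparam -genkey -name prime256v1 -noout -out "$PKI_DIR/$1.key"
    openssl req -new -config "$PKI_DIR/req.cnf" -key "$PKI_DIR/$1.key" \
        -subj "/CN=$2" -out "$PKI_DIR/$1.csr"
}

# Sign name.csr with the issuer's key (or self-sign when issuer is "self"),
# applying the extensions in name.ext and the validity in days.
issue() { # name issuer days
    if [ "$2" = self ]; then
        openssl x509 -req -in "$PKI_DIR/$1.csr" -signkey "$PKI_DIR/$1.key" -days "$3" \
            -sha256 -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.crt"
    else
        openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$2.crt" -CAkey "$PKI_DIR/$2.key" \
            -CAcreateserial -days "$3" -sha256 -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.crt"
    fi
}

build_hierarchy() {
    # Root (offline, 10 years): pathlen:1 permits exactly one CA level below it.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$PKI_DIR/root.ext"
    new_csr root "Example Root CA"
    issue root self 3650
    # Intermediate (online signer, 5 years): pathlen:0 means it may issue leaves only.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' \
        > "$PKI_DIR/intermediate.ext"
    new_csr intermediate "Example Intermediate CA"
    issue intermediate root 1826
    # Manual-track leaf for an infra service (2.5 years = 913 days), server auth only.
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:infra.example.internal\nauthorityKeyIdentifier=keyid,issuer\n' \
        > "$PKI_DIR/leaf.ext"
    new_csr leaf infra.example.internal
    issue leaf intermediate 913
}

# Replace the online intermediate with a fresh key and certificate under the
# same root; the old certificate is kept, as an attacker holding it would.
rotate_intermediate() {
    mv "$PKI_DIR/intermediate.crt" "$PKI_DIR/old-intermediate.crt"
    new_csr intermediate "Example Intermediate CA"
    issue intermediate root 1826
}

# Verify a leaf against a trust anchor, optionally with an untrusted intermediate
# supplied the way a TLS server sends its chain. Prints OK or FAIL.
verify_leaf() { # anchor leaf [untrusted-intermediate]
    anchor=$PKI_DIR/$1.crt; leaf=$PKI_DIR/$2.crt
    if [ -n "${3:-}" ]; then set -- -untrusted "$PKI_DIR/$3.crt"; else set --; fi
    if openssl verify -partial_chain -CAfile "$anchor" "$@" "$leaf" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# The check x509-exporter runs continuously for the manual track, done once with
# openssl: succeeds (exit 0) when the certificate expires within the given days.
expires_within_days() { # name days
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$PKI_DIR/$1.crt" >/dev/null
}

build_hierarchy
echo "root anchor, server sends intermediate:      $(verify_leaf root leaf intermediate)"     # OK
rotate_intermediate
echo "root anchor, leaked leaf + old intermediate: $(verify_leaf root leaf old-intermediate)" # still OK
echo "anchor pinned to the new intermediate:       $(verify_leaf intermediate leaf)"          # FAIL
if expires_within_days leaf 30; then echo "leaf: renew now"; else echo "leaf: more than 30 days left"; fi
```

The three verify lines are the point: with the root as trust anchor, a leaked 2.5-year leaf keeps verifying after the intermediate is replaced, because whoever holds the leaf also holds the old intermediate certificate and can present both. Rotating the intermediate only helps relying parties that pin the intermediate (`-partial_chain` with the intermediate as `-CAfile`, or the equivalent in the client's trust store). The final line is the `openssl x509 -checkend` form of the expiry alert the ADR delegates to x509-exporter.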
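Worked example for the SSH CA track in the Decisions section, covering the host (`-h`) and client (no `-h`) certificates and the two settings that replace per-host authorized_keys and known_hosts entries. This is an added example written for this page, not code from the ADR or its environment; the CA comment `example-ssh-ca`, the host name `infra.example.internal`, the user principal `admin` and the certificate validities passed with `-V` are assumptions (the ADR sets no period for the CA key itself, which is consistent with SSH CA keys having no expiry).

```shell
#!/bin/sh
# Added example (editor's code, not from the ADR): the SSH CA track. Creates the
# CA key, signs a host key with -h and a user key without it, and prints the two
# trust settings that replace per-host authorized_keys / known_hosts entries.
# Assumptions: CA comment "example-ssh-ca", host infra.example.internal, user
# principal "admin", and the -V validities; the ADR sets no period for the CA key.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "skip: ssh-keygen not installed" >&2; exit 0; }
SSH_DIR="${SSH_DIR:-$(mktemp -d)}"

# The CA key pair. ssh_ca.pub is what hosts and clients are told to trust.
make_ssh_ca() {
    ssh-keygen -q -t ed25519 -N '' -C example-ssh-ca -f "$SSH_DIR/ssh_ca"
}

# Host certificate: -h makes it a host cert, -n lists the names clients may use
# to reach the host, -I is the key id that shows up in logs.
sign_host_key() { # hostname
    ssh-keygen -q -t ed25519 -N '' -f "$SSH_DIR/ssh_host_ed25519_key"
    ssh-keygen -q -s "$SSH_DIR/ssh_ca" -I "host-$1" -h -n "$1" -V +52w \
        "$SSH_DIR/ssh_host_ed25519_key.pub"
}

# User certificate: same CA, no -h; -n lists the login names it may assume.
sign_user_key() { # principal
    ssh-keygen -q -t ed25519 -N '' -f "$SSH_DIR/id_ed25519"
    ssh-keygen -q -s "$SSH_DIR/ssh_ca" -I "user-$1" -n "$1" -V +8h \
        "$SSH_DIR/id_ed25519.pub"
}

# Prints "host" or "user", read from the Type line of ssh-keygen -L.
cert_type() { # cert-file
    ssh-keygen -L -f "$1" | awk '/Type:/ { t = ($0 ~ /host certificate/) ? "host" : "user"; print t; exit }'
}

# Succeeds when the certificate's Signing CA fingerprint is our CA key's.
signed_by_our_ca() { # cert-file
    ca_fp=$(ssh-keygen -l -f "$SSH_DIR/ssh_ca.pub" | awk '{ print $2 }')
    cert_fp=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4; exit }')
    [ "$ca_fp" = "$cert_fp" ]
}

# Client side: one known_hosts line trusts every host certificate the CA signed
# for names matching the pattern, instead of one line per host.
known_hosts_line() { # hostname-pattern
    printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$SSH_DIR/ssh_ca.pub")"
}

# Server side: sshd trusts every user certificate the CA signed, so
# authorized_keys no longer has to be maintained on each host.
sshd_config_snippet() {
    printf 'TrustedUserCAKeys /etc/ssh/ssh_ca.pub\n'
    printf 'HostKey /etc/ssh/ssh_host_ed25519_key\n'
    printf 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
}

make_ssh_ca
sign_host_key infra.example.internal
sign_user_key admin
cert_type "$SSH_DIR/ssh_host_ed25519_key-cert.pub"   # host
cert_type "$SSH_DIR/id_ed25519-cert.pub"             # user
known_hosts_line '*.example.internal'
sshd_config_snippet
```

Both certificates are signed by the same CA key; only `-h` decides which side of the connection will accept them, so a user certificate can never be passed off as a host identity and vice versa. Validity (`-V`) lives on each certificate, not on the CA key, which is why the ADR can leave the SSH CA without a period. `ssh-keygen -L -f <cert>` is the quickest way to confirm the type, principals and validity of a certificate before deploying it.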